Security is one of the most common areas for questions from users. The platform being offered as a cloud solution, it is natural for users to be curious and concerned about the security of their individual identities and organizational data on the platform. This page answers the most commonly asked questions about the platform's security.
I. Physical Security
1. Where is this application hosted?
The platform is hosted on Amazon Web Services (AWS) (external link), a Cloud hosting service offered by Amazon.com. Specifically, the platform is hosted in a data center run by Amazon.com in Mumbai, India. Amazon.com has intense focus on infrastructure and procedural security for software applications hosted on AWS. This enables the Platform to benefit from AWS's continued focus and innovations in Cloud security and related areas.
2. Who controls the data centers?
AWS data centers are controlled, managed and run directly by Amazon.com. The physical components of the Cloud computing infrastructure required to run the Platform, such as, servers, routers, hard disks, cables, etc. are under the direct control of AWS staff. Amazon.com transparently shares its policies and practices around safety and security of physical infrastructure components. These can be reviewed on the AWS Compliance Help Center (external link).
3. Who else has physical access to the data centers?
Amazon.com strictly controls access to all its data centers from where it provides AWS services to its customers. As part of its standard operating procedures, Amazon.com does not allow physical access to its data centers to anyone other than their own staff and authorized third-party auditors. Moreover, third-party auditors are provided physical access specifically for the period of an external security audit of the controls and procedures in place for ensuring security at the data centers.
4. What security standards does AWS follow?
AWS complies with leading security standards such as ISO-27001. Extensive information on the current certifications held by AWS is available from the AWS Compliance Help Center (external link).
5. Do AWS data centers get audited?
AWS data centers get audited on a periodic basis by competent third-party auditors. More information on this is available on the AWS Compliance Help Center (external link).
6. Where can I find more information about AWS policies and procedures related to security?
Amazon.com maintains up-to-date help centers dedicated to Security (external link) and Compliance (external link). Users may visit these to gain greater insight into AWS security related policies and procedures.
II. Application Security
1. What security standards are followed for the application?
We actively follow guidelines associated with OWASP Top 10 Web Security Vulnerabilities and FIPS 140-2 during design and development activities.
2. How do you prevent unauthorized access?
We utilize several mechanisms, including but not limited to the following, for preventing unauthorized access on the Platform:
- User authentication and authorization across the Platform
- Role-based access control across the Platform
- Intrusion Detection
- Multiple layers of content filtering
- Monthly software patches
- Half-yearly software upgrades
More details are available on the page dedicated to application security.
III. Data Security
1. How do you prevent access to data while it is in transit between client browsers and your servers?
All our applications use strong SSL encryption for data in transit. SSL makes sure that any data transferred between client browsers and websites remains impossible to read by scrambling the data in transit, keeping it readable to the sender and the recipient.
Look for the security lock in the web browser's address bar to ensure that the connection is protected by SSL.
2. How do you prevent access to data stored on your servers?
All data is written to encrypted disks so that data center staff or any other support personnel involved with the physical administration of servers does not have access to raw data.
On our team only authorized personnel are allowed to access application data and only for specific purposes such as taking backups, investigating problems reported by users and application upgrades. Authority to access application data is granted expressly by an Information Security Manager, who reports directly to the company management. Access to data stores is granted only on a time-leased basis depending on the purpose of access. Once the lease has expired, the personnel to whom the access was granted automatically lose access to the data.
All confidential data stored on our servers is encrypted using strong, industry-standard algorithms. This prevents even our team memebrs from reading and using any confidential customer information.
More details are available on the page dedicated to data security.