Indio clients trust us with hundreds of thousands of pieces of client data. That trust is based on our team keeping that data both private and secure. This document is intended to provide further transparency about how we protect this important data.
Our internal security team drives a security program that includes the following areas of focus: network security, infrastructure controls, policies, disaster recovery, employee awareness, intrusion detection, and incident response.
We periodically test our infrastructure and applications for vulnerabilities and take remedial action on those that could potentially impact the security of customer data. Our security team engages in penetration testing and continually seeks to evaluate new tools in order to increase the coverage and depth of our assessments.
We’ve partnered with Amazon Web Services to provide a secure and reliable cloud environment for our software. We use a combination of load balancers, firewalls, and VPNs to ensure that network access is restricted on an as-needed basis. We limit access to our production infrastructure and strongly authenticate that access.
All network communication in the Indio platform occurs over secure SSL/TLS. Our internal infrastructure rejects all packets sent on ports other than port 443 and redirects all unsecured port 80 requests over to port 443. We regularly audit the details of our implementation and the certificates that we serve.
In addition to SSL connections, automated data communication goes through additional encryption layers for enhanced security during transit and at rest for sensitive data.
Indio never stores your password in plaintext. All user passwords are stored using BCrypt2 with multiple rounds of hashing and a unique salt for each credential. All internal account access is protected by 2 Factor Authentication and Indio employees are required to change passwords every 90 days.
All data at rest is encrypted using industry best practices with AES-256. Media disposal is handled in accordance with NIST guidelines in special publication 800-88. We take advantage of AWS’s cryptographic erasure processes in order to ensure that repurposing storage does not result in exposing private customer data.
The Indio platform performs server-side logging of all interactions with our services for security and E&O purposes. This includes web server access logging as well as activity logging for actions taken through our APIs.
AVAILABILITY / RELIABILITY
We operate a fault tolerant architecture layout in order to ensure the Indio platform is there when you need it.
- Redundant database backups across multiple data centers
- Redundant network infrastructure including load balancers and VPCs
- Redundant application servers and virtual instances
- Multi-zone CDNs for static content
We backup all customer content at least once daily. We do not utilize portable or removable media for backups. All backups are encrypted with AES-256.
Our internal Incident Policy includes procedures for how we manage and respond to extraordinary events, including disaster recovery and breach handling:
Disaster Response – Audits of our backup and failover systems are conducted quarterly to ensure we are well prepared to handle any potential disasters. Partnering with Amazon Web Services allows us to switch between availability zones if a problem occurs in a datacenter.
Breach Response – Our internal Breach Response policy lists the steps to follow in the event a breach occurs, including internal and external communication, prevention of data loss, research, documentation, remediation and resolution, including amendments to our internal processes and law enforcement notification if necessary.
Updated: May 9th, 2018