INTRODUCTION
Indio clients trust us with hundreds of thousands of pieces of client data. That trust is based on our team keeping that data both private and secure. This document is intended to provide further transparency about how we protect this important data.
SECURITY PROGRAM
Our internal security team drives a security program that includes the following areas of focus: network security, infrastructure controls, policies, disaster recovery, employee awareness, intrusion detection, and incident response.
We periodically test our infrastructure and applications for vulnerabilities and remediate any finding that could affect the security of customer data. Our security team performs penetration testing and continually evaluates new tools to increase the coverage and depth of our assessments.
NETWORK SECURITY
We’ve partnered with Amazon Web Services to provide a secure and reliable cloud environment for our software. We use a combination of load balancers, firewalls, and VPNs to ensure that network access is restricted on an as-needed basis. We limit access to our production infrastructure and strongly authenticate that access.
All network communication with the Indio platform occurs over TLS. Our infrastructure rejects packets on ports other than 443, with one exception: unencrypted requests on port 80 are answered only with a redirect to HTTPS on port 443 and are never served in the clear. We regularly audit our TLS configuration and the certificates that we serve.
In addition to TLS, automated data transfers apply a further layer of encryption to sensitive data, both in transit and at rest.
ACCOUNT SECURITY
Indio never stores your password in plaintext. All user passwords are hashed with bcrypt, an adaptive hash with a configurable work factor (cost) and a unique, randomly generated salt for each credential, so two users with the same password get different hashes and brute-force attempts stay expensive as hardware improves. All internal account access is protected by two-factor authentication, and Indio employees are required to change their passwords every 90 days.
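A worked example of the scheme described above, added here and not Indio's own code: the salt and the cost parameters are stored inside the record next to the hash (as a bcrypt string's "$2b$12$..." prefix does), verification recomputes the hash from those stored parameters and compares in constant time, and records made at an older cost are detected so they can be re-hashed at the next successful login. Because bcrypt is not in Python's standard library, the block uses hashlib.scrypt, which is also a salted, adaptive hash, as a stand-in; the record layout, the function names and the sample password are this example's assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed record layout (this example's own, not a standard):
#   scrypt$<log2 N>$<r>$<p>$<salt b64>$<digest b64>
# Salt and cost travel with the hash, so verification needs no side table
# and old records can be recognised and upgraded.
SCHEME = "scrypt"
CURRENT_LOG2_N = 14   # N = 2**14 = 16384; raise this as hardware gets faster
R = 8
P = 1
SALT_BYTES = 16
DKLEN = 32


def _derive(password: str, salt: bytes, log2_n: int, r: int, p: int) -> bytes:
    # UTF-8 encode so non-ASCII passwords hash deterministically. Caveat:
    # real bcrypt truncates input at 72 bytes; scrypt has no such limit.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=1 << log2_n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str, log2_n: int = CURRENT_LOG2_N) -> str:
    """Return a self-describing record; the salt is fresh for every call."""
    salt = os.urandom(SALT_BYTES)   # unique per credential, never reused
    digest = _derive(password, salt, log2_n, R, P)
    return "$".join([SCHEME, str(log2_n), str(R), str(P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, log2_n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, int(log2_n), int(r), int(p))
    except (ValueError, TypeError, OverflowError):
        return False   # malformed or hostile record: fail closed, never raise
    # compare_digest does not leak the position of the first differing byte
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the record uses a weaker cost than today's setting.

    Call this after a successful login, while the plaintext is still in
    hand, and store hash_password(password) to raise the cost without
    forcing a password reset.
    """
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < CURRENT_LOG2_N
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample credential for demonstration only.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong password", rec))
    print(needs_rehash(hash_password("correct horse battery staple", log2_n=10)))
```

The upgrade path matters as much as the hash itself: a store full of records at a cost chosen years ago is only as strong as that old cost, and rotating them silently at login is the only way to raise it without a forced reset.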
DATA STORAGE
All data at rest is encrypted with AES-256, following industry best practice. Media disposal follows the guidelines in NIST Special Publication 800-88. We rely on AWS's cryptographic erasure process to ensure that repurposing storage does not expose private customer data.
ACTIVITY LOGGING
The Indio platform performs server-side logging of all interactions with our services, for both security and errors-and-omissions (E&O) purposes. This includes web server access logs as well as activity logs for actions taken through our APIs.
AVAILABILITY / RELIABILITY
We operate a fault-tolerant architecture so that the Indio platform is there when you need it.
This includes:
- Redundant database backups across multiple data centers
- Redundant network infrastructure including load balancers and VPCs
- Redundant application servers and virtual instances
- Multi-zone CDNs for static content
We back up all customer content at least once daily. We do not use portable or removable media for backups. All backups are encrypted with AES-256.
INCIDENT POLICY
Our internal Incident Policy includes procedures for how we manage and respond to extraordinary events, including disaster recovery and breach handling:
Disaster Response – Audits of our backup and failover systems are conducted quarterly to ensure we are well prepared to handle any potential disaster. Partnering with Amazon Web Services allows us to fail over between availability zones if a problem occurs in a data center.
Breach Response – Our internal Breach Response policy lists the steps to follow in the event of a breach: internal and external communication, prevention of further data loss, investigation, documentation, remediation and resolution, including amendments to our internal processes and notification of law enforcement where necessary.
Updated: May 9th, 2018
Assurance Programs
CSA STAR
Applied Systems has been proactive in working with the Cloud Security Alliance whose mission is to promote best practice in the provision of security assurance within Cloud Computing. The CSA Security, Trust & Assurance Registry (CSA STAR) is a free, publicly accessible registry documenting security controls published by various cloud service providers, thereby helping users assess the security of Cloud services they use or are considering contracting with.
SOC 3
A SOC 3 report is a general-use summary of a SOC 2 report, covering how a company safeguards customer data and how well those controls operate. Companies that use cloud service providers rely on SOC 2 reports to assess and address the risks associated with third-party technology services. These reports are issued by independent third-party auditors and cover the principles of Security, Availability, Confidentiality, and Privacy.
Indio is SOC 3 compliant. Read the report.
Responsible Disclosures
We take security seriously at Indio. As part of our ongoing commitment to provide a best-in-class cloud service, we leverage independent third parties to help us strengthen our security. If you think you have discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner by using the form linked below.