We take the security of your data very seriously at SmartAudit. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security. If you have additional questions regarding security, we are happy to answer them. Please write to support@smartaudit.co and we will respond as quickly as we can.

Infrastructure Security

We contract our digital hardware to cloud vendors that adhere to the applicable data regulations and compliance standards. Our infrastructure runs in data centers provided by Amazon Web Services (AWS), which is SOC 2 and PCI Level 1 certified, among others. AWS, as a platform provider, offers a number of security- and privacy-focused features, which we leverage wherever applicable.

Our servers run on stable, regularly patched versions of Amazon Linux with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.

Physical and Environmental Security

We do not have in-house data centers. Amazon Web Services (AWS) manages the physical and environmental security of our data centers. Our internal security program covers physical security at our offices.

For more details, please review AWS' control and security measures at https://aws.amazon.com/compliance/data-center/controls/

Product and Service Security

We distribute and serve our products and services exclusively over HTTPS and secure WebSockets. All network interactions use TLS with 2048-bit digital signatures and 128-bit AES encryption. Additionally, we use HTTP Strict-Transport-Security (HSTS) to ensure that clients never connect to our servers over an insecure network path.

Software Security

Our applications run on the latest stable version of Node.js. Our security team sets architectural guidelines, conducts code reviews, and deploys every software system that can interface with customer data.

Our developers are trained with specific attention toward security. Our automated and manual code review processes look for any code that could potentially violate security policies.

Confidentiality

All customer data is stored in databases on MongoDB Atlas, which are configured securely. Data is stored with at least dual redundancy, with daily backups, and is accessible only within the private cloud.

We place strict controls over our employees’ access to the data you and your users make available via the SmartAudit services, as more specifically defined in your agreement with SmartAudit covering the use of the SmartAudit services (“Customer Data”). The operation of the SmartAudit services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the SmartAudit services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and policies in place to ensure that any access to Customer Data is logged.

All of our employees and contract personnel are bound by our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.

Personnel Practices

SmartAudit conducts background checks on all employees before employment and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability and confidentiality of the SmartAudit services.

Attack Prevention and Mitigation

We maintain intelligent web application firewalls on our load balancers which, along with the elastic scaling capacity of our compute instances, mitigate attacks at the application layer.

We implement measures to detect and prevent log tampering or interruptions. In case of a customer-reported breach, the CEO and the CTO are notified automatically, and the report is responded to within a few hours as per set policies.

Payment Processing

We process payments using Braintree (a PayPal service), which falls into level 3 or 4 of PCI compliance.

Availability

We understand that you rely on the SmartAudit services to work. We’re committed to making SmartAudit a highly available service that you can rely on. Our infrastructure runs on systems that are fault-tolerant against failures of individual servers or even entire data centers. Our operations team tests disaster recovery measures regularly and has a 24-hour on-chat team to quickly resolve unexpected incidents.

Source Code Security

We store source code and configuration files in private GitHub repositories. The security and development teams conduct code reviews and run static code analysis tools on every code commit. Reviewers check for compliance with our conventions and style, potential bugs, potential performance issues, and that the commit is scoped to only its intended purpose. Security reviews are conducted on every code commit to security-sensitive modules. Such modules include those that pertain directly to authentication, authorization, access control, auditing, and encryption.

User-Level Security

The SmartAudit system has built-in Role-Based Access Control (RBAC). Access to workfiles must be explicitly granted by appropriate senior roles. Logins are protected by Google reCAPTCHA.

Business Continuity and Disaster Recovery

Customer Data is stored redundantly in multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data and our source code are backed up every week. The team is alerted in the event of a failure in this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.