This Security Statement is aimed to be transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.
If you have any questions, you can contact our team at firstname.lastname@example.org.
Application and user security
- SSL/TLS encryption: SSL/TLS is used to ensure data is securely transmitted between our site and intended recipient. All data sent to and from the AirManual site uses SSL/TLS.
- Data at rest encryption: The application database is encrypted when stored in database tables, temporary files, and backups.
- User authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique email addresses and passwords that must be entered each time a user logs on. A session cookie records encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
- User passwords: User application passwords have minimum complexity requirements. Passwords are individually salted and hashed.
- Payment information: Payment information, including credit card details, is handled by Stripe - the industry leader in this field. We do not store any credit card details on our own systems. You can review their security here.
- Data portability: AirManual supports you in exporting process data from our systems to Excel so that you can back it up, or use it with other applications.
- Data centers: Our information systems infrastructure (servers, networking equipment, etc.) is managed by Google who are accredited with SSAE16 Type II SOC1, SOC2 (Security and Availability Only), and SOC3.
- Data center security: Data center access is limited only to authorized personnel, and is protected by badges and biometric scanning; security cameras; access and video surveillance log retention; 24x7 onsite staff and unmarked facilities. Physical security audited by independent firms annually.
- Environmental controls: Environmental controls are implemented and monitored to help mitigate against the risk of service interruption caused by fires, floods and other forms of natural disasters.
- Location: All user data is stored on servers located in Europe (and regulated by EU data protection), and we will notify you in advance of any plans to change this.
- Uptime: The site is continuously monitored for uptime, with immediate escalation to AirManual staff for any downtime.
- Third party scans: Weekly security scans are performed using third party tools.
- Testing: All updates to the AirManual site are subject to functional and security testing before being pushed to the customer-facing site.
- Firewall: Firewall restricts access to all ports except a minimal set required by the application.
- Patching: The latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
- Access control: Access to the server is restricted to a small number of staff authenticated over SSH with key-based authentication. Access to perform any harmful actions is further restricted by role-based rules and complex passwords.
- Logging and auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.
- Backup frequency: Cloud SQL is set-up with daily backups and binary logs to enable point-in-time recovery.
Organizational Administrative Security
- Employee screening: We perform background screening on all employees.
- Training: We provide security and technology use training for employees.
- Service providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
- Access: Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.
- Audit logging: We maintain and monitor audit logs on our services and systems.
- Information security policies: We maintain internal information security policies, including incident response plans, and regularly review and update them.
Software Development Practices
- Stack: The backend of the AirManual site uses NodeJS services run on Google App Engine with a Cloud SQL PostgreSQL database.
- Coding practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.
Handling of Security Breaches
Despite best efforts and adhering to best practices, no method of electronic storage is perfectly secure and we cannot guarantee absolute security. In the event of any security breach, we will notify all users via email notifications and/or through notifications on the AirManual site itself.
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely.
You should also ensure that you have sufficient security on your own systems, such that any data you download to your own computer is stored securely and is only seen by the intended parties.