Data Center Security
Last updated on December 28, 2020.
Certainly uses Amazon Web Services (AWS) and Microsoft Azure Cloud (Azure) to host our services and complies with the same SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications as they do. Only authorized personnel have physical access to the secured data centers that house the servers on which our web servers and databases run. The data centers are located in Frankfurt, Germany and in Ireland. Access is restricted and monitored, and all access is logged.
Amazon Web Services has detailed descriptions of data storage, security and compliance on the following pages:
- Data Centers and Security: aws.amazon.com/security
- Data Compliance: aws.amazon.com/compliance
- Data Protection: aws.amazon.com/compliance/eu-data-protection
Azure has detailed descriptions of data storage, security and compliance on the following pages:
- Data Centers and Security: azure.microsoft.com/en-us/global-infrastructure/locations
- Data Center location and Storage: microsoft.com/en-us/trust-center/privacy/data-location
Logging and monitoring
We continuously monitor and log all systems as do our service providers.
Our DevOps team is available 24/7 for emergencies relating to security intrusions or suspected threats.
We use HTTPS to protect our network communication over public networks.
Access to the Certainly Production System is restricted, and employees must complete two-factor authentication before gaining access. Data access is controlled and reviewed regularly by our DevOps team.
Data in transit is encrypted with HTTPS (TLS); our configuration scores an "A-" in the SSL Labs test. Data at rest is encrypted using the 256-bit Advanced Encryption Standard (AES-256).
Secure Development (SDLC)
The platform has a production and a staging environment that are completely separated from one another. This prevents any private customer data from being used in the staging environment.
System configurations and integrations can be accessed and administered only through the console, and only by Certainly lead developers.
Secure Credential Storage
No user passwords are stored in Certainly databases; credentials are handled by a SOC 2 compliant third-party provider.
API Security & Authentication
Certainly's API is served only over TLS (SSL), and every request is authenticated by verifying the calling user. Two methods of authentication are supported for authorizing against the API: username and password, or a JWT.
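As an added illustration, not Certainly's own code and not a description of its actual API or token format, the following shows the server-side checks a JWT-authenticated API must perform before trusting a request: the signature is verified with a pinned algorithm (so an attacker cannot pick "alg": "none"), and the expiry is enforced. The shared HS256 secret, the claim names and the token lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret: the real service's keys and token format are
# not known; this value is an assumption for illustration only.
SECRET = b"example-shared-secret-not-real"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict, secret: bytes = SECRET,
                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT carrying `claims` plus iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _compact_json(header) + "." + _compact_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none_token(claims: dict) -> str:
    """Build the classic unsigned 'alg: none' forgery an attacker would try.
    Exists only so the verifier below can be shown rejecting it."""
    header = {"alg": "none", "typ": "JWT"}
    return _compact_json(header) + "." + _compact_json(claims) + "."


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the header is attacker-controlled, so it must never
    # select the verifier. This rejects "none" and RS/HS key-confusion tokens.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the MAC byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token({"sub": "alice"})
    print("valid token ->", verify_token(tok))
    print("alg:none forgery ->", verify_token(forge_alg_none_token({"sub": "alice"})))
```

A username/password request would be checked against the external credential provider instead, but the same rule applies: the decision to accept a request is made on the server from the verified material, never from anything the client merely asserts.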
Employee Check and Agreements
Background checks are carried out on all new employees joining Certainly, in accordance with local laws. After screening and hiring, employees must sign Non-Disclosure and Confidentiality agreements. We also ensure that only employees with a work-related purpose have access to personal data.
If you have any questions relating to our Data Policy please email us at firstname.lastname@example.org.