The Securiti platform was developed using multiple data centers to ensure high redundancy and availability to meet our commitments to uptime and performance. Privaci is the first product suite offered on the Securiti platform.
Securiti uses security tools to scan its environment and services. We also engage professional security vendors to perform third-party penetration tests and audits of our environment on an annual basis, while internal system scans are performed weekly. Securiti uses multiple data centers (AWS availability zones) to provide redundancy; the data centers are geographically distributed and are highly redundant within an AWS region.
Access to customer data
A subset of Securiti's personnel have access to customer data as necessary to support the platform. Individual access is granted based on the role and job responsibilities of the individual. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.
Secure data handling and destruction
Securiti has taken a simple, no-nonsense approach to security.
Our solution is hosted on Amazon Web Services. AWS is responsible for the security of the underlying cloud infrastructure, and Securiti takes responsibility for securing the workloads we deploy in AWS. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Any device storing any data is subjected to data-at-rest encryption. Thus, a decommissioned device cannot be misused.
Securiti makes use of per-customer, virtual database instances to logically separate one customer’s data from other customers’ data. When a customer stops using the service, Securiti destroys the corresponding virtual database instance. Any customer data that is identified and cataloged by Securiti as personal data is subjected to a one-way, irreversible hash and stored in the virtual database instance of the customer. At no point is personal data captured in clear text in logs or the database.
The Securiti platform’s first product, Privaci, provides the broad functionality of Privacy Operations and Management (PrivacyOps) to its customers. The Securiti platform is provided as a multi-tenant, cloud-based service, accessible on the internet via web browsers such as Chrome, Firefox, etc. As a user of the Securiti platform, customers should be proactive in recognizing the value, sensitivity, and need to safeguard the information provided by the service and access to the policy enforcement capabilities. This document details Securiti customer responsibilities as they relate to use of the Securiti platform. It is the responsibility of Securiti customers to familiarize themselves with the information and procedures set forth below and comply with them.
Safeguarding of assets & information
To safeguard information assets and policy enforcement capabilities available in the Securiti platform, the customers’ IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Securiti platform account credentials. As with most cloud services, access to the Securiti platform requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the Securiti platform service, it is the customer’s responsibility to manage which end users should be given access. Customers should also define when access should be taken away from the end users. For example, access should be revoked upon end user’s separation from employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Securiti platform service.
Securiti’s platform service should be considered sensitive and confidential by Securiti platform users. Users should follow information security best practices in ensuring access to their account credentials is appropriately limited, as well as ensuring that the information and functionality provided by the Securiti platform service is protected and restricted from unauthorized use. Securiti platform users are responsible for maintaining the security and confidentiality of their user credentials (e.g., Login ID and Password), and are responsible for all activities and uses performed under their account credentials whether authorized by them or not. By establishing user credentials and accessing the Securiti platform, end users of the Securiti platform service agree to comply with these requirements to safeguard assets and account information.
The Securiti platform service is accessible to the global Internet public; as a result, great care must be exercised by Securiti platform users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing the Securiti platform service, end users agree to proactively protect the security and confidentiality of their user credentials and never share service account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Securiti platform accounts. Any loss of control of passwords or user identifications could result in the loss of “Personally Identifiable Data (PII)” and the culpable account owner(s) may be liable for the actions taken under their service account credentials whether they authorized the activity or not. Additionally, when establishing Securiti platform account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.
Reporting operational issues
All Securiti services are monitored 24×7 and the status of the platform is updated at status.securiti.ai. Any scheduled maintenance is also posted on the status page. On the occasion that Securiti users observe performance issues, problems or service outages, users can open a ticket at support.securiti.ai or email email@example.com to report such issues.
Incidents and breaches
By establishing Securiti platform account credentials or accessing its service, end users of the service agree to notify Securiti immediately of any security incident, including any suspected or confirmed breach of security, by opening a support ticket at support.status.ai or by emailing firstname.lastname@example.org or email@example.com. Also, users of the service agree to log out of or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Securiti platform users should also notify Securiti immediately if they observe any activity or communications in other forums that may indicate that other Securiti customers have had their accounts compromised. Lastly, Securiti encourages users to practice responsible disclosure by notifying Securiti of any identified security vulnerabilities. Securiti is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported. Furthermore, Securiti will prioritize and fix security vulnerabilities in accordance with the risk that they pose.
Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Securiti users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.
Responsible disclosure policy
Securiti is dedicated to keeping its cloud platform safe from all types of security issues, thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you are a dedicated security researcher or vulnerability hunter and have discovered a security flaw in the Securiti platform, including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Securiti. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not known to us. While reporting the security vulnerability to Securiti’s Security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please provide the complete details. We determine the impact of a vulnerability by looking into the ease of exploitation and business risks associated with the vulnerability.
As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Securiti’s security team commits to:
- Acknowledge receipt of the reported security vulnerability in a timely fashion
- Notify you when the vulnerability is remediated
- Extend our gratitude by providing a token of appreciation for supporting us in making our customers safe and secure
Please send the details of the discovered vulnerability or any security issue to: firstname.lastname@example.org.