Customer Integration Security Policy
This document outlines our recommended approach for data integration of customer data. Every use case is different, but the following items should cover most scenarios:
- All data will be stored in an Amazon S3 bucket;
- This S3 bucket will be encrypted by default at REST using the proven AWS cryptographic system KMS;
- This S3 bucket will version all content by default;
- Clients will have two possibilities of access:
Using AWS SDK and connected to the AWS Identity and Access Management platform. We will provide AWS credentials to access the dedicated bucket. AWS provides SDKs in C++, Go, Java, Javascript, .Net, NodeJS, PHP, Python and Ruby.
If the client is not familiar with AWS and S3, we will provide a secure SFTP server to access the S3 bucket transparently. We will provide Username / Password credentials to login to the SFTP server. All credentials will be store in AWS Secret Store manager.
- When ACOER provides the password to clients, we will use a secure system ensuring:
One time secrets - as soon as a secret is decrypted, it will only be shown once and deleted afterwards;
Securely encrypted – using modern, state-of-the-art encryption libraries and algorithms based on OpenSSL;
Expiring secrets - a secret will automatically disappear after a specified lifetime, ranging from 5 mins up to 7 days;
Secure connection - the public website is completely protected by an SSL certificate, the Internet's leading encryption technology
- All credentials are tested and verified before any communication with client IT staff;
- After processing (for integration with Acoer analytics technologies), all data is securely stored in a MongoDB data collection (hosted in AWS but managed by MongoDB directly). Using a service fully managed by MongoDB ensures best-in-class automation and proven practices guaranteeing availability, scalability, and compliance with the most demanding data security and privacy standards.
- The entire MongoDB is also fully encrypted using AWS KMS;
- All user access through our web portal is provided through state of the art Okta user credentialing (including use of one-time tokens and multi-factor authentication);
- All of our applications are permissions-based and implement a multi-role security model (not all users have privileged data views);
- Finally, all communications in transit are encrypted using HTTPS by default
