Last Updated: July 31, 2018
The security, integrity, and availability of your data are our top priorities. To ensure you never have to worry, we use a multi-layered approach to protect and monitor all your information.
1. Physical Security
Baarei utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: https://aws.amazon.com/security
2. Application Security
We undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Our third party security assessments cover all areas of our application including testing for OWASP Top 10 web application vulnerabilities. Baarei works closely with external security assessors to review the security of our application and apply best practices.
Issues found in our application are risk ranked, prioritized, and assigned to the responsible team for remediation. Baarei’s security team reviews each remediation plan to ensure proper resolution.
Penetration Testing and Vulnerability Assessments
Third party security testing of the Baarei application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team.
Our vulnerability management process is designed to remediate risks without customer interaction or impact. Baarei is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third party mailing lists and services. Each vulnerability is reviewed to determine if it is applicable to Baarei’s environment, ranked based on risk, and assigned to the appropriate team for resolution.
3. Data Security
All private data exchanged with Baarei is always protected using Transport Layer Security (TLS/SSL). If encrypted communication is interrupted, the Baarei application is inaccessible. Baarei does not “fail open.” Baarei is careful not to log sensitive values in clear text.
Protection of Data at Rest
Customer data at Baarei is encrypted at rest using a secure symmetric cipher. AES with a key length of 256 bits is used for both storage of live Service data and Baarei Service backups.
Customer Data Storage Location
Baarei Service data currently resides in the United States of America.
For Service users, we will retain your personally identifying information (PII) for as long as your account is active or as needed to provide you access and use rights, which may include a limited 60-day tail period to allow for an orderly wind-down. Generally speaking, “full resolution” electronic information transmitted or received by you in relation to your use of the Service will be retained for a rolling 15-month look-back period, after which such information may be aggregated on the basis of a one-minute resolution for the duration of the Service period and any tail period. In addition, we may retain and use your information as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
Customer Data Access
Only the CEO, CTO and certain support personnel have access to customer data via access-controlled and logged mechanisms. Personnel engaged in customer support access a support application similar in structure to our end user web application that allows us to access customer data. Access to this system requires authenticating to our central identity provider and using two-factor authentication. Access to the customer support portal is strictly logged. Technical operations personnel have access to the raw service data storage. This access requires using a management VPN, authentication via public key, and two-factor authentication. Access to the staging and production management infrastructure is strictly logged. All other personnel are prohibited from accessing customer data.
4. Customer Security Best Practices
Encrypt Data in Transit
Enable HTTPS for applications and SSL database connections to protect sensitive data transmitted to and from applications.
Secure Development Practices
Apply development best practices for your chosen development language and framework to mitigate known vulnerability types such as those on the OWASP Top 10 Web Application Security Risks.
5. Contact Us
If you have any questions or concerns about our security policy, please email us at security (at) baarei . com.