Security and privacy are our top priority
SOC 2 Type 2 compliant
At theGist, we take our customers’ data very seriously. Since day one, security and privacy have been “job zero” for us and part of every decision that we make.
All of our infrastructure is hosted on AWS managed services. This means that all of our applications and platforms inherit the security, reliability, privacy and encryption standards that AWS provides. AWS complies with dozens of security frameworks and standards, and by selecting only managed services we leave the heavy lifting of managing and securing the underlying infrastructure to AWS.
We only use AWS managed services, and we physically and logically isolate them on a private VPC network. Both network traffic and access control are strictly controlled, and we follow a “Zero Trust” model. An example of this is our use of AWS IAM: having access to the private network is not enough to reach a given system; the user must also be identified and granted access to each resource based on their role and permissions. As part of our continuous compliance and DevSecOps practices, we monitor AWS security event streams such as CloudTrail and GuardDuty. We are notified when our base images have any vulnerabilities and take immediate action.
We perform security background checks on all prospective employees before making an offer of employment. Our onboarding process also focuses on security and privacy, and we require all employees to complete security training. We deploy a company-managed security agent on every workstation to ensure that its hard drive is encrypted, a password manager is in use and an antivirus solution is installed.
Backups and Disaster Recovery
All of our databases are hosted on AWS private networks and use AWS managed services exclusively, including AWS RDS and ElastiCache. Access to databases is granted only to applications and select engineers via AWS IAM, and goes through AWS VPN so that connections to an RDS instance are both IAM-authorized and encrypted. Daily backups are enabled for all databases, along with continuous point-in-time backups that allow us to restore data from any point in the past. We follow AWS best practices for running our platform with high availability and fault tolerance in mind, and we are continuously iterating on this front. We take pride in our technology stack and ensure it is always improving. As Gene Kim put it in The Phoenix Project, “If you are not improving, entropy guarantees that you are actually getting worse, which ensures that there is no path to zero errors, zero work-related accidents, and zero loss.”
We use encryption at rest on all of our databases, specifically the 256-bit Advanced Encryption Standard (AES-256), with symmetric data keys managed by AWS. These data keys are themselves encrypted using a key held in a secure keystore and rotated regularly. For encryption in transit, we enforce HTTPS on all of our services and use certificates with ECDSA keys and SHA-256 signatures, served over the latest TLS 1.3.
We believe that it is not possible to be 100% secure in the current landscape of evolving threats. That is why we always dedicate a share of every development cycle to security-related improvements and bring security into the planning process as early as possible. If you have any questions or want to discuss further, please reach out to firstname.lastname@example.org. We hope you found this article useful!