We take your security very seriously.
Here’s an overview of the security controls we’ve put in place to protect your data.
Key Security Features
We enable encryption of sensitive data both at rest and in transit over public networks.
We host your data in its own secure database.
We have point-in-time recovery for our databases, which are stored in authentication-protected storage.
We are hosted on AWS, which provides robust, physical data center security and environmental controls.
We use OAuth2 to securely authorize other SaaS services and do not store your username or password for those services.
Customers can configure roles that further restrict what actions their users can take on their data.
You will always own your data.
We regularly work with industry-leading third party penetration testing firms.
All the enterprise-grade certifications you need
You can’t focus on delivering excellent customer experiences if you’re worried about security.
That’s why Airkit rigorously maintains the following security and privacy certifications:
A commitment to reliability.
We believe in complete transparency when it comes to uptime. That’s why you can view our track record on our status page.
Our architecture is built for security.
Every brick in our foundation was built with compliance in mind. We want our customers to be free to build beautiful experiences for their customers, knowing security is addressed.
Is Airkit’s data center secure?
Our online infrastructure is built on Amazon Web Services, which maintains an extensive set of certifications, including SOC 2, ISO 27001, and FedRAMP, that cover the service’s security, confidentiality, availability, and integrity.
More information is available here: https://aws.amazon.com/security/
Does Airkit encrypt data in transit and at rest?
Yes to both.
We use TLS 1.2 encryption for communication with our website and APIs, automatic HTTP to HTTPS redirection, and HTTP Strict Transport Security (HSTS) to prevent downgrade attacks. Our default cipher suites provide Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).
All customer data is encrypted at rest using AES-256. Encryption keys are stored in hardware security modules (HSMs) and periodically rotated.
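The three transport properties claimed above (HTTP to HTTPS redirection, an HSTS policy that blocks downgrade, and cipher suites with forward secrecy and AEAD) are each something a customer can verify from the outside. The following is an added example, not code from Airkit, that runs those checks over constructed sample responses and cipher-suite names; the hostname `example.test`, the responses, and the one-year `max-age` floor are assumptions made for the example.

```python
"""Checks for the transport-security properties described above: HTTP->HTTPS
redirection, an HSTS header that prevents downgrade, and cipher suites that
give forward secrecy (ephemeral key exchange) and AEAD.  The responses and
cipher names below are constructed sample values, not captured from any
real service."""

from typing import Dict, List, Tuple

# Constructed sample: what the plaintext origin answers to a request for "/".
HTTP_RESPONSE = (301, {"Location": "https://example.test/"})

# Constructed sample: headers returned by the HTTPS origin.
HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Type": "text/html",
}

# One year; assumed floor, and the minimum the HSTS preload list accepts.
MIN_HSTS_MAX_AGE = 31536000


def check_https_redirect(status: int, headers: Dict[str, str]) -> List[str]:
    """Return findings (empty list means the plaintext origin redirects to HTTPS)."""
    findings: List[str] = []
    if status not in (301, 302, 307, 308):
        findings.append(f"plaintext origin returned {status}, expected a redirect")
        return findings
    location = headers.get("Location", "")
    if not location.lower().startswith("https://"):
        findings.append(f"redirect target is not HTTPS: {location!r}")
    return findings


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains; preload' into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings about the Strict-Transport-Security header."""
    findings: List[str] = []
    # Header names are case-insensitive, so match on a lower-cased key.
    raw = next((v for k, v in headers.items()
                if k.lower() == "strict-transport-security"), None)
    if raw is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    directives = parse_hsts(raw)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        findings.append("HSTS max-age missing or not an integer")
        return findings
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains")
    return findings


def classify_cipher(name: str) -> Tuple[bool, bool]:
    """Return (forward_secrecy, aead) for an IANA- or OpenSSL-style suite name.

    Forward secrecy needs an ephemeral (EC)DHE exchange; every TLS 1.3 suite
    has one.  AEAD modes are GCM, CCM and ChaCha20-Poly1305."""
    upper = name.upper()
    tls13 = upper.startswith("TLS_AES_") or upper.startswith("TLS_CHACHA20_")
    pfs = tls13 or "DHE" in upper          # matches both DHE and ECDHE
    aead = any(tag in upper for tag in ("GCM", "CCM", "CHACHA20"))
    return pfs, aead


if __name__ == "__main__":
    print(check_https_redirect(*HTTP_RESPONSE) or "redirect: ok")
    print(check_hsts(HTTPS_HEADERS) or "hsts: ok")
    for suite in ("ECDHE-RSA-AES256-GCM-SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"):
        print(suite, classify_cipher(suite))
```

Against a live service the two response tuples would come from an HTTP client and the suite name from the negotiated TLS session; the checks themselves are unchanged.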
Does Airkit monitor its performance?
We collect logs of system events throughout our infrastructure, including cloud-level, application-level, and data-store-level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.
Does Airkit back up my data?
Customer data is backed up daily using automated snapshots that are stored in authentication-protected storage with pre-defined retention times. System administrators are notified of failed or delayed backups.
Is the Airkit application itself secure?
Our development team follows best practices in code development, testing, and deployment. As part of that process we use frameworks that provide protections against common web vulnerabilities (e.g. the OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities, and tickets are automatically opened for engineers to review and upgrade packages.
Does Airkit conduct regular penetration tests?
Our services are tested periodically by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team.
Does Airkit decommission hardware that stores my information?
The secure decommissioning of hardware used to manage and store customer data is handled by our cloud provider, which uses a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.
Does Airkit have a company-wide security policy?
We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure, including:
* System Inventory
* Data Classification
* System Lockdown Procedures
* Data Access
* Incident Response
* Backups and Restoration
Do Airkit employees sign confidentiality agreements?
All employees and contractors are required to sign confidentiality agreements.
Is security a priority during employee onboarding and offboarding?
All employees are onboarded using a standard process to ensure they receive the training and access appropriate to their job role. Our offboarding process is designed to promptly remove access and accounts when employees leave the company or change job roles.
Are Airkit employee hardware devices secure?
Our employee computers and company mobile devices are required to meet a set of security requirements, including full disk encryption, timely vulnerability updates, a company-approved password manager, and login restrictions.
How will Airkit authenticate users to our portal?
Customers can authenticate to our service using 2FA. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.
How does Airkit maintain password security?
User passwords must meet minimum length requirements. Brute-force protection is implemented using account throttling: repeated failed attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored as salted hashes rather than in recoverable form.
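The two mechanisms in that answer, salted password hashing and a per-account progressive delay, fit in a few dozen lines. The following is an added example, not Airkit's code, showing one way to implement them: it uses scrypt from the Python standard library as the salted hash, doubles the delay after each failure up to a cap, and takes an injected clock so it runs offline. The scrypt parameters, the one-second base delay, the 300-second cap, and the sample user are assumptions made for the example.

```python
"""Salted password storage plus progressive-delay login throttling, as
described above.  Example code, not Airkit's.  The clock is injected so the
throttle can be exercised without sleeping."""

import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Assumed scrypt parameters: n=2**14, r=8, p=1 is a common interactive baseline
# and needs about 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16
BASE_DELAY = 1.0     # seconds of delay after the first failure (assumed)
MAX_DELAY = 300.0    # cap so the delay cannot grow without bound (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || scrypt(password, salt).  A fresh random salt per password
    means two users with the same password get different stored values."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


def required_delay(failures: int) -> float:
    """Progressive delay: 0 after no failures, then 1s, 2s, 4s, ... up to MAX_DELAY."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)


class FakeClock:
    """Constructed clock for offline use; set .t to advance time."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class LoginThrottle:
    """Counts failures per submitted username and rejects attempts that arrive
    before the progressive delay since the last failure has elapsed."""

    def __init__(self, users: Dict[str, bytes], clock: Callable[[], float]):
        self.users = users                      # username -> salt || hash
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.last_failure: Dict[str, float] = {}

    def attempt(self, username: str, password: str) -> str:
        now = self.clock()
        wait = required_delay(self.failures.get(username, 0))
        if wait and now - self.last_failure.get(username, 0.0) < wait:
            return "throttled"      # rejected before the password is even checked
        # Failures are counted by submitted name whether or not the account
        # exists, so guessing names does not bypass the throttle.
        stored = self.users.get(username)
        if stored is not None and verify_password(password, stored):
            self.failures.pop(username, None)
            self.last_failure.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        self.last_failure[username] = now
        return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle({"alice": hash_password("correct horse")}, clock)
    for t, pw in ((0.0, "wrong"), (0.5, "wrong"), (1.0, "wrong"), (3.0, "correct horse")):
        clock.t = t
        print(f"t={t:>4}: {throttle.attempt('alice', pw)}")
```

The throttle keys its state on the submitted username, so a wrong password and an unknown user are both counted; a successful login clears the counter. In a real deployment the counters would live in shared storage rather than in-process memory, and the cap keeps a sustained attack on one account from turning into an indefinite lockout of its legitimate owner.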
How is cloud access handled?
Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for internal systems. All administrative access to cloud systems is logged.
Who has administrative access to our database?
Administrative access to production databases is restricted to a subset of our engineering team. All access uses unique accounts, and administrator activity is logged to our centralized logging system.
Where is Airkit code stored?
Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.