Security Operations

Athennian employs round-the-clock monitoring tools, controls and policies, together with a dedicated, experienced security team, to provide strong security for its customers. Athennian's underlying AWS infrastructure has met a host of audit and security standards, including SOC 1, SOC 2, PCI-DSS and the EU-US Privacy Shield framework. In addition, Athennian has modeled its security and risk management processes on National Institute of Standards and Technology (NIST) guidance and the SOC 2 Type II requirements. This page provides summary information only. For access to our detailed security and operations documentation, please contact your account representative.
AWS CLOUD DATA CENTERS
All Athennian data and applications, including customer data, are stored on cloud services operated by Amazon Web Services (AWS), the market leader in cloud services. AWS operates the global cloud infrastructure used to provision basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards. Because Athennian is operated on AWS, it is built on top of some of the most secure computing infrastructure in the world.

PHYSICAL STANDARDS AND ENVIRONMENTAL SECURITY
AWS's data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

For more information, please download the AWS Security Whitepaper.

AWS has the following security and operations certifications (a full list of certifications is available from AWS):


Athennian employs industry-standard application security systems and practices. In compliance with our internal policies, detailed descriptions of our application security systems and practices are restricted. However, Athennian utilizes the following systems and practices.

Regular Security Penetration Tests
Annually, Athennian engages leading cybersecurity experts to test our platform with the most current malicious network and application penetration techniques, to verify that Athennian's platform is secure against both internal and external threats.

In-transit and At-Rest Data Encryption
Athennian encrypts customer data both in transit and at rest, so that data is stored and transmitted in the most secure manner possible.

Secure Development Practices
Athennian employs rigorous internal standards for code quality, with mandatory code reviews before any code is deployed into a production environment. Further, all functionality and code is reviewed by our internal security architects to ensure the Athennian platform remains secure as functionality is continually added.

Standardized Employee Security Protocols
Athennian employs rigorous office access policies, multi-factor authentication for internal tools, company-wide device policies, criminal background checks for employees and contractors, and regular and ad-hoc security training.

By employing the right level of processes and procedures in tandem with our overall security strategy, we provide a robust framework for continuous risk management and help secure our operations. Our processes and controls are also designed to support many compliance frameworks and follow industry-standard operations practices.

SOC2
Athennian has adopted the highest standard of organizational controls relevant to cloud SaaS companies, in line with the Trust Services Criteria established by the American Institute of Certified Public Accountants (AICPA). System and Organization Controls (SOC) Reports are independent third-party examination reports that demonstrate how Athennian designs and operates non-financial controls in four key areas related to its software: Security, Availability, Confidentiality, and Privacy. The purpose of these reports is to help you and your auditors understand the controls Athennian has established to support operations and compliance.

SOC2 Type I Report: an attestation of controls at a service organization at a specific point in time
SOC2 Type II Report: an attestation of controls at a service organization over a review period, typically at least six months

Platform Monitoring and Logging
Our operations team uses a set of monitoring alert criteria to define the critical security and availability standards for our platform's production environments. Operations personnel use third-party monitoring tools to closely monitor any spikes in activity above predefined thresholds. We also deploy Intrusion Detection System (IDS) sensors at critical points in our infrastructure to detect and alert our security team to unauthorized attempts to access our platform. Alerts are triggered for anomalies, and operations uses established procedures to address them and any potential security threats they may represent.
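The paragraph above describes threshold-based alerting over activity in the production environment. The following is an added illustration, not Athennian's monitoring code or configuration: a small sliding-window detector that reads authentication log lines and raises one alert per source address once failed logins within a window reach a threshold. The log format, the field names (`user=`, `src=`), the threshold of 5 failures per 60 seconds and the sample lines are all constructed for the example.

```python
"""Sliding-window threshold alerting over constructed auth log lines.

Added example. The log format, threshold and window are assumptions for
illustration; they are not Athennian's actual monitoring criteria.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Lines are in chronological order.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth FAIL user=alice src=203.0.113.5
2024-05-01T10:00:09Z auth FAIL user=bob src=203.0.113.5
2024-05-01T10:00:12Z auth FAIL user=carol src=203.0.113.5
2024-05-01T10:00:15Z auth OK user=dave src=198.51.100.7
2024-05-01T10:00:20Z auth FAIL user=dave src=203.0.113.5
2024-05-01T10:00:25Z auth FAIL user=erin src=203.0.113.5
2024-05-01T10:00:30Z auth FAIL user=dave src=198.51.100.7
2024-05-01T10:01:45Z auth FAIL user=dave src=198.51.100.7
2024-05-01T10:03:00Z auth FAIL user=dave src=198.51.100.7
"""

# Hypothetical alert criteria: 5 or more failures from one source within 60 s.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split '<ts> <component> <outcome> k=v ...' into (datetime, outcome, fields)."""
    ts, _component, outcome, *kv_fields = line.split()
    fields = dict(f.split("=", 1) for f in kv_fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, fields


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source whose FAIL count within `window` reaches `threshold`.

    Lines must be in chronological order. Each alert records the source, the
    count that tripped the threshold, and the first/last timestamps in the window.
    """
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()               # sources already reported (no duplicate alerts)
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ts, outcome, fields = parse_line(raw)
        if outcome != "FAIL":
            continue
        src = fields["src"]
        window_ts = recent[src]
        window_ts.append(ts)
        # Drop failures that have aged out of the window.
        while window_ts and ts - window_ts[0] > window:
            window_ts.popleft()
        if len(window_ts) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "count": len(window_ts),
                "first": window_ts[0],
                "last": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT src={alert['src']} failures={alert['count']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

On the sample input, 203.0.113.5 trips the threshold on its fifth failure at 10:00:20 and is reported once; 198.51.100.7 never has more than one failure inside any 60-second window and stays silent, which is the point of using a sliding window rather than a running total. In a real deployment the threshold and window would be tuned per signal, and the `alerted` set would need an expiry so a source that goes quiet and returns is reported again.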

Access Control
We use access control measures so that as few operators as possible have access to restricted data. Role-based access is defined and deployed to restrict privileged access to information resources based on the principle of least privilege. Authorization requires approval by the management directly responsible for the confidentiality, integrity, and availability of the impacted resources.

Automated Processes
As much as possible, we automate processes and procedures to help create efficiencies, maintain consistency and repeatability, and reduce human error. We use automation in areas including environment configuration and application patch management. 

Change Management Policies
We enforce a comprehensive change management process to help ensure that changes to the network or production environment are documented, tracked, tested, authorized, and approved prior to deployment to production. We monitor the state of the hardware, operating system, and configurations, and we log and execute changes in a controlled way. We also evaluate and check logs for potential unauthorized access and misconfigurations.

Automatic Backups and Redundant Servers
Athennian employs automated backups that securely store versioned data within AWS S3 buckets. Redundant server environments linked together with AWS load balancing provide fail-over should an environment require remediation. Our backups are further supported by a defined and tested Disaster Recovery policy and procedure that is reviewed regularly to ensure it continues to perform as intended.