Security and Customer Data Protection

The security, integrity, and availability of your data are our top priorities. We know how vital it is to your business success. To ensure you never have to worry, we use a multi-layered approach to protect and monitor all your information.

Reliability & availability

It is our goal to ensure minimal service impacts and downtime. Every component in the application infrastructure is redundant. There are at least two of each component that processes the flow and storage of data. All network devices, including firewalls, load balancers, and switches are fully redundant and highly-available. Customers can see our system status in real-time on our status page, where we communicate any incidents and planned maintenance.

Backups

Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.

Isolation

Our highly distributed backend platform employs isolation design patterns to mitigate risks across components. Failures of one component rarely affect other components.

DevOps best practices

Our development team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. Any 24/7/365 on-call team member is empowered to rebuild systems and topologies with full consistency. In the event of system loss, our development team quickly recreates systems by executing the infrastructure code.

Monitoring & on-call support

We monitor continuously from around the world, displaying, alerting, and reporting upon our entire technical environments in real-time. Supporting customers is a collaboration between our customer-facing support team, and our engineering team. Specialized engineers are on call 24/7/365. When problems occur our teams are promptly notified, automatically provided with context, and are enabled with tools to help collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.

Data center

Oktopost is hosted by Amazon Web Services (AWS). AWS maintains the world-leading hosting facilities which are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.

Data location

Customer data is hosted in the United States, in AWS’s us-east-1. Oktopost relies on the SCC to transfer data between the EU and US, which are included in our customer agreements, to ensure GDPR compliance.

Environmental Security Controls

AWS data centers maintain Redundant HVAC (Heating Ventilation Air Conditioning) units which provide consistent temperature and humidity within the raised floor area, Sensors to detect environmental hazards, including smoke detectors and floor water detectors, Raised flooring to protect hardware and communications equipment from water damage, Fire detection and suppression systems (dry-pipe, pre-action water-based), Redundant (N+1) UPS power subsystem with instantaneous failover. There are no product dependencies on Oktopost corporate offices or other facilities we manage.

IT security

Additional security is applied to information technology rooms and systems including forced open door alarms, thread and electronic intrusion detection systems, multi-factor authentication, and media destruction per NIST 800-88.

Physical security

24x7 onsite protection against unauthorized entry, Biometric scanning for controlled data center access, Security camera monitoring, Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.

Customer Data Protection

Account Separation

Oktopost is a multi-tenant Software-as-a-Service (SaaS) product hosted on a virtual private cloud (VPC). Customer data is hosted on the same physical environment but is logically separated to ensure secure access.

Secure Access

Oktopost can be accessed across the Internet from secure and encrypted connections (TLS 1.2) using high-grade 2048 bit certificates. Individual user sessions are protected by unique session tokens and re-verified on each transaction.

Encryption at rest & in transit

All communications over public networks with Oktopost applications and APIs is conducted over TLS/HTTPS. All data is stored encrypted at rest, including for backups. Login credentials and access tokens are encrypted at rest.

Infrastructure & network security

Oktopost has a 24/7/365 monitoring and alerting system deployed to ensure no operational or security events are missed. In addition, Host-based Intrusion Detection is deployed on all production systems.

Network controls

Our private network is segmented into multiple security zones. These bring increasing levels of control, in proximity to customer data.

Incident management & response

Oktopost’s incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.

Scanning

Systems and applications are scanned regularly for common vulnerabilities.

System administration

Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.

Application security

Our developers are given annual training on secure coding. All application code is written by Oktopost employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.

Third-party penetration testing

Oktopost conducts penetration tests on a regular basis. Reports are available upon request by customers under NDA.

Security Reviews

Oktopost conducts Security reviews and threat assessments are based on Open Web Application Security Project (OWASP).

DDoS mitigation

Distributed Denial of Service mitigation is provided via our hosting platform. We employ both a web application firewall (WAF) in addition to AWS Shield.

Secure credential storage

Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.

Brute-force protection

In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections.

Email signing

Oktopost implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Oktopost, helping to prevent spoofing and ensure authenticity.

Employees & internal IT

In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely run, and measured against industry benchmarks.

Information security policies & standards

Oktopost has a comprehensive set of policies and standards covering all aspects of security and privacy. All Employees must affirm their responsibilities in protecting customer data as part of their condition of employment.

Offices

Oktopost offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.

Endpoints

Employee workstations are secured with hard drive encryption, Antivirus and advanced malware detection with central management and control.

Background checks

Employees with access to customer data undergo a criminal history (where allowable by law) and background check prior to employment.

Business continuity

Like the hosting of our products, while Oktopost maintains physical offices around the world, the continued operation of our business is not dependent on these offices. Our products, customer service, and overall business operations are enabled to carry on uninterrupted by physical incidents or issues at our offices. Our team is equipped with Cloud-based tools and remote access & collaboration solutions, and makes use of these tools daily.

Product security features

Every company has unique workflows and requirements when it comes IT and information security. We give you the controls you need to adhere to your security protocols and guidelines.

Approval workflows

Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.

Single sign-on (SSO)

Oktopost offers SAML 2.0 Single sign-on (SSO) for organizations that leverage this authentication service to give employees one set of login credentials to access multiple applications.

Access permissions and Team Segmentation

Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users and groups on their account.

Crisis management

We hope you don’t need to, but in times of crisis, your team has access to one button that temporarily disables any automated scheduled and queued messages from being sent by the platform for both corporate and advocacy.

Session Control

Customers can control the session security settings for people using their instance.

Password Policy

Oktopost allows you to improve your account security with password protection. You can set password history, length, and complexity requirements along with other values. In addition, you can specify what to do if a user forgets their password.

Compliance & certifications

We understand how important security, privacy and data protection are to customers. Which is why we hold certification to demonstrate our compliance.

ISO 27001

Oktopost is ISO/IEC 27001 certified by the Standards Institution of Israel (SII), and by the International Certification Network (IQNET).

EU-US & Swiss-US privacy shield

Oktopost holds a Privacy Shield under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States.

CSA STAR Level 1

Oktopost is a member of the Cloud Security Alliance (CSA) - the world's leading independent organization for defining best practices for cloud service providers. In the spirit of transparency, Oktopost provides answers to common questions customers may have of their cloud provider here.

GDPR

Oktopost is GDPR compliant as both a data controller and data processor of personal data under the General Data Protection Regulation.