2. Secure Software Development Life Cycle
Afi source code is reviewed internally using guidelines from the OpenSAMM and Microsoft SDL frameworks. Our software code is stored in the BitBucket source code management system, located in the United States. The system tracks source code access and modification activity. The source code management system can be accessed only from devices that are compliant with Afi security policies. Only authorized R&D engineers access the source code, and only for the tasks assigned to them.
Afi relies on GCP and/or AWS and Azure for cloud hosting and storage services. Customer data is stored in an encrypted archive (see paragraph 4) on redundant object storage and is accessed via Afi application services that manage user access rights and permissions.
We use Transport Layer Security (TLS 1.2) for data in transit. All data to and from our cloud service is encrypted using TLS 1.2. Data at rest is stored in cloud storage protected by the 256-bit Advanced Encryption Standard (AES-256) cipher.
We would like to emphasize that there is no certification recognized by the US HHS for Health Insurance Portability and Accountability Act (HIPAA) compliance. Complying with HIPAA is based on vendor self-assessment. Following HIPAA rules and provisions is a shared responsibility between Afi and Google. The Afi application is compliant with HIPAA, and we use GCP infrastructure that declares compliance with HIPAA. A Business Associate Agreement (BAA) is available for signature upon request.
Afi meets PCI DSS compliance requirements and shares this responsibility with GCP and Stripe. We use these infrastructure providers, and they have been assessed by Qualified Security Assessors who validated the specific requirements and found them compliant with PCI DSS.
The GDPR requires Afi to protect the privacy and personal data of EU citizens and the transactions that occur within EU member states. All Afi products and services are compliant with the GDPR. Major GDPR requirements and the Afi features that help to address them include:
Afi relies on the Google Security Model, which provides top-level security of the cloud to its customers and holds the following compliance certifications: SOC1, SOC2, SOC3, ISO 9001, ISO 27001, MPAA, FISMA, FERPA, CJIS, CSA, DIACAP, FedRAMP, ITAR, FIPS 140-2, G-Cloud.
6. Vulnerability assessments
Afi conducts application vulnerability testing internally on a regular basis. Our engineering team performs regular security patches and upgrades. We share the results of vulnerability assessments with management and our board of directors.
7. Independent Review
In 2019 Afi plans to complete a third-party source code and infrastructure review project with Google. Google is an American technology company that specializes in Internet-related services and products, and it is our main infrastructure partner.
8. Data Deletion Policy
To protect customers from data loss, Afi does not allow customers to delete or modify backed-up data directly from the Afi application. Customer data can be deleted from our servers only after a direct request addressed to email@example.com by a domain administrator. Data from inactive non-paying customers is erased within 1 month of the inactivity period/trial expiration. Send a request to firstname.lastname@example.org if you wish to erase the data sooner.
9. Credentials & Access Control
Afi does not require Google user credentials, and we do not store your passwords on our servers. Afi cannot access passwords, as we use OAuth 2.0 to access G Suite data. Our software is designed in a way that makes it impossible for Afi employees to access encrypted customer data.
10. Disclosure Policy
We do not and will not provide any customer information to any organization. Where required to do so by law, we will disclose customer information to law enforcement agencies in the United States and the European Union. As of January 2019, we have not received any requests from law enforcement agencies and have not disclosed any customer information to them.
Last updated March 30th, 2019