1. Overview

Afi G Suite Backup application usage is governed by Terms of Service and Privacy Policy agreements. Afi works with leading cloud infrastructure providers to ensure the security and reliability of its service, in addition to:

2. Secure Software Development Life Cycle

Afi source code is reviewed internally using guidelines from OpenSAMM and Microsoft SDL frameworks. Our software code is stored in BitBucket source code management system located in the United States. The system tracks source code access and modification activity. The source code management system can be accessed only from devices that are compliant with Afi security policies. Only authorized R&D engineers access the source code and only for the tasks assigned to them.

3. Infrastructure

Afi relies on GCP, and/or AWS and Azure for cloud hosting and storage services. Customer data is stored in an encrypted archive (see paragraph 4) on redundant object storage, and is accessed via Afi application services that manage user access rights and permissions.

4. Encryption

We use Transport Layer Security (TLS 1.2) cipher for data in transit. All data to and from our cloud service is encrypted using TLS 1.2. Data at rest is stored in cloud storage protected by Advanced Encryption Standard 256bit (AES256) cipher.

5. Compliance

HIPAA
We would like to emphasize, that there is no certification recognized by the US HHS for Health Insurance Portability and Accountability Act (HIPAA) compliance. Complying with HIPAA is based on vendor self-assessment. Following HIPAA rules and provisions is a shared responsibility between Afi and Google. Afi application is compliant with HIPAA and we use GCP infrastructure that declares compliance with HIPAA. Business Associate Agreement (BAA) is available for signature per request.
PCI
Afi meets PCI DSS compliance requirements and shares this responsibility with GCP and Stripe. We use these infrastructure providers and they have been assessed by Qualified Security Assessors which validated specific requirements and found that they are compliant with PCI-DSS.
GDPR
The GDPR requires Afi to protect the privacy and personal data of EU citizens and transactions that occur within EU member states. All Afi products and services are compliant with the GDPR. Major GDPR requirements and Afi features that help to address them include:

  1. Storing and processing data within EU. Afi enables you customers to select where their data is stored by specifically setting the pre-defined destinations
  2. Right to erasure. Afi will locate and remove data from the system in a timely manner upon request
  3. Security. All the customer data in transit and at rest is encrypted as described in paragraph 4. Afi follows Secure Software Development Cycle as outlined in paragraph 1
  4. Records of processing activities. Afi audit log provides visibility on all actions performed in the system and enables customers to retrieve these logs when required.

Other
Afi relies on Google Security Model that provides top-level security of the cloud to its customers which holds the following compliance certifications: SOC1, SOC2, SOC3, ISO 9001, ISO 27001, MPAA, FISMA, FERPA, CJIS, CSA, DIACAP, FedRAMP, ITAR, FIPS 140-2, G-Cloud.

6. Vulnerability assessments

Afi conducts application vulnerability testing internally on a regular basis. Our engineering team preforms regular security patches and upgrades. We share results of vulnerability assessments with the management and our board of directors.

7. Independent Review

In 2019 Afi plans to complete third party source code and infrastructure review project with Google. Google is an American technology company that specializes in Internet-related services and products and it is our main infrastructure partner.

8. Data Deletion Policy

In order to protects customers from data loss, Afi does not allow customers to delete or modify backed up data directly from Afi application. Customer data can be deleted from our servers only after a direct request addressed to support@afi.ai by a domain administrator. Data from inactive non-paying customers is erased within 1 month of inactivity period/trial expiration. Send a request to support@afi.ai if you wish to erase the data sooner.

9. Credentials & Access Control

Afi does not require Google user credentials and we do not store your passwords on our servers. Afi cannot access passwords as we uses OAuth 2.0 to access G Suite data. Our software is designed in a way to make it impossible for Afi employees to access encrypted customer data.

10. Disclosure Policy

We do not and will not provide any customer information to any organizations. Where required to do so by law, we will disclose customer information to law enforcement agencies in the United States and European Union. As of January 2019, we have not received any requests from law enforcement agencies and have not disclosed any customer information to them.

Last updated March 30th, 2019