This document declares the WAIR Information Security Management Program.
Security at WAIR
Cloud Security Architecture
WAIR hosts its software on Amazon Web Services (AWS). As a WAIR customer you inherit the physical and infrastructure security controls that AWS maintains, and WAIR layers its own security practices on top of them: under the shared responsibility model AWS secures the underlying cloud, and WAIR secures what it runs in it. WAIR also follows industry best practices for developing and testing the WAIR application, so that code meets our quality standards before it becomes part of a WAIR release.
Cloud Infrastructure

AWS facilities
The WAIR application runs in AWS facilities that are covered by more than 50 data security certifications, regulations, and frameworks. Physical security is managed by AWS; facilities are monitored by video surveillance and intrusion detection systems.

Separation of customer data
The WAIR application is hosted in a single-tenant environment: each customer runs on its own instances, separate from those of other WAIR customers, rather than sharing an application instance or database. By default a customer's instances are deployed in a single AWS Availability Zone (AZ).

Data Security Architecture
WAIR follows AWS security architecture best practices. The architecture is designed to minimize attack surface, and configuration management is automated so that environments stay consistent.

Redundancy
WAIR uses a cloud-based distributed backup framework for all customer data.

Availability and durability
The WAIR application and its backups are hosted across multiple AWS data centers.
Monitoring & Authentication

Network and application vulnerability scanning
WAIR's front-end application and back-end infrastructure are scanned for known security vulnerabilities at least monthly.

Centralized logging
Logs from the WAIR production and corporate environments are collected and stored centrally, where they are monitored and used to alert on possible security events.

Reputation monitoring / threat intelligence
Collected logs and network activity are checked against commercial threat intelligence feeds for potential risks.

Anomaly detection
Anomalous activity, such as unexpected authentication activity, triggers alarms.
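As an added example (not WAIR's own detection code), the following Go program shows the kind of rules the threat intelligence and anomaly detection items above describe. It parses constructed authentication log lines, flags any source IP that appears on a blocklist standing in for a commercial threat intelligence feed, and raises an alarm when a burst of failed logins for one user is followed by a success. The log line format, the blocklist contents, the failure threshold and the time window are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed authentication log line.
type AuthEvent struct {
	When        time.Time
	User, SrcIP string
	Result      string // "success" or "failure"
}

type Alert struct{ Rule, User, Note string } // which rule fired, for whom, and why

// parseAuthLine parses the assumed line format
// "2024-05-01T09:12:03Z user=alice ip=203.0.113.7 result=failure".
func parseAuthLine(line string) (AuthEvent, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return AuthEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuthEvent{}, err
	}
	ev := AuthEvent{When: when}
	for _, kv := range fields[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return AuthEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch k {
		case "user":
			ev.User = v
		case "ip":
			ev.SrcIP = v
		case "result":
			ev.Result = v
		}
	}
	return ev, nil
}

// Detect runs two rules over lines given in timestamp order:
//   - threat-intel: the source IP is on blocklist (standing in for a commercial feed);
//   - brute-force: at least threshold failures for one user within window, then a success.
func Detect(lines []string, blocklist map[string]bool, threshold int, window time.Duration) ([]Alert, error) {
	var alerts []Alert
	failures := map[string][]time.Time{} // per-user timestamps of recent failures
	for _, line := range lines {
		ev, err := parseAuthLine(line)
		if err != nil {
			return nil, err
		}
		if blocklist[ev.SrcIP] {
			alerts = append(alerts, Alert{"threat-intel", ev.User, "source " + ev.SrcIP + " is on the blocklist"})
		}
		switch ev.Result {
		case "failure":
			failures[ev.User] = append(failures[ev.User], ev.When)
		case "success":
			recent := 0
			for _, t := range failures[ev.User] {
				if ev.When.Sub(t) <= window {
					recent++
				}
			}
			if recent >= threshold {
				alerts = append(alerts, Alert{"brute-force", ev.User,
					fmt.Sprintf("%d failed logins within %s before a success", recent, window)})
			}
			delete(failures, ev.User) // a success closes the window
		}
	}
	return alerts, nil
}

// SampleLog and SampleBlocklist are constructed for illustration, not WAIR data.
var SampleLog = []string{
	"2024-05-01T09:00:00Z user=alice ip=198.51.100.4 result=success",
	"2024-05-01T09:10:00Z user=bob ip=203.0.113.7 result=failure",
	"2024-05-01T09:10:05Z user=bob ip=203.0.113.7 result=failure",
	"2024-05-01T09:10:09Z user=bob ip=203.0.113.7 result=failure",
	"2024-05-01T09:10:14Z user=bob ip=203.0.113.7 result=success",
	"2024-05-01T09:30:00Z user=carol ip=192.0.2.99 result=success",
}
var SampleBlocklist = map[string]bool{"192.0.2.99": true}

func main() {
	alerts, err := Detect(SampleLog, SampleBlocklist, 3, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-12s user=%-6s %s\n", a.Rule, a.User, a.Note)
	}
}
```

Run as-is it prints one brute-force alert for bob and one threat-intel alert for carol. In a real pipeline the blocklist would be refreshed from the feed and the window tuned per application; the structure (parse, enrich against intelligence, stateful sequence rule) stays the same.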
Data Security Encryption

AES encryption
Sensitive application data stored locally, including database connection configurations and cached query data, is encrypted at rest using AES.

Secure credential storage & encryption
Native usernames and passwords are stored in Auth0, WAIR's identity provider, which applies its own credential hashing and protection measures.

TLS encryption
Data in transit between the user's browser and the application is encrypted with TLS.
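An added example, not WAIR's own code, of what encrypting locally-stored configuration with AES means in practice. It uses AES-256-GCM from the Go standard library with a fresh random nonce per call and binds a label (the config file name, an assumed convention) as additional authenticated data, so a tampered blob, a wrong key, or a blob copied from another file fails to decrypt instead of yielding garbage. The sample connection string is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD; GCM gives confidentiality and integrity together.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey returns a random 32-byte key. In a deployment the key would come from a
// KMS or secrets manager and never sit on disk beside the encrypted file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptConfig seals plaintext under key and returns nonce || ciphertext || tag.
// A fresh random nonce is drawn per call (nonce reuse breaks GCM), and label is
// bound as additional authenticated data so a blob sealed for one file cannot be
// presented as another.
func EncryptConfig(key []byte, label string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptConfig reverses EncryptConfig. It fails closed: a wrong key, a wrong
// label, or a single flipped bit anywhere in blob yields an error, never garbage.
func DecryptConfig(key []byte, label string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample; not a real WAIR connection string.
	cfg := []byte(`{"dsn":"postgres://app:s3cret@db.internal:5432/wair"}`)
	blob, err := EncryptConfig(key, "db.json", cfg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d bytes\n", len(cfg), len(blob))
	if _, err := DecryptConfig(key, "cache.json", blob); err != nil {
		fmt.Println("wrong label rejected:", err)
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptConfig(key, "db.json", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The practitioner's check here is the failure path: encrypting with an unauthenticated mode such as AES-CBC would decrypt a tampered or mislabelled blob to something, and the application would only notice when it tried to use it. GCM makes the check explicit and cheap.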
Product Security
Overview

Code development
Code is developed under a documented SDLC process that includes guidance on how code is tested, reviewed, and promoted to production.

Peer review and unit testing of code
Code is peer reviewed before being merged into the master branch of the WAIR application. Functional and unit tests are run with automated tools.

Routine developer training
Developers are regularly trained on secure coding practices.

Code quality tests
WAIR runs automated tests that specifically target injection flaws, input validation, and correct CSRF token usage.

Two-factor authentication
Two-factor authentication is not yet available; it is currently in development and is planned for release in the coming months.
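An added example, not WAIR's own test suite, of an automated check for correct CSRF token usage of the kind mentioned under "Code quality tests" above. It wraps an HTTP handler in a middleware that derives the expected token from the session cookie with HMAC-SHA256 under a server secret, compares it in constant time, and then drives the handler with constructed POST requests. The cookie name, form field name, route, and secret are assumptions for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// tokenFor derives the CSRF token for a session as HMAC-SHA256(secret, sessionID).
// Binding the token to the session means one lifted from another session is
// useless, and the server does not have to store tokens at all.
func tokenFor(secret []byte, sessionID string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(sessionID))
	return hex.EncodeToString(mac.Sum(nil))
}

// RequireCSRF rejects state-changing requests whose csrf_token form field does
// not match the token for the "session" cookie. Cookie and field names are assumed.
func RequireCSRF(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods carry no token
			return
		}
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusForbidden)
			return
		}
		got := []byte(r.FormValue("csrf_token"))
		want := []byte(tokenFor(secret, c.Value))
		// Constant-time compare so a wrong token cannot be guessed byte by byte.
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "invalid CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// postStatus sends a constructed POST /settings through RequireCSRF and returns
// the HTTP status code, which is what an automated test asserts on.
func postStatus(secret []byte, sessionID, token string) int {
	h := RequireCSRF(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent) // the protected action ran
	}))
	form := url.Values{"csrf_token": {token}}
	req := httptest.NewRequest(http.MethodPost, "/settings", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if sessionID != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-server-secret-for-illustration")
	cases := []struct{ name, session, token string }{
		{"valid token", "sess-1", tokenFor(secret, "sess-1")},
		{"missing token", "sess-1", ""},
		{"token from another session", "sess-1", tokenFor(secret, "sess-2")},
		{"no session cookie", "", tokenFor(secret, "sess-1")},
	}
	for _, c := range cases {
		fmt.Printf("%-28s -> %d\n", c.name, postStatus(secret, c.session, c.token))
	}
}
```

Only the first case should reach the protected handler (204); the other three must be refused (403). A test that stops at "valid token works" misses the point; the negative cases are what prove the protection is wired in.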
Corporate Security
WAIR has security protocols that cover WAIR office spaces and materials containing sensitive information. WAIR also vets and trains staff so that there is an organization-wide appreciation of data security.
For more information about how we work with your data, see WAIR's Privacy Policy.
Personnel & Third Parties

Security organization
Led by the Chief Technology Officer (CTO), WAIR has established an information security function responsible for security and data compliance across the organization.

Policies and procedures
WAIR has implemented security policies that are maintained, communicated, and approved by management so that everyone knows their security responsibilities.

Confidentiality agreements
New contractors and employees are required to sign confidentiality agreements.

Security awareness education
WAIR's new hires complete security training as part of their initial training with the company. Employees receive routine security awareness training and confirm adherence to Company security policies. WAIR employees are reminded of security best practices through informal and formal communications.

Vendor management
WAIR maintains a vendor management program to ensure that third parties meet an expected level of security controls.

Risk management
WAIR maintains a security risk management program. The CTO leads a quarterly meeting on security initiatives and their risk management.
Incident Response

On-call
WAIR's Security and Operations team is on call to respond promptly to security alerts and events.

Policies and procedures
WAIR maintains a documented incident response plan.

Incident response training
Employees are trained on security incident response processes, including communication channels and escalation paths.
WAIR Hardware

Laptop protection
Laptop hard drives are encrypted and laptops require a login password. An antivirus (AV) solution is installed on laptops to protect against malware and to monitor for possible security events.
Data Security, Privacy & Compliance
One of the priorities of WAIR's security practices is to ensure that the use of your data is transparent, safe, and respectful. To that end, WAIR performs assessments to confirm that risks are appropriately mitigated and that controls are designed and operating effectively.
Please consult WAIR’s Privacy Policy for more information.