Version 1.0 - Effective July 1st, 2021
First things first
We are committed to protecting your information. Security is embedded in our organization, Conveyor. We have implemented robust and extensive security policies, controls and processes to protect your data.
This security policy applies to the information we collect, receive, or use on or in connection with websites owned or controlled by Conveyor, Inc., a Delaware corporation ("Conveyor" or "we" or "our" or "us"), including www.conveyor.com, applications, products, features, services, marketing, email or other site-related electronic communications, whether online or offline, or any portion thereof (collectively, the "Service").
This policy outlines: 1) Conveyor's security practices and resources, and 2) your security obligations.
Obligations under this policy (both ours and yours) are incorporated by reference into the Conveyor Terms of Service.
Without limiting any provision of the Conveyor Terms of Service, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access or disclosure.
You are responsible for properly configuring and using the Services and taking your own steps to maintain appropriate security, protection and backup of Your Content.
Reporting Security Vulnerabilities
If you discover a potential security vulnerability, please see our policy on Responsible Disclosure. We strongly prefer that you notify us in private. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Conveyor’s policies, procedures and processes are designed based on leading security frameworks such as the AICPA SOC 2 Trust Services Criteria.
We also run a responsible disclosure program for security vulnerabilities.
Infrastructure & Data Center Security
Conveyor runs on Aptible Deploy, a platform-as-a-service which is SOC 2 Type 2 certified and HITRUST validated. Aptible Deploy runs in AWS computing environments that are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards, including the HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS data center environmental controls include:
- Fire detection and suppression systems
- Redundant power systems, backed by Uninterruptible Power Supply units and generators
- Climate and temperature controls
- Active system monitoring
Secure Software Development
Conveyor has implemented policies, procedures and processes to ensure that systems and application development is done in a secure manner. An end-to-end SDLC framework is in place where security and privacy practices are embedded into the design and development of Conveyor’s products.
Conveyor has policies and processes in place to ensure that we can continue to provide critical functions in the event of a disaster. Our infrastructure runs on systems that tolerate failures of individual servers. Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability.
Conveyor automatically performs backups of certain types of data:
- Customer metadata is stored in the Conveyor APIs, backed by the Amazon Relational Database Service. This metadata includes customer account data (passwords, permissions, SSH keys). Backups are taken nightly and retained for one week.
- We periodically test our backup and restoration procedure to ensure that we can recover from major disasters.
Conveyor maintains policies, procedures and processes to control access to Conveyor’s systems. Conveyor workforce members are granted least-privilege access to customer environments only when a specific business need arises. Workforce members undergo criminal background screening before hire.
In the event of a potential security incident, Conveyor will notify any affected customer. Conveyor has incident management policies in place that define the handling of such events.