Version 1.1 - Effective January 1st, 2022
First things first
We are committed to protecting your information. Security is embedded in our organization, Conveyor. We have implemented robust and extensive security policies, controls and processes to protect your data.
This security policy applies to the information we collect, receive, or use on or in connection with websites owned or controlled by Conveyor, Inc., a Delaware corporation ("Conveyor" or "we" or "our" or "us"), including www.conveyor.com, applications, products, features, services, marketing, email or other site-related electronic communications, whether online or offline, or any portion thereof (collectively, the "Service").
This policy outlines: 1) Conveyor's security practices and resources, and 2) your security obligations.
Obligations under this policy (both ours and yours) are incorporated by reference into the Conveyor Terms of Service.
Without limiting any provision of the Conveyor Terms of Service, we will implement reasonable and appropriate measures designed to help you secure Customer Content against accidental or unlawful loss, access or disclosure.
You are responsible for properly configuring and using the Services and taking your own steps to maintain appropriate security, protection and backup of Customer Content.
Reporting Security Vulnerabilities
If you discover a potential security vulnerability, please see our policy on Responsible Disclosure. We strongly prefer that you notify us in private. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue.
Conveyor’s policies, procedures and processes are designed based on leading security frameworks such as the AICPA SOC 2 Trust Services Criteria.
We also run a Responsible Disclosure program for security vulnerabilities.
Infrastructure & Data Center Security
Conveyor runs on Aptible Deploy, a platform-as-a-service which is SOC 2 Type 2 certified and HITRUST validated. Aptible Deploy runs in AWS computing environments that are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Additionally, AWS has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards, including the HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS data center environmental controls include:
- Fire detection and suppression systems
- Redundant power systems, backed by Uninterruptible Power Supply units and generators
- Climate and temperature controls
- Active system monitoring
Secure Software Development
- Conveyor has implemented policies, procedures and processes to ensure that system and application development is done in a secure manner. An end-to-end SDLC framework is in place where security and privacy practices are embedded into the design and development of Conveyor’s products.
- Data transfers between users and the Conveyor platform are secured using TLS 1.2 encryption.
- Data within the Conveyor production databases is encrypted at rest using AES-256 encryption.
Risk and Vulnerability Management
- Conveyor completes a risk assessment at least annually to gain an accurate and thorough understanding of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of our products and services.
- Conveyor engages a trusted third party to complete an external penetration test on an annual basis. Identified vulnerabilities are triaged and addressed based on business impact. A summary of the most recent penetration test is available to customers and prospects under NDA in your Conveyor Room.
- Conveyor performs internal vulnerability scans monthly to identify, prioritize, and remediate potential system vulnerabilities.
- Conveyor has implemented vendor risk management policies and procedures to ensure protection of assets and data that are accessible by vendors, and to establish standards for information security and service delivery from vendors.
- Conveyor maintains policies, procedures and processes to control access to Conveyor’s systems.
- Conveyor workforce members are granted least-privilege access to customer environments only when a specific business need arises.
- Access to the production environment requires strong multi-factor authentication (Time-Based One-Time Passwords or U2F).
Human Resources Security
- Workforce members undergo criminal background screening and professional reference checks before hire.
- All workforce members receive security and privacy awareness training when they join the company and annually thereafter.
Conveyor has policies and processes in place to ensure that we can continue to provide critical functions in the case of a disaster. Our infrastructure runs on systems that are fault tolerant to failures of individual servers. Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to increase availability.
Conveyor automatically performs nightly backups of production databases.
In the event of a potential security incident, Conveyor will notify any affected customer. Conveyor has incident management policies in place that define the handling of such events. If you believe you have identified an incident affecting the security or availability of the Conveyor platform, please contact firstname.lastname@example.org as soon as possible.