Security Assessments and Compliance
Envoyer’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Envoyer utilizes ISO 27001 and FISMA-certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: https://aws.amazon.com/security
Network and application security
Data Hosting and Storage
Envoyer services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-1) in the EU.
Failover and DR
Envoyer was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
Back Ups and Monitoring
Envoyer uses the AWS RDS automated backup solution for datastores that contain customer data. On an application level, we produce audit logs for all activity, ship logs to Logentries for analysis, and use S3 for archival purposes. All actions taken on production consoles or in the Envoyer application are logged.
From our instance images to our databases, each component is backed up to secure, access-controlled, and redundant storage. Our platform allows for recovering databases to within seconds of the last known state, restoring system instances from standard templates, and deploying customer applications and data. In addition to standard backup practices, Envoyer’s infrastructure is designed to scale and be fault tolerant by automatically replacing failed instances and reducing the likelihood of needing to restore from backup.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Envoyer is served 100% over HTTPS. Envoyer runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on Envoyer’s network. We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google, and AWS to ensure access to cloud services is protected.
All data sent to or from Envoyer is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.
All payments made to Envoyer go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
If you think you may have found a security vulnerability, please get in touch with our security team at [email protected]