You own your data. All data you upload as well as any data that is generated by our tools is owned by you. We don't claim any ownership of any data connected to you.
AES-256 encryption keeps your data safe at rest. Whenever data is transferred, TLS v1.2 is used to secure your data in transit.
None of the source code or data from your database leaves your machine. The source code analysis and the database analysis happen in your own environment. Only the generated data is uploaded.
We never store secrets in plain text. All secrets are encrypted and stored following industry best practices for management of cryptographic secrets.
We monitor all technologies used in our products and development cycle for updates and regularly deploy security patches and updated versions.
All changes to production systems are made with infrastructure-as-code tooling for both infrastructure and application deployments, following the industry best practices for infrastructure as code.
We strictly apply the principle of least privilege across all of our production systems. This means fine-grained access control at the authorization layer and the smallest possible public-facing network exposure.
We regularly conduct vulnerability scans and penetration tests both during development and in production to identify potential security issues.
We can configure a custom session timeout at your request.
Yes, we support role-based access with three roles: a ‘read’ role, a ‘write’ role, and an ‘admin’ role. The ‘admin’ role has full access to every API endpoint and UI view. The ‘write’ role is limited to a subset of API endpoints and views, but has access to the majority of the application. The ‘read’ role has limited access to certain API endpoints and UI views, and can only look up or access existing data; it can never create, modify or delete data.
The API requires a JSON Web Token (JWT) bearer token, issued through OAuth 2.0, to gain authorized access to the API.
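The two answers above describe the API's access control: a JWT must be presented, and the role it carries decides which endpoints and which operations are permitted. The following is an added example, not the vendor's code, showing how such a check is typically implemented: the token signature and expiry are verified first (with the algorithm pinned, so a token claiming `alg: none` or a tampered payload is rejected), then a deny-by-default policy maps the `read`/`write`/`admin` role to endpoints and HTTP methods. The shared secret, the endpoint paths, the `role` claim name and the HS256 choice are assumptions made for illustration.

```python
"""Added example (not the vendor's code): verify an HS256 JWT with the standard
library, then apply a deny-by-default three-role policy (read / write / admin)
to an API request. Secret, endpoint names and claim names are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret for the example only; production code loads it from a key store.
SECRET = b"example-shared-secret"


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)  # restore the padding JWT strips
    return base64.urlsafe_b64decode(s)


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_token(role: str, ttl: int = 3600, now=None) -> str:
    """Mint an HS256 JWT carrying a `role` claim (plays the part of the OAuth 2.0 issuer)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(
        {"sub": "user", "role": role, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: the token's own 'alg' header is attacker-controlled.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Policy table (assumed endpoints): which roles may touch each path at all.
# Paths not listed are denied to everyone except admin.
POLICY = {
    "/api/findings": {"read", "write", "admin"},
    "/api/projects": {"write", "admin"},
    "/api/users": {"admin"},
}
READ_ONLY_METHODS = {"GET", "HEAD"}


def authorize(role: str, method: str, path: str) -> bool:
    """Deny by default. admin: everything; write: listed endpoints, any method;
    read: listed endpoints, read-only methods (no create/modify/delete)."""
    if role == "admin":
        return True
    allowed = POLICY.get(path)
    if allowed is None or role not in allowed:
        return False
    if role == "read":
        return method in READ_ONLY_METHODS
    return role == "write"


def handle_request(token: str, method: str, path: str, now=None) -> int:
    """HTTP status for a request: 401 for a bad token, 403 for a policy denial, 200 otherwise."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return 401
    role = claims.get("role")
    if role not in {"read", "write", "admin"}:
        return 403
    return 200 if authorize(role, method, path) else 403
```

Two design points matter here: authentication failures (401) are decided before any policy lookup, so an expired or forged token never reaches the role table, and the table is an allow-list, so adding a new endpoint without a policy entry leaves it reachable only by admin rather than silently open.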
All data is owned by your company.
You can access the API at any time and extract all of your data without any approval or action required from us.
No, the complete analysis can be performed without any integration with source code or artifact repositories.
No, your source code stays inside your environment at all times.
All data is stored encrypted at rest using the industry standard AES-256 encryption algorithm.
We use TLS v1.2 for all communication.
Any data that is secret, or not meant to be shared with others, we treat as sensitive and mask in all of our logging.
All data can be retrieved without any permission or authorization from us. We will support you in doing so and confirm that you have done so before removing any data. After termination of service we destroy all data, including all backups, within 14 days.
Yes, we support and use audit logging on all application access and the related infrastructure. Our audit logs follow industry standards and record the minimum information needed to trace each action back to an actor.
We log all API requests.
Yes, all logs are stored encrypted in an isolated, read-only environment, which minimizes log access and keeps the logs immutable. The log storage environment is managed through infrastructure as code, so every change to it, and every grant of access to it, is fully auditable.
We provide a service level agreement of 99.5% guaranteed availability per contract year.
Yes, there is. We use automated service monitoring, so most issues are identified without any report from you. The escalation process for a missed SLA begins with email to firstname.lastname@example.org, is followed by Slack for real-time communication, and finally by telephone to +1 877 895 7179. Ask for ‘incident escalation’ to be connected to our Tier 3 support staff.
If the SLA is not met we provide a credit for the outage. The credit is the annual price of the software agreement, divided by 525 600 (the number of minutes in a year), multiplied by the number of minutes of unavailability beyond what the SLA allows. At 99.5% availability the allowed downtime is 0.5% of 8 760 hours, i.e. 43.8 hours per year. For example, if the annual agreement is $200 000 and the solution is unavailable for 72 hours over the year, the credit is (72 h − 43.8 h) × 60 min/h ÷ 525 600 min/year × $200 000 ≈ $643.84 for that year.
We give two weeks' notice of any scheduled maintenance that requires downtime, and we perform such maintenance outside business hours and on non-business days. Scheduled downtime is rarely needed; our current average is roughly once every 1.5 years.
We follow industry-standard practices for cryptographic asset management. All systems used to store cryptographic assets are either validated under, or in the process of being validated under, the FIPS 140-2 standard.
We practice and follow the industry best practices of continuous delivery of software.
All changes to any production systems go through our peer-reviewed change and release process, using automation tooling and audited systems to introduce all changes. It is this rigorous release process that allows us to both respond quickly to customer feature demands, while ensuring minimal service interruptions globally.
Our accounts are secured with multi-factor authentication, and credentials are rotated on a regular basis.