We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. We physically separate the database instances from application servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well known Certificate Authorities (CAs). All personally identifiable information (PII) is encrypted while in transit as well as at rest using military grade encryption to ensure the security of user IDs and passwords. Intuo application passwords are hashed and even our own staff can’t retrieve them. A lost password must be reset.
The European Union’s General Data Protection Regulation (GDPR) is an unprecedented privacy regulation in terms of its breadth, depth, and impact. The GDPR will take effect on May 25, 2018, and we’re already compliant. In addition to being compliant, we've conducted a thorough Data Protection Impact Assessment (DPIA) of all our external suppliers and vendors. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Intuo have already undergone the necessary steps for an ISO27001 certification and is an ISO/IEC 27001:2013 certified organisation. Our public ISO27001 certificate can be found here. Our privacy team is well ahead of this deadline to meet and exceed these new requirements.
A few of the major GDPR changes:
Intuo’s products run on world class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. Our data centers are located in Frankfurt, Germany and data never leaves Europe. Amazon data centers provide physical security 24/7, state of the art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB and Yelp. Amazon maintains security certifications with:
Customer data is stored in multi-tenant datastores, we do not have individual datastores for each customer. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customers data. We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.
Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.
Only people who need access, get access. Production system access is limited to key members of the Intuo engineering team and use of passwords are expressly forbidden. We solely use public/private key pairs to authenticate with our servers.
Logging is a critical component to Intuo infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in realtime and over secure channels to a centralized logging service. This also allows our technical support and development teams to view logs without gaining access to the production systems.
We backup and test our systems, just in case. Production data is automatically backed up daily. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention for all systems is seven (7) days. Our production applications are deployed in multiple availability zones and leverage AWS MultiAZ technology which can sustain the loss of an entire data center in a region. In case of termination of the contract with a customer, we delete all customer and personal data within 30 days.