ATIPICA SECURITY POLICY
Last updated: 8/27/2019
General Data Security
We use Amazon Web Services (AWS) to store and serve all our applications; no data is stored on-premises. The AWS cloud infrastructure meets several global security compliance requirements; see their compliance and security pages for more information: https://aws.amazon.com/compliance. Access to the AWS management console is restricted to authorized users in our company. We also regularly monitor server logs to identify unusual usage or unauthorized access attempts.
Data Security in Motion
Most of our services that manage client data communicate over our internally secured network, which is protected with network access control lists and security groups (firewalls). Some of our services also send data over the internet; in all of those cases the services communicate over encrypted connections (SSL).
Data Security and Segregation at Rest
To provide the utmost security and privacy of our client data, we maintain dedicated databases and server instances per client in what we call a “client silo”. Client data is never shared between clients. In addition to encrypting API traffic from your ATS, Atipica encrypts all internal traffic. All our databases are encrypted and protected using industry-standard AES-256 encryption.
When a client decides to end their contract with us, all computing services within their “client silo” are stopped and removed from service, and all ingested data (including Personal Data) used to create the Atipica Platform is removed according to the Atipica "Removal of Customer Data Policy" (provided to clients).
Data security is a top priority for Atipica. All communication through the ATS API is encrypted using Transport Layer Security (TLS) 1.2 for HTTPS encryption, which is authenticated by AES-256 bit encryption.
User passwords are never stored in plain text. All passwords are hashed using bcrypt, a password hashing algorithm.
Disaster Recovery and Incident Response
In the unlikely event of a data loss or integrity issue, we maintain periodic snapshots of all databases, which limits operational downtime. If such an event occurs, we will communicate with you and let you know when operations have resumed as expected.
We have penetration tests and audits conducted by accredited third-party vendors. We also use automated security assessment tools such as AWS Inspector and GuardDuty to monitor and manage vulnerabilities.
Atipica is a data processor that is fully compliant with the GDPR. As a data processor, we process and host Personal Data obtained from our clients (“Client Data”) to provide them with the Atipica HR analytics platform. In that context, we only process Personal Data on behalf of and with instructions from our clients, which are data controllers.
Atipica employees maintain strict password protocols for all company-related logins, using password management software with authentication and encryption, together with 2-factor authentication. Database access and permissions are limited based on an employee’s role and granted as needed for troubleshooting or customer support. Client data is never permanently stored on employee computers; long-term documents containing client data are stored in company-specific, secured online vaults. All employee computers are encrypted with macOS FileVault 2 (AES-128) and come with anti-virus software. All employees also go through security training during onboarding.