ATIPICA SECURITY POLICY
Last updated: 5/23/2018
We use Amazon Web Services (AWS) to host and serve all our applications. The AWS cloud infrastructure meets several global security compliance requirements; see their security pages for more information: aws.amazon.com/compliance/. Access to the AWS management console is restricted to authorized users in our company. We also regularly monitor server logs to identify unusual usage or unauthorized access attempts.
Data Security in Motion
Most of our services that manage client data communicate over our internal private network, which is protected with network access control lists (ACLs) and security groups (firewalls). Some of our services also send data over the internet; in all such cases they communicate over encrypted TLS (HTTPS) connections.
Data Security and Segregation at Rest
To provide the utmost security and privacy of client data, we maintain dedicated databases and server instances per client in what we call a "client silo". Client data is never shared between clients. In addition to encrypting API traffic from your ATS (applicant tracking system), Atipica encrypts all internal traffic. All our databases are encrypted at rest using industry-standard AES-256.
When a client contract ends, all computing services within their "client silo" are stopped and removed from service, and all historically ingested data (including Personal Data) used by the Atipica Platform is deleted according to the Atipica "Removal of Customer Data Policy" (provided to clients).
Data security is a top priority for Atipica. All communication through the ATS's API is encrypted with Transport Layer Security (TLS) 1.2 over HTTPS, using AES-256 cipher suites.
User passwords are never stored in plain text. All passwords are hashed with bcrypt, a salted and deliberately slow password hashing algorithm, so the original password cannot be recovered from the stored value.
In the unlikely event of data loss or an integrity issue, we maintain daily snapshots of all databases, retained for 7 days. This bounds data loss to the changes made since the most recent daily snapshot and keeps operational downtime limited.
Atipica is a data processor that is fully compliant with the GDPR. As a data processor, we process and host Personal Data obtained from our clients (“Client Data”) to provide them with the Atipica HR analytics platform. In that context, we only process Personal Data on behalf of and with instructions from our clients, which are data controllers.
Atipica employees follow strict password protocols for all company-related logins, using a password manager and two-factor authentication. Database access and permissions are limited based on an employee's role. Client data is never permanently stored on employee computers; long-term documents containing client data are stored in company-controlled, secured online vaults. All employee computers are encrypted with macOS FileVault 2 (AES-128).