At MyAlice, we take security seriously! We map our security program to industry standards such as ISO 27001 and SOC II. We are constantly looking for ways to improve security, not only for our product but also in how we conduct business on a daily basis.
Security is one of the top priorities for MyAlice because it's fundamental to your experience with the product. Managing our customer data is more than just a responsibility to be met; it's something our company is truly passionate about. We do more than just follow policies and check boxes: we instill awareness and combine enterprise-grade security features with comprehensive audits of our applications, systems, and networks to ensure customer data is protected. All MyAlice employees are trained on security practices during company onboarding and on an annual basis.
MyAlice hosts all its software in Amazon Web Services (AWS) facilities in Singapore. Amazon provides an extensive list of compliance and regulatory assurances, including SOC II and ISO 27001. See Amazon's compliance and security documents for more detailed information. MyAlice employees do not have physical access to AWS data centers, servers, network equipment, or storage.
All of MyAlice's servers are located within MyAlice's own virtual private cloud (VPC), protected by restricted security groups that allow only the minimal required communication to and between the servers. Firewalls screen data coming in and out of computer networks, blocking unauthorized access and stopping traffic from unsafe internet sources. We also utilize intrusion detection systems in our production network and advanced email filtering in our corporate network to identify potential security threats.
Two Factor Authentication: To verify a user's identity, 2FA is enforced over phone and email, using the user's unique password together with randomly generated, constantly refreshing codes.
JWT Token: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. Each token has an expiration period of around 15 minutes, so any leaked JWT will cease to be valid fairly quickly.
IP Blocking: Certain IP addresses are blocked, a measure commonly used to protect against brute force attacks and to prevent access by a disruptive address.
Web application architecture and implementation follow OWASP guidelines. We regularly scan source code and systems for vulnerabilities and perform necessary patching and updates based on those results.
All connections to MyAlice are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit with AES 256 encryption. At end-of-life, AWS destroys disks per NIST 800-88 standards. We use industry-standard PostgreSQL, Elasticsearch and MongoDB data storage systems hosted at AWS and/or by the respective vendors.
Backup and Disaster Recovery
To curb system failures and keep both planned and unplanned downtime at bay, we employ a High Availability (HA) architecture. Our system design distributes workloads across multiple systems through load balancing, which helps optimize resource use, maximize output, minimize response times and avoid overburdening any one system. MyAlice keeps continuous encrypted backups of data in multiple regions on the AWS platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
Training and Awareness
MyAlice requires all employees and contractors to sign a confidentiality agreement prior to commencement. All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training. All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation.
Incident response plan
In case of a security incident, it's best to have a clearly defined plan and responsibilities. Below you will find more details regarding the response plan that MyAlice has in place in the unlikely case of a security breach.
Level 1: Depending on how the incident is reported or discovered, the first level is generally technical support, which is likely to triage and escalate the issue. Normally that role is reserved for whoever is on the level 1 tech support shift at the time.
Level 2: A senior engineer or the CTO, who classifies the impact of the security incident.
Level 3: A senior engineer or the CTO, who classifies the impact of the security incident.
Before escalating the incident to the next level, the person who first finds out about it needs to verify the incident and its initial impact.
Once the incident is verified, it should be escalated immediately to level 2 and then level 3, verbally, by phone, by email, or by whatever medium is available.
Once the incident is escalated, its rank/severity must be determined. Does it affect all customers? A single company? An individual? What type of data was affected, if any? Was it encrypted? If so, how?
Analyze all elements of the incident to identify all the causes or where a failure occurred, including the software, hardware, people, and internal processes.
Based on the result of the investigation, determine what could be done to prevent this attack and what defensive mechanisms failed, and take immediate action to remediate the cause and improve the future process. This information should also be public and posted on our public blog.
Vulnerability Disclosure Process
MyAlice considers privacy and security to be core functions of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, please reach out to us at email@example.com