ada.support - Security

Ada — Security

Ada.support Spined HTML

Ada — Security Product CustomersWell-nighSchedule a Demo Product CustomersWell-nighBlog Careers Terms of Service Schedule a Demo © 2018 Ada Support Inc. Security Thank you for trusting Ada with your customers’ personal data. We take this responsibility very seriously and make every effort to be transparent and shielding when handling this data on your behalf. Ada uses industry standard technologies and services to secure your data from unauthorized access, disclosure, inappropriate use, and loss of access. We ensure that the security policies of all our subprocessors are documented and up-to-date with industry compliance standards where required (PCI, GDPR, etc). Security at Ada is overseen by our Data Protection Officer and carried out by our unshortened team. Vulnerability Disclosure If you would like to report a vulnerability, please contact security@ada.support with a proof of concept, list of tools used, and the output of the tools. If a security disclosure is received, we will work quickly to reproduce each vulnerability to verify its status surpassing taking the steps needed to remedy. Compliance and Certification PCI DSS Ada’s payment and vellum information in the Ada Dashboard is handled by Stripe, which has been audited by an self-sustaining PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider. Ada has been certified as a PCI Level 1 Merchant by an independant PCI Qualified Security Assessor. Ada will provide a reprinting of an Attestation of Compliance (AOC) upon request to Enterprise customers. GDPR Ada is compliant with the GDPR. If you have customers who reside in the European Union and use Ada then we recommend that you sign a Data ProcessingTry-on(DPA) with Ada. This document is a contractual try-on that recognizes Ada as stuff GDPR compliant and makes your organization GDPR-compliant when it comes to using Ada as a sub-processor. We provide our DPA as a self-serve document here. In an effort to provide the weightier security for all our customers when it comes to personal information, Ada treats all data as if it is unseat by GDPR regulation. Any person (including EU residents) wishing to submit a personal data request to Ada may do so by sending an email to privacy@ada.support explaining their data request. Infrastructure and Network Security Servers Ada infrastructure is hosted on Amazon Web Services (AWS). The AWS data centers are equipped with multiple levels of physical wangle barriers, that include: Alarms Outer Perimeter Fencing that is crash-rated for vehicles ElectronicWangleCards Video Surveillance Internal Trip-Lights For increasingly information on AWS Security features, you can refer to this whitepaper. Ada employees do not have physical wangle to AWS data centers, servers, network equipment, or storage. The location of the AWS servers where we run our infrastructure depends on where your bot is deployed Subdomain Location <bot>.ada.support N. Virginia, U.S.A <bot>.ca.ada.support Montreal, Canada We are not worldly-wise to provide the word-for-word physical write of the data centre as Amazon has historically been quite reticent in publishing location information of their facilities for security reasons. We currently run Ubuntu 18.04 on all our servers and use a combination of streamlined and transmission inspection to determine if new vulnerabilities are introduced in the software packages on our systems. We use AWS Inspector on a weekly scanning routine to automatically zestful to new security vulnerabilities. Our Infrastructure team ingests these alerts and prioritizes remediation equal to our internal Security Vulnerability Identification documentation. LogicalWangleControl Ada has full tenancy over all its infrastructure on AWS, and only authorized Infrastructure Team members at Ada have wangle to configure infrastructure when needed in order to add new functionality, or respond to incidents. All wangle required for tenancy of infrastructure has mandated two-factor (2FA) authentication. The levels of passport for infrastructure components is mandated by the principle of least privilege. Penetration Testing Ada undergoes grey box penetration testing conducted by an independant third-party organ on an yearly basis. For grey box penetration testing, Ada will provide the organ with an overview of using tracery and information well-nigh system endpoints. Information well-nigh any security vulnerabilities successfully venal through penetration testing is used to set mitigation and remediation priorities. Third-Party Audit Amazon Web Services undergoes third-party self-sustaining audits and can provide verification of compliance controls for its infrastructure. This includes, but is not limited to, ISO 270001, SOC 2, and PCI. Intrusion Detection It’s important to know when suspicious worriedness is occurring on Ada's infrastructure. We employ Intrusion Detection and Prevention systems (IDS/IPS) on each host under our control. This notifies us on worldwide zestful channels whenever suspicious worriedness may occur. Our infrastructure team will trammels each alert, investigate the activity, and then respond accordingly. Business Continuity and Disaster Recovery High Availability Every part of the Ada service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the specimen of failure. All our deploys are zero-downtime deploys using Kubernetes, and we implement gradual rollout and rollback of services in the specimen of deployment errors. Business Continuity Ada keeps continuous backups of our production databases using the MongoDB Atlas Fully Managed Backup Service. These backups are typically just a few seconds overdue the operational system¹, permitting us to restore hands to any time in the last 24 hours in the specimen of data self-indulgence or loss. Disaster Recovery Ada stores all infrastructure as lawmaking and as such is worldly-wise to bring up well-constructed copies of production and staging environments quickly (currently < 12 hours and unchangingly improving!). In the event of a well-constructed region-wide outage, the Ada Infrastructure Team will bring up a indistinguishable environment in a variegated AWS region. Data Flow Data into System Ada provides an embeddable web window for use on our clients’ websites for users to interact with a client's personal chatbot. This yack window will send data when to Ada's APIs over TLS 1.2 or greater. The yack window resources use a subresource integrity (SRI) trammels to ensure that the files fetched from our CDN are cryptographically verified to prevent Man-In-The-Middle attacks. Data through System Data is sent from end-user yack platforms to the Ada backend via TLS 1.2. All data is AES-256 encrypted at rest. Ada's latest SSL Labs Report can be found here. Data out of System Ada maintains intelligent network firewall rules at the infrastructure level that limit the surface for data extraction. We scrutinize our preferred partners and integrations to ensure that they comply with necessary security regulations (GDPR, PCI, etc), surpassing transferring data for processing. Data Security and Privacy Data Encryption All data in Ada servers is automatically encrypted at rest using AWS EBS Encryption using Ada’s master encryption key stored in AWS Key Management Service. All volumes are encrypted in AWS using the industry-standard AES-256 algorithm. Ada only overly sends data over TLS 1.2 or greater, and never downgrades connections to insecure early TLS methods like SSLv3 or TLS 1.0. Data Removal Data may be retained without termination of service equal to specification within our main consumer contract. If data is kept without termination of service for machine learning training purposes Ada will scrub all personally identifiable information (PII) from consumer data. This includes, but is not limited to, usernames, emails, phone numbers, credit cards, IPs. PII Scrubbing Ada currently supports redaction of personal information. If you would like this enabled for your bot, please contact your consumer success representative.UsingSecurity Two-FactorHallmarkIn wing to password login, two-factor hallmark (2FA) provides an widow layer of security to Ada via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data wangle from intruders. Ada supports 2FA for all user accounts. 2FA can be enabled for a user in the Profile section of the Ada dashboard. Audit Controls In the settings page, we include anWorriednesssection where dashboard Owners and Administrators can view the editing history of Agents. This is listed chronologically so you'll have insight into the organization's most recent worriedness within the Ada dashboard. SecureUsingDevelopment Ada practices continuous delivery, which ways all lawmaking changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous wordage methodology, complemented by pull request reviews, continuous integration (CI), streamlined security scanning, and streamlined error tracking, significantly decreases the likelihood of a security issue and improves the midpoint response time to security vulnerabilities. Internally, Ada enforces at least one authorized reviewer for all lawmaking changes, and deployments to our production environment are gated under condition that all lawmaking is reviewed. Corporate Security Risk Management Ada uses the NIST CyberSecurity Framework (CSF) to guide and manage our cybersecurity-related risks. The NIST CSF is a policy framework that was ripened by the U.S National Institute of Standards and Technology to help private sector organizations asses and modernize their worthiness to prevent, detect, and respond to cyber attacks. Ada enforces at least one authorized reviewer for all lawmaking changes, and deployments to our production environment are gated under condition that all lawmaking is reviewed. All lawmaking changes must go through a series of streamlined security scans surpassing stuff deployed to production. Security Policies Ada maintains internal copies of security documentation, which are updated on an ongoing understructure and reviewed annually for gaps: Information Security Policy Risk Management Framework Incident Response Plan Security Vulnerability IdentificationPreliminariesChecks Ada conducts a mandatory preliminaries trammels and reference trammels for all employees prior to joining our team. Security Training Ada enforces a mandatory security training program for all new and existing Ada developers that must be completed annually. This security training covers the OWASP Top 10 in specific programming languages that the developer uses. Disclosure Policy In the event of a data breach, Ada defers to GDPR regulations, which maintains that customers shall be notified within 72 hours of a data breach, where feasible. Ada maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page. We save time, reduce cost, and modernize your consumer experience. © 2018 Ada Support Inc.Well-nighAdaWell-nighBlog Careers Security Press Kit Status Terms of Service Privacy Policy Newsletter Get updates, new features, and resources straight to your inbox. © 2018 Ada Support Inc. Schedule a demo and try Ada for self-ruling Fill out the form unelevated and we’ll coordinate a personalized demonstration.