We take the security of our customers data very seriously. Here at AllAnswered, we utilize comprehensive security technologies to maximize the safety and security of our customers information. This document shares the practices and policies we put in place regarding security for our paid subscribers.
Infrastructure
We are using Amazon Web Services (AWS) to host our servers, databases and storage. AWS is certified as a SOC 1 ISAE 3402, SOC 2, SOC 3, ISO 27001 and ISO 9001 compliant facility. For more information about AWS data center compliance, please refer to: http://aws.amazon.com/compliance/.
AllAnswered implemented network firewalls with Amazon Virtual Private Cloud (VPC) so that only permitted traffic is allowed to go through.
Data in transit and at rest
Data in transit over network are encrypted using industry standard Transport Layer Security and Secure Socket Layer (TLS/SSL) technology with advanced AES-256 encryption to prevent eavesdropping or man-in-the-middle attack (MITM). Storage at rest in production network is also encrypted with AES-256. All the keys are stored and managed on the server side.
User credentials are saved using PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by NIST. We also support Single Sign-On (SSO) with all major Identity Providers using industry standard SAML2.0 and Oauth protocol.
“User Content” refers to information, messages, documents and other data which are submitted by you through the use of our Service. User Contents are versioned and backed up regularly between physical locations to prevent data loss. All infrastructure changes are logged using Cloudtrail and archived for governance, compliance, operational auditing.
Neither AllAnswered, its employees, contractors nor agents will view your User Content except: (i) to maintain, provide or improve the Service; (ii) to help you and respond to your request related to your User Content, including support requests; (iii) to comply with or avoid the violation of applicable law or regulation (including to review and remove allegedly infringing Content in accordance with the DMCA), or to cooperate with law enforcement.
Authentication and authorization
To further reduce the risk of unauthorized access to customers data, AllAnswered requires multi-factor authentication for administrative access to systems. Direct access to production servers is over Secure Shell (SSH) with private keystore.
Access to infrastructure resources and applications is controlled based on roles and is limited to people who have the right permissions. The operations team has access to the necessary infrastructure in order to run our service. AllAnswered does not hire third party contractors to maintain its infrastructure.
Cookies and sessions
Once an individual user signs in to AllAnswered account, a session cookie will be stored that contains a specific security token used to identify the user. This cookie is used to re-authenticate the user before the user session expires. Signing out of the user's account will clear this cookie.
Most modern browsers automatically accept cookies, but you can change your browser settings to stop automatically accepting cookies or to prompt you before accepting cookies. Please note, however, that if you don’t accept cookies, you may not be able to access all features of our service.
Vulnerability Audits
AllAnswered operations team regularly updates our server Operation Systems, software, tools and libraries. Security patches are applied as they become available. Our security team undergoes comprehensive penetration testing every 6 months. Any vulnerabilities discovered have to be remediated within 30 days.
Uptime
AllAnswered supports uptime of 99.9% by adding redundancy throughout our infrastructure stack, including multiple instances in different availability zones to maintain a secure and reliable service for our customers.
Billing and PCI DSS compliance
Anyone involved with the processing, transmission, or storage of credit card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). AllAnswered does not store, process, or transmit card data directly. Instead, the credit card information is sent directly to Stripe, our payment partner, which is a PCI Level 1 Service Provider.
Export you data
You have complete control over your own data. If you want to backup them or take them somewhere else, you can export all content of each community in your team. The exported files are in comma separated CSV format.
Report a security vulnerability
If you discover a security issue in AllAnswered service, we ask that you report it to us confidentially in order to protect the security of our services. Please email the details to our security team at security@allanswered.com. Our security team will respond to confirm receipt of your message, review and plan the mitigation of the issue appropriately.