Security

Our infrastructure is designed to provide an extremely scalable, highly reliable platform for online referrals. It simultaneously supports tens of thousands of employees making referrals, sending messages, sharing jobs, and importing contacts from their social networks. Admins are provided with highly secure access to their referral program data and analytics, via both our web interface and our API.

Our data centers are hosted by Amazon Web Services (AWS). As such, AWS is primarily responsible for the confidentiality, integrity, availability, and physical security of our data centers.

Our application architecture, database encryption, and access are secured, controlled, audited, and monitored by our in-house engineers.

Our application infrastructure is built and managed according to security best practices and standards. We use redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24/7.

Network Security & Encryption

Our application communications are secured by 128-bit encryption, using the AES_128_GCM cipher with ECDHE_RSA key exchange over TLS (still commonly referred to as SSL, the Secure Sockets Layer). This ensures private communication between our servers and your devices.

Monitoring and Logging

We monitor our servers, databases, and network connections 24/7 to ensure stability, reliability, and security:

  • Deep visibility into API calls, including who made each call, what was called, when, and from where.
  • Log aggregation, streamlining investigations and compliance reporting.
  • Alert notifications when specific events occur or thresholds are exceeded.

Data Center Certifications

Our data centers are maintained by Amazon Web Services. As such, they are continuously audited with certifications from accreditation bodies across geographies and verticals, including:

  • ISO 27001. A widely recognized international security standard that requires the design and implementation of a comprehensive suite of security controls. Our certifying agent is EY CertifyPoint.
  • SOC 1/SSAE 16/ISAE 3402. SOC reports are completed to assure compliance with the ISAE 3402 security standards. While the ISAE standards apply specifically to professional accounting practices and their auditors, they still provide a strong.
  • PCI DSS Level 1. PCI DSS is a standard that specifies best practices and various security controls regarding cardholder data. Although most of our financial transactions are handled via invoices, we do process credit cards via stripe.com from time to time.

Network Protection

  • Perimeter firewalls and edge routers block unused protocols.
  • Internal firewalls segregate traffic between the application and database tiers.
  • Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.
  • A third-party service provider continuously scans the network from the outside and alerts on changes to the baseline configuration.

Backups

  • All data are backed up at each data center, on a rotating schedule of incremental and full backups.
  • The backups are cloned over secure links to a secure archive.
  • Backups are not transported offsite and are securely destroyed when retired.

Scalability

Our application is built for fast, on-demand scalability. Everything is built with enterprise level clients in mind, and we successfully serve many of the nation’s largest corporations.

Conclusion

For information about our security policy, privacy policy, or API documentation please email us at info@employeereferrals.com.
  • ISO 27001
  • SOC
  • PCI
  • CCPA
  • GDPR
  • Privacy Shield