For Our Cloud Products
For terms not defined herein, please refer to our Terms of Service.
We employ strict policies and procedures covering the security, availability, processing integrity, and confidentiality of customer data.
Each of our staff members, whether an employee or independent contractor (in this document, the term "staff member" covers both employees and independent contractors), signs a confidentiality agreement and an acceptable use policy on induction, and then undergoes training in information security, privacy, and compliance. We evaluate their understanding through tests and quizzes to determine which topics need further training, and we provide training on specific aspects of security that staff members may require based on their roles.
We educate our staff members continually on information security, privacy, and compliance in our internal community where our staff members check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
Our internal systems are hosted by reputable providers such as Zoho Corp, and our product software services and applications are hosted on reputable cloud providers such as AWS, Google Cloud Platform and Microsoft Azure; as such, they benefit from those providers' network security, network redundancy, DDoS prevention, server hardening, and intrusion detection and prevention.
Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.
For our cloud products, our security framework, based on OWASP standards and implemented in the application layer, provides functionality to mitigate threats such as SQL injection, cross-site scripting (XSS) and application-layer denial-of-service (DoS) attacks.
In our cloud products, our framework distributes and maintains the cloud space for our customers. Each customer’s service data is logically separated from other customers’ data using a set of secure protocols in the framework. This ensures that no customer’s service data becomes accessible to another customer.
When you use our cloud products, your service data is stored on our servers. Your data is owned by you, not by us, and we do not share it with any third party without your consent. In our desktop products, we do not hold any of your service data.
In transit: In our cloud products, all customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This provides a secure connection by allowing the authentication of the parties involved and by encrypting the data transferred. Additionally, for email, our services use opportunistic TLS by default: where the peer mail server supports it, TLS encrypts mail in transit between servers, mitigating eavesdropping.
For our cloud products, we fully support Perfect Forward Secrecy (PFS) on our encrypted connections, which ensures that even if our long-term keys were somehow compromised in the future, previously captured communication could not be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections. This tells all modern browsers to connect to us only over an encrypted connection, even if you type the URL of an insecure page at our site. Additionally, on the web we flag all our authentication cookies as Secure.
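The two browser-side controls described above, an HSTS header and the Secure flag on authentication cookies, are easy to verify from a captured HTTP response. The following is an added example written for this page, not Assyst's own code: it audits a raw response header block for a Strict-Transport-Security header with a sufficiently long max-age and for the Secure attribute on every Set-Cookie, and runs offline against constructed sample responses. The one-year minimum max-age is an assumed baseline, not a value stated on the page.

```python
"""Audit an HTTP response header block for the transport-security properties
discussed above: an HSTS header with an adequate max-age, and the Secure flag
on every cookie. Sample responses are constructed for illustration; no network
access is performed. This is example code, not Assyst's implementation."""
from typing import Dict, List, Set, Tuple

# Assumed baseline: browsers commonly expect at least one year (in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs; names are lowercased.
    The status line (no colon, starts with HTTP/) is skipped."""
    headers: List[Tuple[str, str]] = []
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=N; includeSubDomains' into a directive dict."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def cookie_attributes(set_cookie: str) -> Tuple[str, Set[str]]:
    """Return the cookie name and the lowercased set of attribute names."""
    pieces = [p.strip() for p in set_cookie.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in pieces[1:] if p}
    return name, attrs


def audit(raw: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings: List[str] = []
    headers = parse_headers(raw)

    hsts_values = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts_values:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts_values[0])
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or non-numeric max-age is treated as too short
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")

    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure flag")
    return findings


# Constructed sample responses (not captured from any real service).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=dark; Path=/; Secure
"""

SHORT_HSTS_RESPONSE = HARDENED_RESPONSE.replace("max-age=31536000", "max-age=300")

if __name__ == "__main__":
    for label, resp in [("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
                        ("short-hsts", SHORT_HSTS_RESPONSE)]:
        print(label, audit(resp) or "OK")
```

The same check can be pointed at a real deployment by pasting the header block from a browser's network inspector into `audit()`; a non-empty result is a configuration gap to fix on the server, since a cookie without Secure can be sent over plaintext HTTP and a missing or short HSTS policy leaves the first request open to downgrade.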
At rest: In our cloud products, Personally Identifiable Information (PII) in customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES-256). Which data is encrypted at rest varies with the services you opt for. We maintain the keys using an industry-standard key management service (KMS).
In our cloud products, we hold the data in your account for as long as you choose to use Assyst's services. Once you terminate your Assyst user account, your data will be deleted or anonymised from the active database during the next clean-up, which occurs once every six to twelve months. Data deleted from the active database will be deleted from backups after three months. If your unpaid account is inactive for a continuous period of three calendar months, we reserve the right to terminate it after giving you prior notice and the option to back up your data.
Two-factor authentication provides an extra layer of security by requiring an additional verification factor that the user must possess, in addition to the password. This greatly reduces the risk of unauthorised access if a user's password is compromised.
We employ technical access controls and internal policies to prohibit staff members from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Access to production environments is managed through a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, such access is made through a separate network with stricter rules and hardened devices. Additionally, we log all operations and audit them periodically.
In our cloud products, we run incremental backups every day and full backups of our databases weekly. Backup data in the DC is stored in the same location and encrypted with AES-256. All backed-up data is retained for a period of 30 days. If a customer requests data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.
From your end, we strongly recommend scheduling regular backups of your data by exporting it from the respective Assyst services and storing it locally in your own infrastructure.
Our systems and data are hosted with reputable cloud providers such as AWS, Google Cloud Platform and Microsoft Azure and we benefit from their disaster recovery and business continuity platform.
We will notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond with high priority to the security or privacy incidents you report to us through [email protected]. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organisation, we will notify the concerned party by email (to the primary email address of the organisation administrator registered with us).
As a data controller, we notify the concerned Data Protection Authority of a breach within 72 hours of becoming aware of it, as required by the General Data Protection Regulation (GDPR). Depending on the specific requirements, we also notify the affected customers when necessary. As a data processor, we inform the concerned data controllers of a breach without undue delay after becoming aware of it.
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering service to us and performing risk assessments. We take appropriate steps to maintain our security stance by establishing agreements that require vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the vendors' processes and security measures by conducting periodic reviews of their controls.
So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end:
To learn more about how you can work with Assyst to achieve a secure cloud environment, read our resource on Shared Responsibility. We provide a thorough analysis on the shared responsibility model and how both our customers and Assyst can collaborate as well as take up individual responsibility towards cloud security and privacy.
Security of your data is your right. We will continue to work hard to keep your data secure. For any further queries on this topic, take a look at our Security FAQs or write to us at [email protected].