Q: How is employee access managed and regulated? What kind of regular reviews and audits are done on privileged user account use and access levels?
A: We maintain automatic access and security logs in multiple locations. All AskCody employees are required to use two-factor authentication and strong, unique passwords that are not reused from other services. Customer data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication. Individual employee access follows a principle of least access, and access rights are reviewed quarterly.
Q: How do your systems and data architecture ensure the integrity and isolation of the client's data in a multi-tenant environment?
A: AskCody is delivered as a modern, generic Software as a Service built on a multi-tenant solution. Data is, however, separated logically based on UUIDs, so each customer's data is kept separate from and secured against other customers' data.
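As an added illustration, not AskCody's own code (the page does not show its data layer), here is what logical separation by tenant UUID looks like when it is enforced at the data-access layer. The store, record type and request principal are hypothetical; the point is that every read and write is scoped to the tenant UUID carried by the authenticated session, so a record id guessed from one tenant cannot retrieve another tenant's row.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Hypothetical tenant-scoped store standing in for a SaaS data layer. Records
// live in a per-tenant map keyed by the tenant's UUID, so there is no lookup
// path that is not already scoped to exactly one tenant.

var (
	ErrNoTenant = errors.New("request carries no tenant id")
	// The same error is returned whether the id is unknown or belongs to
	// another tenant, so a caller cannot probe for other customers' ids.
	ErrNotFound = errors.New("record not found")
)

// Record is one customer-owned item.
type Record struct {
	TenantID string
	ID       string
	Body     string
}

// Principal is what the authenticated session resolves to. The tenant UUID is
// taken from the session, never from a request parameter a caller could edit.
type Principal struct {
	TenantID string
}

// Store partitions records by tenant UUID.
type Store struct {
	mu   sync.Mutex
	data map[string]map[string]Record // tenant UUID -> record id -> record
}

func NewStore() *Store {
	return &Store{data: make(map[string]map[string]Record)}
}

// NewUUID returns a random version-4 UUID in canonical 8-4-4-4-12 form.
func NewUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// Put writes a record into the caller's own tenant partition.
func (s *Store) Put(p Principal, id, body string) error {
	if p.TenantID == "" {
		return ErrNoTenant // fail closed rather than fall back to a shared partition
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	part, ok := s.data[p.TenantID]
	if !ok {
		part = make(map[string]Record)
		s.data[p.TenantID] = part
	}
	part[id] = Record{TenantID: p.TenantID, ID: id, Body: body}
	return nil
}

// Get looks up an id inside the caller's tenant partition only. A valid id that
// belongs to another tenant is indistinguishable from a missing one.
func (s *Store) Get(p Principal, id string) (Record, error) {
	if p.TenantID == "" {
		return Record{}, ErrNoTenant
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.data[p.TenantID][id] // indexing a nil inner map is safe in Go
	if !ok {
		return Record{}, ErrNotFound
	}
	return rec, nil
}

// Count reports how many records are visible to the caller's tenant.
func (s *Store) Count(p Principal) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.data[p.TenantID])
}

func main() {
	tenantA, _ := NewUUID()
	tenantB, _ := NewUUID()
	s := NewStore()
	_ = s.Put(Principal{TenantID: tenantA}, "room-1", "tenant A booking")
	_ = s.Put(Principal{TenantID: tenantA}, "room-9", "tenant A only")
	_ = s.Put(Principal{TenantID: tenantB}, "room-1", "tenant B booking") // same id, other tenant
	rec, _ := s.Get(Principal{TenantID: tenantB}, "room-1")
	fmt.Println(rec.Body) // tenant B booking: only B's partition was consulted
	_, err := s.Get(Principal{TenantID: tenantB}, "room-9")
	fmt.Println(err) // record not found, although tenant A holds a "room-9"
}
```

Partitioning by tenant first, rather than keeping all records in one collection and adding a tenant filter to each query, means a forgotten filter cannot leak across tenants; and returning the same error for "belongs to another tenant" and "does not exist" avoids an existence oracle on other customers' record ids.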
Q: Is customer data encrypted at rest? What type of encryption is used and how are keys managed?
A: All data at rest is encrypted using best-practice encryption algorithms (AES-256).
Public Key: AES-256
Private Key: RSA-2048
Q: How are Exchange credentials managed and encrypted?
A: We leverage Azure Key Vault with end-to-end encryption when credentials are used by the application. Please see the further description in DPA Appendix 6.
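The two answers above list AES-256 for data at rest alongside an RSA-2048 key, with credential key material handled in Azure Key Vault. AES-256 is a symmetric cipher, so the usual way those pieces fit together is envelope encryption: each stored item is encrypted with a fresh AES-256 key, and that key is wrapped with the RSA-2048 key whose private half never leaves the vault. The following is an added example of that pattern, not AskCody's implementation, and reading the page's key list as envelope encryption is an assumption. The RSA key is generated locally so the example runs offline (standing in for the vault), and the OAEP label and the tenant-id used as associated data are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Hypothetical envelope encryption for a stored credential. The RSA-2048
// private key is assumed to live in a KMS (Azure Key Vault on this page); it
// is generated locally here only so the example runs offline.

var oaepLabel = []byte("example-dek-wrap") // arbitrary domain-separation label for this example

// Envelope is the stored form: wrapped per-record data key plus AES-256-GCM ciphertext.
type Envelope struct {
	WrappedDEK []byte // 32-byte AES key encrypted to the vault public key with RSA-OAEP(SHA-256)
	Nonce      []byte // 12-byte GCM nonce; the data key is single-use, so it never repeats under that key
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// NewLocalKMSKey stands in for a key pair created and held by the vault.
func NewLocalKMSKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext under a fresh random AES-256 key and wraps that key
// to pub. aad (here the owning tenant id) is authenticated but not encrypted,
// so an envelope copied into another tenant's row fails to open there.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Envelope{}, err
	}
	defer zero(dek) // plaintext key leaves memory as soon as it has been wrapped
	aead, err := newAEAD(dek)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the data key with the private key (the vault's unwrap
// operation), then authenticates and decrypts the payload.
func Open(priv *rsa.PrivateKey, env Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong key or corrupted wrapped key")
	}
	defer zero(dek)
	aead, err := newAEAD(dek) // aes.NewCipher rejects a wrong-length key
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("bad nonce length") // GCM panics on this, so check first
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, nonce or aad was altered")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	priv, _ := NewLocalKMSKey()
	tenant := []byte("tenant-uuid-a")
	env, _ := Seal(&priv.PublicKey, []byte("svc-exchange@example.com:S3cret"), tenant)
	pt, _ := Open(priv, env, tenant)
	fmt.Println(string(pt))
	_, err := Open(priv, env, []byte("tenant-uuid-b")) // envelope moved to another tenant's row
	fmt.Println(err)
}
```

In production the two calls that touch the private key (EncryptOAEP is public-key only, DecryptOAEP is not) become vault wrap/unwrap requests, so the application process only ever holds a per-record data key for the duration of one operation, which is the property "end-to-end encryption when credentials are used by the application" points at.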
Q: Is customer data protected in transit? How?
A: All data in motion are encrypted using TLS 1.2+.
Q: Is data protected in backups? How?
A: Yes, AES-256.