Edify.ai Security Policies. Updated July 30, 2020. For questions regarding security, email us at firstname.lastname@example.org.
Security of Customer Data
Protecting customer data is the top priority of edify.ai, and we use industry standard best-practices to safeguard your sensitive data.
Edify.ai’s security protocols are compliant with:
- ISO 27001:2013
- SOC2 Type 2
- Privacy Shield Certification Compliance
- Edify.ai’s next generation environment in Microsoft Azure is SOC 2 certified, in addition to Edify.ai’s implementation of Barracuda’s NextGen Firewall inside of Microsoft Azure.
Edify.ai Security Architecture
Edify.ai’s security architecture is designed to protect the confidentiality and integrity of all customer information that we host. We apply stringent, risk-adjusted security controls in layers ranging from facilities (physical security) to network infrastructure (network security), IT systems (system/host security) and information and applications (application security).
Edify.ai Security Controls and Policies
- Secure data centers – Edify.ai leverages Microsoft Azure as our datacenter provider. Microsoft Azure provides customers with the ability to view their SOC2 Type 2 report. Edify.ai further protects certain types of data with a Barracuda NextGen Firewall implemented inside of Microsoft Azure.
- Edify.ai’s Cloud Infrastructure is designed in accordance with best practices guidelines from Defense Security Services (DSS) and Payment Card Industry Data Security Standards (PCI).
- Security monitoring – Our networks and systems are continuously monitored for security issues. Security events are correlated for evaluation by our security team, using a Security Information and Event Management System (SIEM) tool.
- Strict access controls (both system and network) – Edify.ai enforces strict access control on all its systems. We perform regular internal audits and use automated tools to verify desired configurations.
- Everything is internally audited, including strong internal auditing in the form of SOC2.
- Strict ingress and egress points – Access to the application is restricted to ports 80/443. Edify.ai administration is limited to a small group of Edify.ai workers using a secure 2-factor VPN to access customer environments. All activity is logged.
- Hardened operating systems – All operating systems are configured to only use the minimal number of required services.
- Encryption – Edify.ai provides strong encryption for customers to use, which secures the Data in Transit (DIT) from the client side, to our core services.
- Separated services (web, database and storage) – All services are isolated and not shared, minimizing the risk of unintended data disclosure.
- Restricted access to customer data – Edify.ai’s access to customer data is highly restricted, and access requests by our support personnel follows a highly controlled and documented process. Before access is granted, employees must complete special security training to handle customer data.
- Logging and audit – All activity is logged in a protected system and is audited using automated tools.
- Incident and response – Edify.ai has an incident response process designed to handle customer data incidents.
- Training – All Edify.ai employees are required to participate in security training.
- Certified Security Personnel – Edify.ai’s Security team includes certified Information Security professionals with expertise in application, network and architecture security who help define our security policies and security controls. The Edify.ai security team is composed of professionals with graduate-level degrees, 25 years industry experience, and security certifications including CISSP, CISA, CRISC, ITIL v3, and DoD security clearance.
Edify.ai will be performing an annual security audit starting in 2021 by a respected third-party IT security audit agency. The unedited results of the audit are shared with customers and prospective customers upon signing a non-disclosure agreement. It is available by request by contacting your edify.ai representative.
Software Engineering Security Process
Security is continuously improved and tested throughout the Edify.ai product lifecycle. All new feature designs are audited for high-level security considerations, and feature implementations are checked for security flaws throughout development. Existing features are audited for security vulnerability regressions, and application-wide audits are performed to ensure that feature integration is secure. Third-party components used by Edify.ai are researched and monitored carefully for vulnerabilities. Edify.ai has a security team focused on application security testing, using both manual and automated methodologies.
Edify.ai maintains secure programming best practice documents based on OWASP requirements. Best-practice documents are updated on a regular basis to reflect current vulnerability knowledge, and also provide developers with real-world examples of previous programming mistakes and how to avoid them. Topics covered include input/output data sanitation, proper usage of authentication and authorization, avoiding information disclosure and secure file system (and other resource) usage.
Edify.ai performs a comprehensive security review of its product, based on OWASP standard methodologies.
Such tests include:
- Application discovery and reconnaissance
- Identification of weak point
- Penetration testing using tools and techniques that mimic malicious attackers
- Reporting of vulnerabilities
- Patch verification
- Application Security Process
- Security Assessment Policy
Edify.ai’s release readiness workflow includes continuous security tests and assessments. Manual and automated security tests are conducted at critical milestones, prior to public release. Security vulnerabilities discovered during these tests are then reviewed for criticality and assigned to Engineering for resolution. Based on criticality, the issue may be resolved prior to release, or addressed in a future update.
Edify.ai conducts continuous vulnerability scanning of our cloud and hosted environments, and has a Patch and Vulnerability Policy that provides oversight of our patching process. Edify.ai leverages US-CERT alerts, open source data and internal testing to identify potential vulnerabilities. Remediation efforts are prioritized based on the risk level calculated by the Common Vulnerability Scoring System (CVSS).
Edify.ai utilizes best-in-class security tools to monitor our environment, such as:
- Intrusion Detection Systems (IDS) monitoring
- Distributed Denial of Service (DDoS) detection and mitigation
- Security Information and Event Management (SIEM) logging and analysis
- Web Application Firewall (WAF)
- Application security scanning, using multiple products
Office 365 Communications Data Security and Information Transfer Process
Edify.ai uses meta data from Office 365 to provide deep insights on engagement, cross-team collaboration, and diversity and inclusion from across your organization. Following is the process of obtaining Office 365 meta-data:
- Your organization sets up a web service inside your Azure instance, and into which edify.ai publishes an Azure-approved app. You then go into that app and authenticate edify.ai into your Office 365 via a user created specifically for edify.ai. That user has limited, read-only privileges to header data and body data only, with no access to either view or download attachments.
- Once you authenticate the edify.ai user, edify.ai will start transferring data via secure and encrypted Azure point-to-site transmission directly into edify.ai’s Barracuda NextGen Firewall secured Azure instance.
- As each message is retrieved from your Office 365 instance, the web service immediately replaces any number in the body with an “X”—removing sensitive information that may exist in the body of a message. Thus, before messages even leave your Azure environment, all numbers are removed.
- The message is then sent via secure, 1024-bit encrypted point-to-site transmission from your Azure environment to edify.ai’s Azure environment inside of a Barracuda NextGen Firewall. The public/private keys used for transmission are generated at the time of compiling the edify.ai edify.ai web service and are unique to your organization.
- Once inside of edify.ai’s Azure environment, the message is immediately analyzed and processed and discarded. The analysis generates meta data about the message, including sentiment analysis for the message and for each entity in the message. Attached is a document showing the type of data stored about each message.
- Edify.ai does not store raw messages from Office 365 in any persistent storage location. The messages are immediately processed and discarded. Only the meta-data is stored.
- Edify.ai has architected compartmentalized and reactive security and protections by creating separate and isolated services for each step of the data extraction process. If any kind of intrusion happens, that service immediately shuts itself down and the intrusion is stopped. Each service has hardcoded restrictions about which services it can share data with. Any attempt to retrieve data from unauthorized sources causes the service to shut down immediately.