Awarathon Security Policy
Overview
Our security strategy involves the following components:
- Organizational security
- Physical security
- Infrastructure security
- Data security
- Identity and access control
- Operational security
- Incident management
Organizational security
We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.
1. Employee background checks
Each employee undergoes background verification. We do this to check their criminal record, previous employment history (if any), and educational background. Until this check is complete, the employee is not assigned tasks that may pose a risk to users.
2. Security Awareness
Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles. We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
3. Dedicated security and privacy teams
We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.
4. Internal audit and compliance
We have a dedicated compliance team to review procedures and policies in Awarathon, align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties. We are ISO/IEC 27001 certified which is one of the most widely recognized independent international security standards. This certificate is awarded to organizations that comply with ISO’s high global standards. Awarathon has earned ISO/IEC 27001:2022 certification for Applications, Systems, People, Technology, and Processes and we are also SOC-2 compliant.
For more details, check out our ISO Certificate.
5. Endpoint security
All workstations issued to Awarathon employees run up-to-date OS versions and are configured with anti-virus software. They must comply with our security standards, which require every workstation to be properly configured, patched, and tracked and monitored by Awarathon's endpoint management solutions. These workstations are secure by default: they encrypt data at rest, require strong passwords, and lock when idle.
Physical security
1. At workplace
We control access to our buildings, infrastructure, and facilities, including CCTV-monitored areas, using access cards that govern entry to and use of each resource. Different access cards are issued to employees, contractors, vendors, and visitors, each granting access strictly aligned with the purpose of the visit. The Human Resources (HR) team defines and updates the role-specific access purposes. Access logs are maintained to monitor and address any anomalies.
2. Monitoring
We monitor all entry and exit activity across our premises, including business centers, using CCTV cameras installed in compliance with local regulations. Backup footage is retained for a specified duration, based on the requirements of each location.
Infrastructure security
Awarathon is hosted on Amazon Web Services (AWS) cloud infrastructure, and we build on the security processes and controls AWS provides.
1. Network security
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to protect our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Awarathon production infrastructure.
2. System redundancy
Our platform is designed with redundancy at every level. We use a distributed grid architecture to protect our system and services from individual server failures. In the event of a server failure, users can continue without disruption, as their data and Awarathon services remain accessible. Additionally, we deploy multiple switches, routers, and security gateways to provide redundancy at the device level, eliminating single points of failure within the internal network.
3. Intrusion detection and prevention
Our intrusion detection mechanism combines host-based signals from individual devices with network-based signals from monitoring points within our infrastructure. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine-learning models built on top of this data alert security engineers to possible incidents. At the Internet Service Provider (ISP) level, a multi-layered approach of scrubbing, network routing, rate limiting, and filtering handles attacks from the network layer up to the application layer. This provides clean traffic, a reliable proxy service, and prompt reporting of any attacks.
Data security
1. Secure by design
Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.
2. Data isolation
Our framework provisions and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data by the framework's tenant isolation controls, so that no customer's service data becomes accessible to another customer. Your service data is stored on our servers when you use our services. That data is owned by you, not by Awarathon, and we do not share it with any third party without your consent.
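To make the logical-separation requirement concrete, the following is an added illustration written for this page; it is not Awarathon's framework code, and the table layout, tenant names and records are constructed. It contrasts a lookup by record id alone (which lets any caller who can guess an id read another tenant's row) with a lookup that carries the authenticated session's tenant as a predicate on every query, so a foreign id simply does not exist from that tenant's point of view.

```python
import sqlite3

# Constructed sample data for the illustration: two tenants, three records.
SEED_ROWS = [
    (1, "acme", "Q3 sales playbook"),
    (2, "acme", "Onboarding script"),
    (3, "globex", "Pricing objections"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database shaped like a minimal multi-tenant store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def get_record_unscoped(conn: sqlite3.Connection, record_id: int):
    """Looks up by primary key only. Nothing ties the row to the caller's
    tenant, so guessing an id is enough to read another customer's data."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM records WHERE id = ?", (record_id,)
    ).fetchone()


def get_record_scoped(conn: sqlite3.Connection, tenant_id: str, record_id: int):
    """Every query carries the tenant of the authenticated session as a
    predicate; a row belonging to another tenant is indistinguishable from
    a row that does not exist."""
    if not tenant_id:
        # Refuse to run without a tenant context rather than silently
        # falling back to an unscoped query.
        raise ValueError("tenant context is required")
    return conn.execute(
        "SELECT id, tenant_id, title FROM records WHERE id = ? AND tenant_id = ?",
        (record_id, tenant_id),
    ).fetchone()


def list_records(conn: sqlite3.Connection, tenant_id: str):
    """Listing is scoped the same way, so a tenant never sees foreign rows."""
    if not tenant_id:
        raise ValueError("tenant context is required")
    return conn.execute(
        "SELECT id, title FROM records WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()


def demo():
    """A 'globex' user asks for record 1, which belongs to 'acme'."""
    conn = make_db()
    leaked = get_record_unscoped(conn, 1)          # acme's row is returned
    denied = get_record_scoped(conn, "globex", 1)  # None: not visible to globex
    return leaked, denied


if __name__ == "__main__":
    leaked, denied = demo()
    print("unscoped lookup returns:", leaked)
    print("scoped lookup returns:  ", denied)
```

The scoped form is the one to require in code review: the tenant id comes from the session, never from a request parameter, and no data-access function accepts a record id without it.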
3. Encryption
A) In transit: All customer data transmitted to our servers over public networks is protected with Transport Layer Security (TLS). We require TLS on every connection, including web access, API access, our mobile apps, and SMTP email client access. TLS authenticates our servers to the connecting client (and the client to the server where client certificates are used) and encrypts the data in transit.
B) At rest: Sensitive customer data at rest is encrypted using a modern, industry-standard symmetric cipher. (DES, whose effective key is only 56 bits, is obsolete and does not meet this bar.) See our data encryption documentation for further details.
4. Data retention and disposal
We hold the data in your account for as long as you choose to use Awarathon Services. Once you terminate your Awarathon account, your data is deleted from the active database during the next clean-up, which occurs once a year.
Identity and Access control
1. Single Sign-On (SSO)
Awarathon offers single sign-on (SSO), which lets users access multiple services using the same sign-in page and authentication credentials. Signing in to any Awarathon service requires either valid login details or SSO. We also support Ping for single sign-on, which lets customers integrate their company's identity provider. SSO simplifies the login process, supports compliance, provides effective access control and reporting, and reduces password fatigue, and hence the risk of weak passwords.
2. Multi-Factor Authentication
Multi-factor authentication (MFA) provides an extra layer of security by requiring an additional factor, such as something the user possesses, in addition to the password. This greatly reduces the risk of unauthorized access if a user's password is compromised.
3. Administrative access
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure. Access to production environments is managed through a central directory and authenticated using strong passwords combined with two-factor authentication. All operations are logged and audited periodically.
Operational security
1. Logging and Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information as event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are monitored and analyzed automatically to identify anomalies such as unusual activity in employees' accounts or attempts to access customer data. We store these logs on a secure server isolated from full system access, to manage access control centrally and ensure availability. Detailed audit logging covering all update and delete operations performed by users is available to customers in every Awarathon service.
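The intrusion-detection and logging sections above describe rules applied to logged privileged commands, administrative access and account activity. The following is an added example written for this page, not Awarathon's detection code: a small rule set run over constructed JSON-lines audit events. The event schema, the admin allow-list and the thresholds are assumptions chosen for the illustration. It flags sudo by accounts outside the allow-list, escalation to an interactive root shell (after which sudo no longer records individual commands), reads of customer data with no support ticket attached, and a burst of failed logins followed by a success.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines); not real Awarathon logs.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:02:11Z", "host": "prod-app-01", "user": "ops-admin", "event": "sudo", "cmd": "/usr/bin/systemctl restart app"}
{"ts": "2024-05-06T09:05:40Z", "host": "prod-db-01", "user": "jdoe", "event": "sudo", "cmd": "/bin/bash"}
{"ts": "2024-05-06T09:06:02Z", "host": "prod-app-02", "user": "support1", "event": "customer_data_read", "tenant": "acme", "ticket": "SUP-1042"}
{"ts": "2024-05-06T09:07:15Z", "host": "prod-app-02", "user": "support1", "event": "customer_data_read", "tenant": "globex"}
{"ts": "2024-05-06T09:10:00Z", "host": "bastion", "user": "mallory", "event": "auth_fail"}
{"ts": "2024-05-06T09:10:07Z", "host": "bastion", "user": "mallory", "event": "auth_fail"}
{"ts": "2024-05-06T09:10:13Z", "host": "bastion", "user": "mallory", "event": "auth_fail"}
{"ts": "2024-05-06T09:10:20Z", "host": "bastion", "user": "mallory", "event": "auth_ok"}
"""

ADMIN_USERS = {"ops-admin"}                    # assumed allow-list for sudo
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}
FAIL_THRESHOLD = 3                             # assumed tuning values
FAIL_WINDOW = timedelta(minutes=5)


def parse_events(text: str):
    """Parse JSON lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events):
    """Apply the rules in event order; return (rule, user, host, detail) tuples."""
    alerts = []
    fails = defaultdict(list)  # user -> timestamps of recent auth failures

    def recent_fails(user, now):
        return [t for t in fails[user] if now - t <= FAIL_WINDOW]

    for ev in events:
        kind, user, host, now = ev["event"], ev["user"], ev["host"], ev["ts"]
        if kind == "sudo":
            if user not in ADMIN_USERS:
                alerts.append(("PRIV_CMD_NON_ADMIN", user, host, ev["cmd"]))
            if ev["cmd"].split()[0] in INTERACTIVE_SHELLS:
                # A root shell hides every subsequent command from sudo logging.
                alerts.append(("ROOT_SHELL", user, host, ev["cmd"]))
        elif kind == "customer_data_read" and not ev.get("ticket"):
            # Customer data access must be tied to a tracked support case.
            alerts.append(("DATA_ACCESS_NO_TICKET", user, host, ev["tenant"]))
        elif kind == "auth_fail":
            fails[user] = recent_fails(user, now) + [now]
            if len(fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("AUTH_FAIL_BURST", user, host, len(fails[user])))
        elif kind == "auth_ok" and len(recent_fails(user, now)) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: a guessed or sprayed password.
            alerts.append(("SUCCESS_AFTER_FAIL_BURST", user, host, None))
    return alerts


def run(text: str = SAMPLE_LOG):
    return detect(parse_events(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production these rules would read from the isolated log server rather than a string, and the allow-list and ticket lookup would come from the directory and ticketing system; the point is that each rule is a precise statement of what "unusual activity" means, which is what turns raw audit logs into actionable alerts.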
2. Vulnerability management
We have a dedicated vulnerability management process that actively scans for security weaknesses using a combination of certified third-party scanning tools and in-house tools, together with automated and manual penetration testing. You can request our detailed VAPT report by emailing us at info@stagingweb.awarathon.com. Once we identify a vulnerability requiring remediation, it is logged, prioritized according to its severity, and assigned to an owner. We then identify the associated risks and track the vulnerability until it is closed, either by patching the vulnerable systems or by applying compensating controls.
3. Malware and spam protection
We scan all user files using an automated scanning system designed to stop malware from spreading through the Awarathon ecosystem. Our anti-malware engine receives regular updates from external threat intelligence sources and scans files against known-bad signatures and malicious patterns. In addition, a proprietary detection engine that uses machine learning techniques helps protect customer data from malware.
4. Backup
We run incremental backups of our databases every day, plus full backups, on AWS infrastructure. Backup data is stored in India and encrypted at rest. All backed-up data is retained for one year. If a customer requests data recovery within the retention period, we restore their data and provide secure access to it; the time to restore depends on the size of the data and the complexity involved. All backups are scheduled and tracked; if a backup fails, the failure is fixed and the backup is re-run immediately. We also strongly recommend that you schedule regular backups of your own data by exporting it from the respective Awarathon services and storing it in your own infrastructure.
5. Disaster recovery and business continuity
We have a detailed disaster recovery and business continuity plan in place, and we are also SOC 2 compliant. For more details, please check our ISO certificate.
Incident Management
1. Reporting
We have a dedicated incident management team. We notify you of incidents in our environment that apply to you, along with any actions you may need to take. We track and close incidents with appropriate corrective actions. Whenever applicable, we identify, collect, and provide you with the necessary evidence, in the form of application and audit logs, for incidents that apply to you. We also implement controls to prevent recurrence of similar situations. Security or privacy incidents you report to us at info@stagingweb.awarathon.com are handled with high priority. For general incidents, we notify users through our blogs, forums, and social media. For incidents specific to an individual user or organization, we notify the concerned party by email, using the registered primary email address of the organization administrator.
2. Breach notification
As a data controller, we notify the concerned Data Protection Authority of a personal data breach within 24 hours of becoming aware of it, well within the 72-hour limit set by the General Data Protection Regulation (GDPR, Article 33). Depending on the specific requirements, we also notify affected customers when necessary. As a data processor, we inform the concerned data controllers without undue delay.
3. Vendor and Third-party supplier management
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors only after understanding their processes for delivering service to us and performing risk assessments. We take appropriate steps to maintain our security posture by establishing agreements that require vendors to adhere to the confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of each vendor's processes and security measures through periodic reviews of their controls.
Customer controls for security
So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end:
1. Choose a unique, strong password and protect it.
2. Use multi-factor authentication
3. Use the latest browser versions, mobile OS versions, and updated mobile applications so they are patched against known vulnerabilities and benefit from the latest security features.
4. Exercise reasonable precautions while sharing data from our cloud environment.
5. Classify your information into personal or sensitive and label them accordingly.
6. Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account, and manage roles and privileges to your account.
7. Be aware of phishing and malware threats: watch for unfamiliar emails, websites, and links that try to obtain your sensitive information by impersonating Awarathon or other services you trust.
Conclusion
Security of your data is your right and a never-ending mission of Awarathon. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, write to us at info@stagingweb.awarathon.com.