Security
As an auditing application, we recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security.
This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.
General practices
- Our architecture is built to support HIPAA, SOC 2, and ISO 27001 compliance needs, with strict access controls, comprehensive auditing, and continuous monitoring.
- We adopt a Zero Trust model across communications, ensuring identity verification, least-privilege access, and endpoint validation across our systems.
- Access to servers, source code, and third-party tools is secured with two-factor authentication.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
- We don’t copy production data to external devices (like personal laptops).
Access control and organizational security
Personnel
Our employees sign an NDA before gaining access to sensitive information.
Penetration testing
We perform a penetration test through a third party annually.
Servers
Assuredly hosts its own servers in Google Cloud, in the us-central1 region.
Encryption
All communication between the Assuredly client and our backend is encrypted with TLS 1.2. Our backend server is managed by Google Cloud.
Data retention/logging
Logs are stored separately from our backend infrastructure in a private Google Cloud Logging bucket with limited access. This bucket is not accessible to any third parties.
These logs are retained for 30 days, after which they are permanently deleted.
Application analytics can be permanently deleted on request.
Software development practices
- Code written by any developer is signed off by at least one other person before it is committed.
- Code is tested in a staging environment against a QA checklist before deploying to production.
Vulnerability detection
Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities.
Vulnerable dependencies are patched and redeployed rapidly.
Hosting
Our backend server is hosted on Google Cloud. Google's data center operations have been accredited under:
- ISO 27001
- SOC 1 / SOC 2 / SOC 3
- HIPAA
- and more
FAQs
How do I report a potential vulnerability or security concern?
If you have a concern, please email us at [email protected].
Are you SOC 2 or HIPAA certified?
We are working towards this and expect to be certified in the next 6 months.
Do you conduct background checks on your employees?
Yes. All employees sign an NDA and undergo a background check before starting.
What insurance do you carry?
Details of our insurance coverage are available upon request.
Any further questions?
Great! Please email us and we’ll happily update this doc.