Our Security Practices
Data security you can trust
We live in a world where the public is increasingly skeptical of data and the security surrounding it. We stay up-to-date on the latest industry standards to manage security for our network, platform, database, and (most importantly) people’s data. Our data security fundamentals include encryption, strong authentication, constant monitoring, and ample backups.
- Platform Security
  - Hosted on Amazon Web Services (infrastructure-as-a-service and an industry leader in best practice certifications and compliance).
  - Hosted in multiple datacenters to assure redundancy, with processes in place to allow for data recovery.
  - All access to the Platform is logged and monitored by Civis security staff.
  - Regular tests for, and fixes of, vulnerabilities in our systems and products, both internally by staff and externally by third parties.
- Client Security
  - Platform is multi-tenant, with isolation measures in place to ensure clients’ data and access are secure. Each client has their own Redshift analytics database, isolating their data and workloads in a single-tenant environment.
  - Users have their own unique accounts, so all actions are attributable to the particular user.
  - Users must abide by strong password requirements. We require two-factor authentication when available.
  - Users can be permissioned or de-permissioned on data on a need-to-know basis.
- Data Security, Privacy, and Compliance
  - We’re on-call 24/7/365 to respond to system alerts or incidents.
  - The AWS Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24/7/365 coverage to detect incidents and to manage the impact and resolution.
  - All data is encrypted at rest and in transit, whether stored in the cloud or locally.
- Employee Security & Company Policies
  - Full-disk encryption on all staff laptops, as well as Amazon Redshift, RDS, and EC2 computing resources.
  - Strong password requirements; passwords are changed regularly and can’t be reused across systems.
  - Regular security audits and staff training, conducted by internal Civis security staff and external third-party auditors retained by Civis.
  - Encryption and password protection on all devices used to access Civis e-mails or systems.
  - Two-factor authentication on all staff email, VPN, the Civis Platform, and other software or systems that allow for multi-factor authentication.