Our Security Practices
Data security you can trust
You trust us with your most important data, and we take that responsibility seriously. This includes everything from protecting our systems against external threats to safeguarding how your data is accessed and used. As a Civis client, you’ll benefit from architecture, products, and processes that are all designed specifically to protect your data against internal and external vulnerabilities. These security controls are validated by a third party in accordance with the stringent standards set by the AICPA, and we’ve achieved SOC 2 Type II compliance.
- Platform Security
  - Hosted on Amazon Web Services (infrastructure-as-a-service and an industry leader in best practice certifications and compliance).
  - Hosted in multiple datacenters to assure redundancy, with processes in place to allow for data recovery.
  - All access to Platform is logged and monitored by Civis security staff.
  - Regular tests for, and fixes of, vulnerabilities in our systems and products, both internally by staff and externally by third parties.
- Client Security
  - Platform is multi-tenant, with isolation measures in place to ensure clients’ data and access are secure. Each client has their own Redshift analytics database, isolating their data and workloads in a single-tenant environment.
  - Users have their own unique accounts, so all actions are attributable to the particular user.
  - Users must abide by strong password requirements. We require two-factor authentication when available.
  - Users can be permissioned or de-permissioned on data on a need-to-know basis.
- Data Security, Privacy, and Compliance
  - We’re on-call 24/7/365 to respond to system alerts or incidents.
  - The AWS Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24/7/365 coverage to detect incidents and to manage the impact and resolution.
  - All data is encrypted at rest and in transit, whether stored in the cloud or locally.
- Employee Security & Company Policies
  - Full-disk encryption on all staff laptops, as well as Amazon Redshift, RDS, and EC2 computing resources.
  - Strong password requirements; passwords are changed regularly and can’t be reused across systems.
  - Regular security audits and staff training, conducted by internal Civis Security Staff and external third-party auditors retained by Civis.
  - Encryption and password protection on all devices used to access Civis e-mails or systems.
  - Two-factor authentication on all staff email, VPN, Civis Platform, and other software or systems that allow for multi-factor authentication.