Security Policy
Updated November 21, 2018
We take our customers’ security very seriously, and have extensive experience serving enterprise clients with complex security requirements. This document covers key elements of our security policy.
We use world-class data centers
Portside’s physical infrastructure is hosted and managed within Amazon’s secure data centers and leverages Amazon Web Services (AWS) and Amazon Elastic Compute Cloud (EC2) technology.
Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001 and ISO 27017/8
- SOC 1, SOC 2 and SOC 3 / SSAE 16 / ISAE 3402 (previously SAS 70 Type II)
- PCI DSS Level 1
AWS has also given special attention in the US and EU to comply with any new or changing regulations, such as:
- Sarbanes-Oxley (SOX)
- HIPAA
- Safe Harbor / Privacy Shield
- EU Data Protection Directive (GDPR)
A full list of Amazon’s certifications is available here.
Passwords are stored securely
All user passwords are hashed. Hashing passwords means we don’t have access to the original passwords, nor does anyone else. So even if our database were compromised, everyone’s passwords would stay secure.
Data is encrypted in transit
All communication between the client’s browser and Portside servers is over secure HTTP access (HTTPS), using the industry standard Transport Layer Security (TLS). Only the most relevant and secure level of TLS is accepted by Portside. We are using TLS 1.2 and 1.3 certificates with ciphers recommended by the U.S. Department of Commerce, National Institute of Standards and Technology (details can be found here).
Data is encrypted at rest
All account data that is not moving through the network is encrypted while “at rest” in the database. We encrypt all data using 256-bit AES encryption. This ensures that even if access to our databases is compromised, the intruder will not be able to gain access to customer data.
System and operational security
We protect our system infrastructure by using dedicated firewall and VPN services to block unauthorized system access. Firewalls on all servers are set to default-deny.
Database connections are only accepted from other Portside servers on the internal virtual private network.
All communication with servers (outside of public HTTPS access) is over encrypted secure shell (SSH) and password authentication is disabled. SSH authentication is available only via public/private key authentication.
We strive to keep all server software on the latest version; however, when that is not possible, we do ensure that the latest security patches are installed and up-to-date.
Access is logged
We log all user activity in the application, as well as any systems access by our employees, using AWS CloudTrail service. An audit log is maintained and is reviewed periodically.
Employee access restrictions
All employees are required to sign a confidentiality agreement. Tight system access security is enforced and no Portside employees are able to access customer data unless specifically required to do so for support reasons. Then only specially designated senior technical employees have the necessary access permissions. Any system access is logged and tracked for auditing purposes.
We enforce two-factor authentication both for infrastructure access (Amazon Web Services) and for code repository (Github).
Customer data separation
Portside has been carefully designed to separate customer data and to prevent even inadvertent disclosure of data from one user to another. User account permissions and roles are enforced at the server and database level to prevent malicious users from escalating their privileges. We carefully design all new features to prevent potential attacks such as SQL injection and cross-site-scripting.
Backup policy
All data is physically stored on servers in the United States. Backups are performed automatically by AWS, and the database can be restored to any point in time in the past 30 days.
Anti-virus scanning
Portside automatically scans all uploaded files for viruses. This helps protect against malicious files from being uploaded and shared with other users in the account. If Portside detects a virus in a file, we reject the upload and notify the user.
We do not store payment details
Portside does not store or process payments. All payments go through our partner, Stripe, which is a leading global payments system that is PCI DSS compliant. Details about their security can be found here.
Penetration and vulnerability testing
Portside conducts annual third party penetration testing on its systems to validate and confirm that there are no technical vulnerabilities that may have been missed.