Security

Effective Date: June 2, 2023

Purpose and Scope

We understand the sensitivity of your data, and the privacy and security of that data is our primary concern. We take security, availability, privacy, and most of all, transparency, very seriously. To that end, we have successfully completed a SOC2 Type 2 audit of our controls related to Security, Confidentiality, and Availability. If you need a copy of the report, we require a signed Non-Disclosure Agreement. Please contact us here.

This document will provide you with all the ways in which we address the security of our product. If you have any questions about any aspect of security, privacy or availability, or wish to report a security incident or system failure, please contact our security team here.

Application Security

Customer data

All stored data is considered to be the exclusive property of your organization. This means that only valid users who are part of the organization’s account are able to access company data.

Customer data sensitivity

Optify only stores non-sensitive PII, including first and last names, phone numbers, and email addresses.  Data relevant to the coaching program are also stored, including coaching goals, notes, and meetings.

Deleting customer data

Any data owner can request to have their data removed from the platform at any time. Please contact us to make that request.  All data will be removed from our database within 2 business days, and will be deleted from our database backups within a year.

Restitution of customer data

A program manager or administrator can export all client (coachee) meeting information in CSV format, including meeting dates and status.

Browser Support

Optify supports most evergreen browsers as long as they have been updated within the last two released major versions. Chrome or Firefox is recommended. Edge and Safari are also supported.

Platform authentication

  • User passwords are salted and hashed using the Argon2 algorithm prior to being stored in the database.
  • Client-managed third-party integrations are authenticated using the OAuth 2.0 protocol.
  • Form data and front-end API calls are authenticated through HTTPS headers using signed and salted tokens that expire after one day, client-generated API keys, and an API secret.

Application code

All application code is maintained in Git repositories hosted on the GitHub SaaS service.

Incident management

In the unlikely event of any potential alert of escalation, the situation will be dealt with according to its level of severity. Any potential outage or incident will be treated as an immediate priority, regardless of its severity level. Furthermore, any potential software malfunctions reported by users are directly managed by our dedicated support team.

Lastly, for the sake of transparency, all incidents regarding the Optify platform are shared on the Optify status page.

Infrastructure

Datacenter

Our service is hosted and preserved on AWS, backed by AWS’s 99.99% uptime guarantee under the Amazon EC2 SLA.

Servers

The servers run on the AWS public cloud (AWS EC2), with data stored in a PostgreSQL database contained in an encrypted volume.

Environment separation

Each new Optify release is tested on a staging environment, completely separated from the production environment. The same processes apply for deployment and software installations for both environments.

Separation of customer data

Customer data is separated at the PostgreSQL database level using a schema-based multi-tenant solution.

Workstations

All Optify employee workstations are monitored for security, are encrypted, and have virus protection.

Network Protection

Hostile attack prevention

AWS provides an anti-DDoS protection service at the forefront. Firewalls are configured according to the approved industry standards — complying with

Traffic encryption

Optify supports the latest secure encryption suites and recommended protocols to encrypt all traffic.

All scoped data is encrypted in transit via TLS 1.2 (HTTPS, SSL, SSH), OAuth 2.0, and at rest using LUKS1, aes-xts-plain64, 256 bits. Encryption keys are stored in an Ansible Vault.

Installations. Updates. Patches.

Our servers are updated continuously with the latest security patches. Server installations, updates, and software deployments are fully automated.

  • The servers are configured via Ansible scripts. The scripts are tested regularly through a Vagrant machine.
  • Software is automatically tested in a CI/CD pipeline hosted by CircleCI prior to being packaged into a release for deployment. The build release process generates an artifact that allows a rollback to any specific previous version of the software.

Backups

Database

An hourly backup is made of the database, with each backup retained for one week. Database recovery procedures are tested regularly.

Incident Management

Communication

The Optify status page and our Intercom messaging system are the primary means of communication that we use in case of a major incident or maintenance on the platform.

Physical Security

Personnel

All Optify staff members have undergone background checks and have signed agreements requiring confidentiality of customer data. They have been trained in best practices on privacy and security.

Monitoring and access control

We limit staff access to services and data: only members of Technical Operations can access the production infrastructure. Each staff member can only access the data and services that are necessary for their role.

Contact Information

If you have any questions, comments or complaints about this Security Notice, please contact us by email: security@optifycoaching.com