Security

Effective Date: February 19, 2024

Our Security Stance

We understand the sensitivity of your data, and the privacy and security of that data is our primary concern. We take security, availability, privacy, and transparency very seriously. We comply with SOC2, GDPR, and the ICF Code of Ethics.

We complete annual SOC2 Type 2 audits of our controls related to Security, Confidentiality, and Availability. If you need a copy of our most recent report, we require a signed Non-Disclosure Agreement. Please contact us here for a copy.

If you have any questions about any aspect of security, privacy or availability, or wish to report a security incident or system failure, please contact our security team here.

Application Security

Customer data

All stored data is considered to be the exclusive property of your organization. This means that only valid users who are part of the organization’s account are able to access company data. Within each account, each user is further restricted to see only the data they are authorized to see. We have four different user types, and each one has access only to the information necessary for their role: Administrators, Coaches, Clients, and Sponsors.

Customer data sensitivity

Optify only stores non-sensitive Personally Identifiable Information (PII), including first and last names, phone numbers, and email addresses. Data relevant to the coaching program are also stored, including coaching goals, notes, and meetings. Coaching information is either restricted to coach and client, anonymized, or expressly authorized to be shared.

Deleting customer data

Any data owner can request to have their data removed from the platform at any time. Please contact us to make that request. All data will be removed from our database within 2 business days, and will be deleted from our database backups after one week.

Restitution of customer data

A program manager or administrator can export all program and meeting information in CSV format, including meeting dates and status. Confidential coaching information is not available for export.

Browser Support

Optify supports most evergreen browsers, provided they are within the last two released major versions. Chrome or Firefox is recommended. Edge and Safari are also supported.

Platform authentication

  • User passwords are salted and hashed using the Argon2 algorithm prior to being stored in the database.
  • Client-managed third-party integrations are authenticated using the OAuth 2.0 protocol.
  • Form data and front-end API calls are authenticated through HTTPS headers using signed and salted tokens that expire after one day, client-generated API keys, and an API secret.

Application code

All application code is maintained in Git repositories hosted on the GitHub SaaS service.

Incident management

In the unlikely event of any potential alert or escalation, the situation will be dealt with according to its level of severity. Any potential outage or incident will be treated as an immediate priority, regardless of its severity level. Furthermore, any potential software malfunctions reported by users are directly managed by our dedicated support team.

Lastly, for the sake of transparency, all incidents regarding the Optify platform are shared on the Optify status page.

Infrastructure

Datacenter

Our service is hosted and preserved on AWS, backed by AWS’s 99.99% uptime guarantee under the Amazon EC2 SLA.

Servers

The servers run on the AWS public cloud (AWS EC2), with data stored in a PostgreSQL database contained in an encrypted volume.

Environment separation

Each new Optify release is tested on a staging environment, completely separated from the production environment. The same processes apply for deployment and software installations for both environments.

Separation of customer data

Customer data is separated at the PostgreSQL database level using a schema-based multi-tenant solution.

Workstations

All Optify employee workstations are monitored for security, are encrypted, and have virus protection.

Network Protection

Hostile attack prevention

AWS provides an anti-DDoS protection service at the forefront. Firewalls are configured according to approved industry standards. Hostile attack prevention is further bolstered by stringent access controls, continuous monitoring for suspicious activities, and regular security audits to ensure compliance with evolving industry regulations and best practices.

Traffic encryption

Optify supports the latest secure encryption suites and recommended protocols to encrypt all traffic.

All scoped data is encrypted in transit via TLS 1.2 (HTTPS, SSL, SSH), OAuth 2.0, and at rest using LUKS1 (aes-xts-plain64, 256 bits). Encryption keys are stored in an Ansible Vault.

Installations. Updates. Patches.

Our servers are updated continuously with the latest security patches. Server installations, updates, and software deployments are fully automated.

The servers are configured via Ansible scripts. The scripts are tested regularly through a Vagrant machine.

Software is automatically tested in a CI/CD pipeline hosted by CircleCI prior to being packaged into a release for deployment. The build release process generates an artifact that allows a rollback to any specific previous version of the software.

Database Backups

An hourly backup is made of the database, with each backup retained for one week. Database recovery procedures are tested regularly.

Incident Management

The Optify status page and our Intercom messaging system are the primary means of communication that we use in case of a major incident or maintenance on the platform.

Physical Security

Personnel

All Optify staff members have undergone background checks and have signed agreements requiring confidentiality of customer data. They have been trained in best practices on privacy and security.

Monitoring and access control

We limit staff access to services and data: only members of Technical Operations can access the production infrastructure. Each staff member can only access the data and services that are necessary for their role.

Contact Information

If you have any questions, comments or suggestions about this Security Notice, please contact us by email: support@optify.io.