Effective Date: January 17, 2022
We understand the sensitivity of your data, and the privacy and security of that data are our primary concern. We take security, availability, privacy and, above all, transparency seriously. To that end, we have completed a SOC 2 Type 1 audit of our controls for Security, Confidentiality, and Availability.
This document describes the ways in which we address the security of our product. If you have questions about any aspect of security, privacy or availability, or wish to report a security incident or system failure, please contact our security team.
All stored data is considered the exclusive property of your organization. Only valid users who belong to the organization's account are able to access the organization's data.
Optify stores only non-sensitive PII: first and last names, phone numbers, and email addresses. Coaching-program data (coaching goals, notes, and meetings) is also stored.
Any data owner can request removal of their data from the platform at any time; please contact us to make that request. Data is removed from our database within two business days and is deleted from our database backups within a year.
A program manager or administrator can export all client (coachee) meeting information in CSV format, including meeting dates and status.
Optify supports current evergreen browsers within their two most recent major versions. Chrome or Firefox is recommended; Edge and Safari are also supported.
All application code is maintained in Git repositories hosted on GitHub (SaaS).
In the unlikely event that an alert is escalated, it is handled according to its severity level; any potential outage or incident is treated as an immediate priority regardless of severity. Software malfunctions reported by users are handled directly by our dedicated support team.
Lastly, for the sake of transparency, all incidents affecting the Optify platform are published on the Optify status page.
Our service is hosted on AWS and backed by the 99.99% monthly uptime commitment of the Amazon EC2 SLA.
Servers run on Amazon EC2 in the AWS public cloud; data is stored in a PostgreSQL database on an encrypted volume.
Each new Optify release is tested in a staging environment that is completely separate from production. The same deployment and software-installation processes apply to both environments.
Customer data is separated at the database level: each tenant's data lives in its own PostgreSQL schema (schema-based multi-tenancy), so separation is enforced by PostgreSQL's schema privileges rather than only by application filtering.
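To show what schema-based separation actually enforces at the database level, here is an added example of the pattern on PostgreSQL. It is not Optify's own schema or code; the tenant names (acme, globex), role names, passwords and table columns are hypothetical. It ends with the cross-tenant read that must fail and an audit query that lists any tenant role able to reach another tenant's schema.

```sql
-- Added illustration of schema-per-tenant isolation in PostgreSQL.
-- Not Optify's code; all names are hypothetical. Run as a superuser
-- or the database owner.

-- 1. Close the shared "public" schema as a leak path. By default every
--    role has USAGE on it and, before PostgreSQL 15, CREATE as well.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. One login role per tenant, with no superuser/CREATEDB/CREATEROLE,
--    so a tenant role cannot grant itself access anywhere else.
CREATE ROLE tenant_acme   LOGIN PASSWORD 'replace-me' NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE ROLE tenant_globex LOGIN PASSWORD 'replace-me' NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 3. One schema per tenant, owned by that tenant's role. No grants to
--    PUBLIC, so other roles get no USAGE on it.
CREATE SCHEMA acme   AUTHORIZATION tenant_acme;
CREATE SCHEMA globex AUTHORIZATION tenant_globex;

-- 4. Pin each role's search_path to its own schema only. Leaving
--    "$user" or public in the path lets an unqualified table name
--    resolve somewhere unintended.
ALTER ROLE tenant_acme   SET search_path = acme;
ALTER ROLE tenant_globex SET search_path = globex;

-- 5. Tenant tables live inside the tenant schema. Identity columns keep
--    their sequences in the same schema (a plain "serial" copied with
--    LIKE ... INCLUDING ALL would share a cross-schema sequence).
CREATE TABLE acme.meetings (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    coachee  text        NOT NULL,
    held_at  timestamptz NOT NULL,
    status   text        NOT NULL
);
CREATE TABLE globex.meetings (
    id       bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    coachee  text        NOT NULL,
    held_at  timestamptz NOT NULL,
    status   text        NOT NULL
);

-- 6. The check a reviewer wants. Privilege checks apply to the current
--    role after SET ROLE, so the second SELECT must fail even though the
--    session user is a superuser.
SET ROLE tenant_acme;
SELECT * FROM meetings;          -- resolves to acme.meetings via search_path
SELECT * FROM globex.meetings;   -- ERROR:  permission denied for schema globex
RESET ROLE;

-- 7. Audit query (run as superuser): every row returned is a tenant role
--    that has USAGE on some other tenant's schema, i.e. a misconfiguration.
SELECT r.rolname, n.nspname
FROM   pg_roles r
JOIN   pg_namespace n ON n.nspname IN ('acme', 'globex')
WHERE  r.rolname ~ '^tenant_'
  AND  n.nspname <> replace(r.rolname, 'tenant_', '')
  AND  has_schema_privilege(r.rolname, n.nspname, 'USAGE');
-- Expected result after the steps above: zero rows.
```

The guarantee only holds when each tenant's connections use that tenant's role. If the application connects as a single privileged role and merely switches search_path per request, PostgreSQL enforces nothing and isolation rests entirely on application correctness; the audit query in step 7 is the recurring check that no tenant role has acquired USAGE on another tenant's schema.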
All Optify employee workstations are monitored, encrypted, and run antivirus protection.
AWS's anti-DDoS protection service is the first line of defence in front of the platform. Firewalls are configured according to approved industry standards, complying with
Optify uses current, secure cipher suites and recommended protocols to encrypt all traffic.
All in-scope data is encrypted in transit using TLS 1.2 (HTTPS) and SSH, with API access authorized via OAuth 2.0 over those TLS connections (OAuth 2.0 is an authorization protocol and relies on TLS for confidentiality). Data at rest is encrypted with LUKS1 using aes-xts-plain64 with a 256-bit key, which is AES-128 in XTS mode since XTS splits the key into two halves. Encryption keys are stored in an Ansible Vault.
Our servers are updated continuously with the latest security patches. Server installations, updates, and software deployments are fully automated.
The database is backed up hourly, and each backup is retained for one week. Database recovery procedures are tested regularly.
The Optify status page and our Intercom messaging system are our primary channels for communicating major incidents and platform maintenance.
All Optify staff have undergone background checks and have signed agreements requiring confidentiality of customer data. They have been trained in privacy and security best practices.
Staff access to services and data is limited: only members of Technical Operations can access the production infrastructure, and each staff member can access only the data and services necessary for their role.