Last updated: November, 2021
Our clients have entrusted After, Inc. with their business and customer data, and we make it a priority to take our users’ security and privacy seriously. This Security Statement lays out our security policies and practices to help reassure you that your data is appropriately protected.
Application and User Security
- All sensitive communications with the applications and websites managed by After, Inc., such as the user login page, are sent over SSL/TLS connections. Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), protects communications through both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.
- User Authentication: User data in our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs in. After, Inc. issues a session cookie only to record encrypted authentication and state information for the duration of a specific session. The session cookie does not include the user's password.
- User Passwords: User application passwords have minimum complexity requirements and are encrypted before storing in our database.
- Data Portability: After, Inc. enables you to export your data from our system so that you can back it up or use it with other applications. The methods by which this may be accomplished may vary and will be documented in data interface agreements.
- Third Party Scans: Standard penetration testing of the server and application for application level vulnerabilities is undertaken.
- Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) is hosted by Amazon AWS. An overview of their security practices can be found here.
- Location: All user data is stored on servers located in the United States.
- Uptime: We carry out continuous uptime monitoring, and any downtime identified is escalated directly to After, Inc. staff.
- Failover: Production databases have multi-zone availability enabled, which provides automated failover.
- Third Party Scans: Network port scanning, vulnerability scanning and manual penetration testing are performed regularly.
- Testing: System functionality and design changes are verified in an isolated test environment and subject to testing prior to deployment to active production systems.
- Patching: The latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
- Logging and Auditing: Central logging systems capture and archive all server access including any failed authentication attempts.
- Backup Frequency: Daily backups are taken, and a copy is replicated to a separate Amazon AWS region. Such backups are rotated every seven days. Weekly backups are also sent to another region and are kept for six months. A set of backups is also kept in an isolated account.
- Backup Location: All data are backed up to regions based in the United States.
Organizational and Administrative Security
- Employee Screening: We perform background screening on employees who have access to sensitive user data.
- Training: We provide security and appropriate use training for employees and contractors. Mandatory training is provided during onboarding of new staff members and at least annually for everyone on staff.
- Service Providers: We review the security and privacy practices of our service providers and bind them under contract to appropriate confidentiality obligations.
- Access: Access controls to sensitive data in our databases, systems and environments are set on a least-privilege basis and all requests to grant access are reviewed and approved beforehand.
- Audit Logging: We maintain and monitor audit logs on our services and systems.
Software Development Practices
- Coding Practices: Our engineers follow industry-standard secure coding guidelines.
- Software Scans: We scan our applications for vulnerabilities before deploying into production. Any vulnerabilities discovered are remediated and new scans are performed before release.
Handling of Security Breaches
- Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if After, Inc. learns of a material security breach, we will use reasonable efforts to notify affected users so that they can take appropriate protective steps. We will do this by sending email notices or by posting a notice on our website. We will also comply with all applicable data breach notification laws.
- Keeping your data secure also depends on you maintaining the security of your account by using sufficiently complex passwords and storing them safely.
- You should also ensure that you have sufficient security on your own systems to protect your data.
- You will remove from our systems any users whose access you have terminated or, if no removal method is readily available, promptly inform After, Inc. that their access should be terminated.
If you have any questions about After, Inc. security practices, please send an email to your account executive or to firstname.lastname@example.org.