Reliability & availability
It is our goal to ensure minimal service impacts and downtime. Every component in the application infrastructure is redundant. There are at least two of each component that processes the flow and storage of data. All network devices, including firewalls, load balancers, and switches are fully redundant and highly-available. Customers can see our system status in real-time on our status page, where we communicate any incidents and planned maintenance.
Backups
Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.
Isolation
Our highly distributed backend platform employs isolation design patterns to mitigate risks across components. Failures of one component rarely affect other components.
DevOps best practices
Our development team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. Any 24/7/365 on-call team member is empowered to rebuild systems and topologies with full consistency. In the event of system loss, our development team quickly recreates systems by executing the infrastructure code.
Monitoring & on-call support
We monitor continuously from around the world, displaying, alerting, and reporting upon our entire technical environments in real-time. Supporting customers is a collaboration between our customer-facing support team, and our engineering team. Specialized engineers are on call 24/7/365. When problems occur our teams are promptly notified, automatically provided with context, and are enabled with tools to help collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.
Data center
Oktopost is hosted by Amazon Web Services (AWS). AWS maintains the world-leading hosting facilities which are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.
Data location
Oktopost maintains data centers in the US (AWS us-east-1) and EU (AWS eu-central-1). For customers that host their data in the US, Oktopost relies on the SCC to transfer data between the EU and US, which are included in our customer agreements, to ensure GDPR compliance.
Environmental Security Controls
AWS data centers maintain Redundant HVAC (Heating Ventilation Air Conditioning) units which provide consistent temperature and humidity within the raised floor area, Sensors to detect environmental hazards, including smoke detectors and floor water detectors, Raised flooring to protect hardware and communications equipment from water damage, Fire detection and suppression systems (dry-pipe, pre-action water-based), Redundant (N+1) UPS power subsystem with instantaneous failover. There are no product dependencies on Oktopost corporate offices or other facilities we manage.
IT security
Additional security is applied to information technology rooms and systems including forced open door alarms, thread and electronic intrusion detection systems, multi-factor authentication, and media destruction per NIST 800-88.
Physical security
24x7 onsite protection against unauthorized entry, Biometric scanning for controlled data center access, Security camera monitoring, Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.
Customer Data Protection
Account Separation
Oktopost is a multi-tenant Software-as-a-Service (SaaS) product hosted on a virtual private cloud (VPC). Customer data is hosted on the same physical environment but is logically separated to ensure secure access.
Secure Access
Oktopost can be accessed across the Internet from secure and encrypted connections (TLS 1.2) using high-grade 2048 bit certificates. Individual user sessions are protected by unique session tokens and re-verified on each transaction.
Encryption at rest & in transit
All communications over public networks with Oktopost applications and APIs is conducted over TLS/HTTPS. All data is stored encrypted at rest, including for backups. Login credentials and access tokens are encrypted at rest.
Infrastructure & network security
Oktopost has a 24/7/365 monitoring and alerting system deployed to ensure no operational or security events are missed. In addition, Host-based Intrusion Detection is deployed on all production systems.
Network controls
Our private network is segmented into multiple security zones. These bring increasing levels of control, in proximity to customer data.
Incident management & response
Oktopost’s incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.
Scanning
Systems and applications are scanned regularly for common vulnerabilities.
System administration
Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.
Application security
Our developers are given annual training on secure coding. All application code is written by Oktopost employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.
Third-party penetration testing
Oktopost conducts penetration tests on a regular basis. Reports are available upon request by customers under NDA.
Security Reviews
Oktopost conducts Security reviews and threat assessments are based on Open Web Application Security Project (OWASP).
DDoS mitigation
Distributed Denial of Service mitigation is provided via our hosting platform. We employ both a web application firewall (WAF) in addition to AWS Shield.
Secure credential storage
Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.
Brute-force protection
In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections.
Email signing
Oktopost implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Oktopost, helping to prevent spoofing and ensure authenticity.
Employees & internal IT
In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely run, and measured against industry benchmarks.
Information security policies & standards
Oktopost has a comprehensive set of policies and standards covering all aspects of security and privacy. All Employees must affirm their responsibilities in protecting customer data as part of their condition of employment.
Offices
Oktopost offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.
Endpoints
Employee workstations are secured with hard drive encryption, Antivirus and advanced malware detection with central management and control.
Background checks
Employees with access to customer data undergo a criminal history (where allowable by law) and background check prior to employment.
Business continuity
Like the hosting of our products, while Oktopost maintains physical offices around the world, the continued operation of our business is not dependent on these offices. Our products, customer service, and overall business operations are enabled to carry on uninterrupted by physical incidents or issues at our offices. Our team is equipped with Cloud-based tools and remote access & collaboration solutions, and makes use of these tools daily.
Product security features
Every company has unique workflows and requirements when it comes IT and information security. We give you the controls you need to adhere to your security protocols and guidelines.
Approval workflows
Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.
Single sign-on (SSO)
Oktopost offers SAML 2.0 Single sign-on (SSO) for organizations that leverage this authentication service to give employees one set of login credentials to access multiple applications.
Access permissions and Team Segmentation
Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users and groups on their account.
Crisis management
We hope you don’t need to, but in times of crisis, your team has access to one button that temporarily disables any automated scheduled and queued messages from being sent by the platform for both corporate and advocacy.
Session Control
Customers can control the session security settings for people using their instance.
Password Policy
Oktopost allows you to improve your account security with password protection. You can set password history, length, and complexity requirements along with other values. In addition, you can specify what to do if a user forgets their password.
Compliance & certifications
We understand how important security, privacy and data protection are to customers. Which is why we hold certification to demonstrate our compliance.
ISO 27001
Oktopost is ISO/IEC 27001 certified by the Standards Institution of Israel (SII), and by the International Certification Network (IQNET).
SOC 2 Type II
Oktopost has received independent certification of our SOC 2 Type II compliance.
EU-US Data Privacy Framework
Oktopost participates in the EU-US Data Privacy Framework, and its applicable extensions, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Economic Area member counties, Switzerland, and the United Kingdom.
CSA STAR Level 1
Oktopost is a member of the Cloud Security Alliance (CSA) - the world's leading independent organization for defining best practices for cloud service providers. In the spirit of transparency, Oktopost provides answers to common questions customers may have of their cloud provider here.
GDPR
Oktopost is GDPR compliant as both a data controller and data processor of personal data under the General Data Protection Regulation.