Security Statement

Introduction

Here at Alloy Software, protecting your data is our highest priority. To do that, we employ corporate security policies, physical and environmental security procedures, operational security processes, data model access controls, secure systems development and maintenance, and more.

Security Policies & Procedures

Alloy Software understands the importance of ensuring the privacy of your personally identifiable information as well as being legally compliant with privacy laws and regulations. You can find more information about our privacy policies at alloysoftware.com/resources/privacy.

Our Software Development Lifecycle

All changes to Alloy Software’s application code base go through a full suite of automated tests and then a round of manual reviews. Application code changes pass through multiple review stages before being released publicly or installed on customer cloud-hosted production servers. For security-sensitive changes and features, additional reviews take place.

If security vulnerabilities are discovered, Alloy Software has emergency procedures in place to ensure software patches are delivered quickly to our customers and that the vulnerabilities are communicated when necessary.

Security at the Alloy Software Workplace

Our office is secured via keycard access, which is logged, and visitors are recorded at our front desk. We closely monitor the availability of our office network and all network devices on it. We collect logs produced by network devices such as firewalls, DNS servers, DHCP servers, and routers in one central place. Network logs are retained for our firewall, wireless access points, and switches.

Software Security Standards

Alloy Software designs its applications to follow security standards and regulations such as FIPS, HIPAA and GDPR to ensure our customers are also compliant and secure.

FIPS Compliance

Alloy Software products are compliant with the Federal Information Processing Standard Publication 140-2 (FIPS 140-2), which requires best practices and secure implementations of cryptographic algorithms and encryption schemes when protecting sensitive data. You can find more information about how Alloy Software meets FIPS compliance standards at alloysoftware.com/resources/fips-compliance.

HIPAA Compliance

Alloy Software products are compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure Protected Health Information (PHI) handled by health plans, doctors, hospitals and other health care providers is secure. You can find more information about how Alloy Software meets HIPAA compliance standards at alloysoftware.com/resources/hipaa-compliance.

GDPR Compliance

Alloy Software products are compliant with the General Data Protection Regulation (GDPR), which ensures identifiable customer information remains private and secure through an array of robust data protection features. You can find more information about how Alloy Software meets GDPR compliance standards at alloysoftware.com/resources/gdpr.

Secure Application Standards

Alloy Software products leverage several security protocols such as Secure Sockets Layer (SSL), LDAP over SSL/TLS (LDAPS), OAuth (open authorization), Secure Password Authentication (SPA), Transport Layer Security (TLS) and others to ensure data and data communication remain secure.

User Access Management

Application administrators can view real-time and historical user access information, including each user’s access time and date, activity, IP address, and method of access, from a central administration interface.

Cloud Hosting Architecture

Alloy Software leverages Amazon Web Services (AWS) to host customer data in secure SSAE 16-audited data centers via Amazon Relational Database Service (RDS).

Data Center Security

Security for Amazon Web Services (AWS) data centers includes intrusion detection technology, physical access restriction, multiple data security layers, and environmental considerations to mitigate risks related to fire, flooding, extreme weather and seismic activity. You can find more information about Amazon Web Services (AWS) security policies and procedures at aws.amazon.com/security.

Security Certifications

Amazon Web Services (AWS) has been certified by third-party organizations and is compliant with applicable laws and regulations. You can find a list of certifications and compliance statements at aws.amazon.com/compliance.

Amazon has published a SOC 3 report for Amazon Web Services on Security, Availability & Confidentiality, which you can find at d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf.

Data Center Location

Alloy Software hosts cloud services data on Amazon Web Services (AWS) data centers located in the United States. By request, cloud services data can be hosted at a data center within an available region of the customer’s choosing.

Personnel Access

Only senior members of Alloy Software’s Technical Services team have access to production environment installations for the purposes of maintaining our cloud services and assisting our customers. All access to production environments hosted on Amazon Web Services (AWS) is closely monitored.

Disaster Recovery

Amazon Web Services (AWS) hosting locations employ disaster recovery measures such as backup power equipment, HVAC systems, fire suppression equipment and protections against flooding, extreme weather and seismic activity. In addition, Alloy Software’s Technical Services team has disaster recovery processes in place which are tested on a regular basis.

Data Backups

Alloy Software runs full database backups daily. Backup data is stored on cloud storage in a separate location and encrypted at rest. Daily backups are kept for 7 days. Weekly backups are kept for 4 weeks. Monthly backups are kept for 3 months. No backups are saved beyond 3 months.

As our customer, you own your data and may request backup copies as needed.

Data Retention

Alloy Software applications provide data archiving features that allow customers to determine their own data retention policy. If data archiving is not enabled, data is retained indefinitely while you are our customer.

Encrypted Transactions

Security protocols such as Secure Sockets Layer (SSL), LDAP over SSL/TLS (LDAPS), OAuth (open authorization), Secure Password Authentication (SPA), Transport Layer Security (TLS), SSH File Transfer Protocol (SFTP), and others are used by Alloy Software applications when communicating data.

Additionally, all communications are protected with HTTPS (TLS), and connections within the cloud environment use VPN network connections.