Security and compliance are top priorities for Amalia because they are fundamental to your experience with the product. Amalia is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.
Amalia uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Amalia employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.
Security is directed by Amalia’s Chief Technology Officer and maintained by Amalia’s Security & Operations team.
Physical Access Control
The defined purpose makes it possible to determine the relevance of the data that we will collect. Only the adequate and strictly necessary data to achieve the purpose will be collected and processed. Thus we only collect data allowing:
- Custom-designed electronic access cards
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”
Amalia employees do not have physical access to Google data centers, servers, network equipment, or storage.
Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited, to SSAE 16-compliant SOC 2 certification and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 certifications.
Logical Access Control
Amalia is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Amalia operations team members have access to configure the infrastructure on an as-needed basis behind a virtual private network.
Logging and Monitoring
Logging is a critical component to Amalia infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in realtime and managed by Google Cloud Logging. Log access is configured per role for our operational team.
Amalia uses a variety of monitoring strategies. We monitor the performance of our apps through Google Cloud Monitoring and Sentry. Alarms on all our servers are triggered when reaching threshold for different indicators (memory/cpu usage, connections, downtime, ...). This will notify our ops team. Downtime is not caused by one server going down as we serve the app on multiple servers behind a load balancer.
Intrusion Detection and Prevention
Unusual network patterns or suspicious behavior are among Amalia's most significant concerns for infrastructure hosting and management. Amalia and Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.
IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.
Amalia does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.
Data breach and incident response procedure
In case of Data breach, Amalia's team will follow the following procedure:
Amalia undergoes grey box penetration testing conducted by an independent, third-party agency, on an annual basis. For grey-box testing, Amalia provides the agency with an isolated clone of amalia.io, a user access to the system and a high-level diagram of application architecture.
Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Amalia will provide a summary of penetration test findings upon request to Enterprise customers.
Every part of the Amalia service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
Amalia keeps daily encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
In the event of a region-wide outage, Amalia will bring up a duplicate environment in a different Google Cloud Platform region. The Amalia operations team has extensive experience performing full region migrations.
RTO & RPO
Our Recovery Time Objective (RTO) is 4 hours.
Our Recovery Point Objective (RPO) is 24 hours.
Each data bit stored by Amalia is encrypted according to the most demanding standards (AES-256). We also use the TLS 1.2 encryption with RSA keys of 2,048 bits for all data in transit.
With Multi Tenant Architecture, your resources and liabilities are not shared with other tenants as your data at rest remains isolated.
Safe authentication and user management
Allowing employees to log-in using company credentials from a single and central directory: SAML2, LDAP, OAuth 2, Active Directory, and others upon request.
Amalia authentification system relies on Auth0.com
We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All Amalia customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed.
Membership within Amalia is handled at the organization level. Each Amalia user should have their own account and can choose their own personal preferences and notifications settings. Access to organizations is dictated by role:
For any organization on a Amalia plan, the project administration portal is the hub for seeing and managing users and usage. The member list includes the username, email, status, added date, teams, and role for each user. The admin or owner can revoke access by organization, or team and change the user role. Additionally, the admin can request login and password history and revoke passwords and active sessions for any user via request to Amalia Support.
Secure Application Development
Each day, new versions are deployed on the Amalia platform. We are constantly delivering secure upgrades. Each version incorporates the most limited scope possible in order to mitigate risks. We implement progressive upgrade deployments in order for each new version of the application to be tested before online visitors are introduced to it. In case of a problem with the newly deployed version, the automated verification system will cancel it, preventing visitors from seeing it.
Amalia maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Amalia Enterprise customers upon request:
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.
All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all Amalia employees.