Security Policy

Updated 28/09/2021
Amalia's Security infrastructure

A secure, reliable and scalable infrastructure


Security and compliance are top priorities for Amalia because they are fundamental to your experience with the product. Amalia is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.

Amalia uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. All Amalia employees undergo background checks before employment and are trained on security practices during company onboarding and on an annual basis.

Security is directed by Amalia’s Chief Technology Officer and maintained by Amalia’s Security & Operations team.

Infrastructure and Network Security

Physical Access Control

The defined purpose makes it possible to determine the relevance of the data that we will collect. Only the adequate and strictly necessary data to achieve the purpose will be collected and processed. Thus we only collect data allowing:


- Custom-designed electronic access cards

- Alarms

- Vehicle access barriers

- Perimeter fencing

- Metal detectors

- Biometrics


According to the Google Security Whitepaper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”

Amalia employees do not have physical access to Google data centers, servers, network equipment, or storage.

Google Cloud Platform undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited, to SSAE 16-compliant SOC 2 certification and ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 certifications.

Logical Access Control

Amalia is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Amalia operations team members have access to configure the infrastructure on an as-needed basis behind a virtual private network.

Logging and Monitoring

Logging is a critical component to Amalia infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in real­time and managed by Google Cloud Logging. Log access is configured per role for our operational team.

Amalia uses a variety of monitoring strategies. We monitor the performance of our apps through Google Cloud Monitoring and Sentry. Alarms on all our servers are triggered when reaching threshold for different indicators (memory/cpu usage, connections, downtime, ...). This will notify our ops team. Downtime is not caused by one server going down as we serve the app on multiple servers behind a load balancer.

Intrusion Detection and Prevention

Unusual network patterns or suspicious behavior are among Amalia's most significant concerns for infrastructure hosting and management. Amalia and Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.

IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.

Amalia does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.

Data breach and incident response procedure

In case of Data breach, Amalia's team will follow the following procedure:

  1. Identification. In this phase, we will go through different questions: When did the event happen? How was it discovered? Who discovered it? Have any other areas been impacted? What is the scope of the compromise? Does it affect operations? Has the source (point of entry) of the event been discovered?
  2. Communicate. In this phase we will communicate to our concerned clients the identified breach by email.
  3. Containment. In this phase, we will go through different questions: What’s been done to contain the breach short term? What’s been done to contain the breach long term? Has any discovered malware been quarantined from the rest of the environment? What sort of backups are in place? Have all access credentials been reviewed for legitimacy, hardened and changed?
  4. Eradication. In this phase, we will go through different questions: Have artifacts/malware from the attacker been securely removed? Has the system be hardened, patched, and updates applied? Can the system be re-imaged?
  5. Recovery. In this phase, we will go through different questions: When can systems be returned to production? Have systems been patched, hardened and tested? Can the system be restored from a trusted back-up? How long will the affected systems be monitored and what will we look for when monitoring? What tools will ensure similar attacks will not reoccur?
  6. Lessons Learned. In this phase, we will go through different questions: What changes need to be made to the security? How should employee be trained differently? What weakness did the breach exploit? How will we ensure a similar breach doesn’t happen again?

Penetration Testing

Amalia undergoes grey box penetration testing conducted by an independent, third-party agency, on an annual basis. For grey-box testing, Amalia provides the agency with an isolated clone of amalia.io, a user access to the system and a high-level diagram of application architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. Amalia will provide a summary of penetration test findings upon request to Enterprise customers.


Business Continuity and Disaster Recovery

High Availability

Every part of the Amalia service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Amalia keeps daily encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Disaster Recovery

In the event of a region-wide outage, Amalia will bring up a duplicate environment in a different Google Cloud Platform region. The Amalia operations team has extensive experience performing full region migrations.

RTO & RPO

Our Recovery Time Objective (RTO) is 4 hours.

Our Recovery Point Objective (RPO) is 24 hours.

Data Flow

Encryption

Each data bit stored by Amalia is encrypted according to the most demanding standards (AES-256). We also use the TLS 1.2 encryption with RSA keys of 2,048 bits for all data in transit.

Amalia’s latest SSL Labs Report can be found here (connexion marked as "A+" by Qualys - SSL Labs).

Multi Tenant

With Multi Tenant Architecture, your resources and liabilities are not shared with other tenants as your data at rest remains isolated.

Security of the Amalia application

Safe authentication and user management

Allowing employees to log-in using company credentials from a single and central directory: SAML2, LDAP, OAuth 2, Active Directory, and others upon request.

Amalia authentification system relies on Auth0.com

Audit Controls

We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All Amalia customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed.

Membership within Amalia is handled at the organization level. Each Amalia user should have their own account and can choose their own personal preferences and notifications settings. Access to organizations is dictated by role:

  • Admin
  • Manager
  • Member

For any organization on a Amalia plan, the project administration portal is the hub for seeing and managing users and usage. The member list includes the username, email, status, added date, teams, and role for each user. The admin or owner can revoke access by organization, or team and change the user role. Additionally, the admin can request login and password history and revoke passwords and active sessions for any user via request to Amalia Support.

Secure Application Development

Each day, new versions are deployed on the Amalia platform. We are constantly delivering secure upgrades. Each version incorporates the most limited scope possible in order to mitigate risks. We implement progressive upgrade deployments in order for each new version of the application to be tested before online visitors are introduced to it. In case of a problem with the newly deployed version, the automated verification system will cancel it, preventing visitors from seeing it.

Corporate Security

Security Policies

Amalia maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Amalia Enterprise customers upon request:

  • Information Security
  • Risk Management
  • Security Incident Response
  • Vulnerability Management
  • Policy Management and Maintenance
  • Data Request
  • Change Management
  • System Access

Security Training

All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training.

All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation. Any change to policy affecting the product is communicated as a pull request, such that all engineers can review and contribute before internal publication. Major updates are communicated via email to all Amalia employees.

Drive your company's growth with Amalia