Security Controls
Octocom measures and policies for maintaining high security standards

| Item | Description |
|---|---|
| Auto Scaling | Our infrastructure auto-scales to maintain high availability and support demand |
| Backups and monitoring | On an application level, we produce audit logs for all activity, ship logs to ELK for analysis and use Azure storage for archival purposes. All actions taken on production consoles or in the Octocom application are logged. |
| Denial of Service (DoS) Protection | Octocom has measures to protect against Denial of Service (DoS) attacks. |
| Disaster Recovery | Octocom was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 Azure availability zones and will continue to work should any one of those data centers fail. |
| Embargoed Countries Respected | We block access to our product from an embargoed country based on the IP of the user. |
| Least privilege | Azure Security Groups employed for our infrastructure are baselined regularly to maintain least privilege. IAM roles granted to Octocom employees for our Azure production environment are baselined on a regular basis to maintain least privilege. |
| Network segmentation | Network segmentation is implemented to separate sensitive systems and data from general user access networks. |
| Real-time monitoring and detection | An endpoint monitoring tool / agent is deployed on all endpoints (corporate and production) to provide real-time monitoring, detection, and automated response to threats. |
| Virtual Private Cloud | All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. |

| Item | Description |
|---|---|
| Background checks | Octocom performs background checks on all new employees in accordance with local laws. |
| Employee confidentiality | All employee contracts include a confidentiality agreement. |
| Endpoint encryption | All corporate devices are encrypted to protect data in case of loss or theft. They can be remotely wiped to prevent data leakage if a device is compromised or lost. |
| Endpoint management | We push updates to employee laptops such that they are on the latest, patched version of their required operating system. We require the use of a managed browser with only an approved set of browser extensions to ensure that only devices meeting our security standards can access our IDP and the applications secured by it. This control ensures that access to critical systems is restricted to compliant and secure devices, enhancing our overall security posture. |
| Endpoint protection | All corporate laptops are configured with endpoint protection (EPP) with procedures in place to ensure infected machines cannot access our systems. |
| Mandatory security awareness training | All employees undergo mandatory security awareness training on an annual basis. Certain higher-risk roles go through additional annual training specific to their role and its associated risks. |

| Item | Description |
|---|---|
| Anti-abuse | Sign-ups to the Octocom product are fingerprinted, assessed for risk, and blocked or allowed to continue as necessary. |
| Customer Best Practices | There are security features you can leverage to increase the security of your Octocom workspace. |
| Customer Data Portability | Customers can easily export and delete their data in compliance with GDPR and other data protection regulations. |
| Data Retention and Disposal Policies | Workspace data is deleted within 30 days of a workspace being electively deleted by its teammates. Workspaces and all related data are deleted after 180 days of inactivity. |
| Encryption | Octocom is served 100% over HTTPS. All data sent to or from Octocom is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm. |
| Multi-tenancy data protections | Safeguards are in place such that data from one Octocom workspace can never be used or displayed within another workspace. |
| Permissions | Permission levels can be set for your teammates within the app. Permissions can cover app settings, billing, user data, or the ability to send or edit messages. |
| Product inbound email scanning | We scan the content of all inbound email into the Octocom app to limit the chances of customers receiving spoofed email, malware, or phishing attempts in their inbox. |
| Upload scanning | Teammates and owners of an Octocom workspace can see the critical and breaking changes performed by teammates on their workspace. |
| SSO & 2FA | You can configure Octocom with SAML Single Sign-On (SSO) using Okta, OneLogin or another identity provider. We also provide support for Google SSO. If you're using password-based authentication, you can turn on 2-factor authentication (2FA). More details are available in our docs. |
| Password complexity | Octocom enforces a password complexity standard, and credentials are stored using a password-based key derivation function (bcrypt). |

| Item | Description |
|---|---|
| Code Review | Each pull request to the Octocom code repositories must undergo a peer review before it can be accepted and merged. |
| Incident Response Coverage | A member of the security team is always online and checking for alerts, either through general on-call or out-of-hours coverage. |
| Incident Response Process | Octocom implements a protocol for handling security events which includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies. Security incidents and suspected security breaches are reported to the relevant authorities as necessary. |
| On-call coverage | A member of engineering is on-call 24/7 to respond to alerts and pages. They can escalate directly to a security team member as needed. |
| Security Policies | Octocom has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees. |

| Item | Description |
|---|---|
| Encryption at rest | We encrypt data at rest using the industry-standard AES-256 encryption algorithm. |
| Customer Data Portability | Customers can easily export and delete their data in compliance with GDPR and other data protection regulations. |
| Data Retention and Disposal Policies | Workspace data is deleted within 30 days of a workspace being electively deleted by its teammates. Workspaces and all related data are deleted after 180 days of inactivity. |
| Employee access control policies | Access to customer data is limited to authorized employees who require it for their job. Any exceptional access to customer data happens with the consent of the customer and must be reviewed afterwards by the manager of the employee's engineering team, with a business need supplied. |