Security Controls
Octocom measures and policies for maintaining high security standards
Infrastructure security
Auto Scaling
Our infrastructure auto-scales to maintain high availability and to support demand.
Backups and monitoring
On an application level, we produce audit logs for all activity, ship logs to ELK for analysis and use Azure storage for archival purposes. All actions taken on production consoles or in the Octocom application are logged.
Denial of Service (DoS) Protection
Octocom has measures to protect against Denial of Service (DoS) attacks.
Disaster Recovery
Octocom was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 Azure availability zones and will continue to work should any one of those data centers fail.
Embargoed Countries Respected
We block access to our product from embargoed countries based on the user's IP address.
Least privilege
Azure Security Groups employed for our infrastructure are baselined regularly to maintain least privilege. IAM roles granted to Octocom employees for our Azure production environment are baselined on a regular basis to maintain least privilege.
Network segmentation
Network segmentation is implemented to separate sensitive systems and data from general user access networks.
Real-time monitoring and detection
An endpoint monitoring tool/agent is deployed on all endpoints (corporate and production) to provide real-time monitoring, detection, and automated response to threats.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.
Organizational security
Background checks
Octocom performs background checks on all new employees in accordance with local laws.
Employee confidentiality
All employee contracts include a confidentiality agreement.
Endpoint encryption
All corporate devices are encrypted to protect data in case of loss or theft. They can be remotely wiped to prevent data leakage if a device is compromised or lost.
Endpoint management
We push updates to employee laptops so that they run the latest patched version of their required operating system. We require the use of a managed browser with only an approved set of browser extensions, so that only devices meeting our security standards can access our IDP and the applications secured by it. This control restricts access to critical systems to compliant and secure devices, enhancing our overall security posture.
Endpoint protection
All corporate laptops are configured with endpoint protection (EPP) with procedures in place to ensure infected machines cannot access our systems.
Mandatory security awareness training
All employees undergo mandatory security awareness training annually. Certain higher-risk roles receive additional annual training specific to the role and its associated risks.
Product security
Anti-abuse
Sign-ups to the Octocom product are fingerprinted, assessed for risk, and blocked or allowed to continue as necessary.
Customer Best Practices
There are security features you can leverage to increase the security of your Octocom workspace.
Customer Data Portability
Customers can easily export and delete their data in compliance with GDPR and other data protection regulations.
Data Retention and Disposal Policies
Workspace data is deleted within 30 days of a workspace being electively deleted by its teammates. Workspaces and all related data are deleted after 180 days of inactivity.
Encryption
Octocom is served 100% over HTTPS. All data sent to or from Octocom is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
Multi-tenancy data protections
Safeguards are in place such that data from one Octocom workspace can never be used or displayed within another workspace.
Permissions
Permission levels for your teammates can be set within the app. Permissions can cover app settings, billing, user data, or the ability to send or edit messages.
Product inbound email scanning
We scan the content of all inbound email into the Octocom app to limit the chances of customers receiving spoofed email, malware, or phishing attempts in their inbox.
Upload scanning
Teammates and owners of an Octocom workspace can see the critical and breaking changes performed by teammates on their workspace.
SSO & 2FA
You can configure Octocom with SAML Single Sign-On (SSO) using Okta, OneLogin or another identity provider. We also support Google SSO. If you're using password-based authentication, you can turn on two-factor authentication (2FA). More details are available in our docs.
Password complexity
Octocom enforces a password complexity standard, and credentials are stored using a password-based key derivation function (bcrypt).
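The two halves of this control, a complexity check before a password is accepted and a salted, work-factored derivation before it is stored, look like the following. This is an added example, not Octocom's code: the rule set is constructed, and it uses the standard library's PBKDF2-HMAC-SHA256 in place of bcrypt to show the same pattern (per-user random salt, tunable cost, constant-time verification, re-hash on cost upgrade) without a third-party dependency.

```python
import hashlib
import hmac
import os
import re

# Work factor for PBKDF2-HMAC-SHA256. Octocom uses bcrypt; this example swaps in
# the standard library's PBKDF2 to demonstrate the same storage pattern.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def check_complexity(password: str, min_length: int = 12) -> list[str]:
    """Return the list of failed complexity rules; an empty list means acceptable.

    The rules below are a constructed example, not Octocom's actual standard.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    return failures


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storable record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per credential means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str):
    """Split a stored record into (iterations, salt, digest) or return None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when the record predates the current work factor (or is unreadable),
    so the application should re-hash at the next successful login."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    pw = "Correct-Horse-Battery-9"  # constructed sample password
    assert check_complexity(pw) == []
    record = hash_password(pw)
    print(record)
    print("verify:", verify_password(pw, record))
    print("needs rehash:", needs_rehash(record))
```

The work factor is the tunable part: it is stored inside the record so that raising it later does not invalidate existing credentials, and `needs_rehash` lets the application upgrade each record transparently the next time the user logs in.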
Internal security procedures
Code Review
Each pull request to the Octocom code repositories must undergo a peer review before it can be accepted and merged.
Incident Response Coverage
A member of the security team is always online and checking for alerts, either through general on-call or through out-of-hours coverage.
Incident Response Process
Octocom implements a protocol for handling security events that includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies. Security incidents and suspected security breaches are reported to the relevant authorities as necessary.
On-call coverage
A member of engineering is on-call 24/7 to respond to alerts and pages. They can escalate directly to a security team member as needed.
Security Policies
Octocom has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Data and privacy
Encryption at rest
We encrypt data at rest using the industry-standard AES-256 encryption algorithm.
Employee access control policies
Access to customer data is limited to authorized employees who require it for their job. Any exceptional access to customer data happens with the consent of the customer and must afterwards be reviewed by the manager of the employee's engineering team, with the business need documented.