Data and code security are a top priority for Zeitworks' technology and operations veterans. We take every measure to ensure customer data is secure and to prevent all unauthorized access. Zeitworks is committed to a policy of transparency about our security practices and measures, and welcomes all inquiries into our policies, methods, and configurations.
Zeitworks's security program is led by our CTO and is based on an approach that takes security into consideration in all of our technical and organizational activities. The CTO is supported by all members of the organization, who help ensure that we develop effective defense-in-depth security practices.
All Zeitworks customer data is encrypted at rest and in motion. In-motion encryption is provided by TLS 1.2 or 1.3 for all connections to our web servers and for all connections from our servers to other servers accessed via APIs. In addition, all communication from our web servers to data stores is encrypted using TLS 1.2 or 1.3. We employ the latest recommended secure cipher suites where possible. On systems where TLS 1.3 is currently available, both TLS 1.3 and TLS 1.2 are enabled; otherwise only TLS 1.2 is enabled.
At-rest encryption is provided for all data using built-in AWS disk encryption for S3, EBS, and RDS. Additionally, sensitive data that we detect as part of our service is further encrypted using AWS Key Management Service with the AES-256-GCM algorithm before being persistently stored.
Customer data is retained for a period based on customer preferences. This time period may be modified based on specific customer agreements. We delete customer data from production systems within one day of a deletion request. Backups of the deleted data age out on a 30-day schedule. AWS is responsible for ensuring that data is removed from physical disks in a responsible manner before those disks are repurposed.
All customer data is hosted in our AWS production environment in the US. Customer data never leaves this secure AWS production environment. All data operations are required to be conducted within restricted areas of the private cloud and VPN.
As part of our architecture, we trigger a redaction process as soon as your data arrives in our environment. This redaction detects a wide range of sensitive data, including PII, passwords, and credit card numbers. Any data passed downstream for further processing has already had this sensitive data redacted.
In addition to text data, we have a process that provides the same protection for sensitive data in screenshots. This system detects and redacts sections of the image that we determine contain sensitive data as soon as the image enters our system.
[Q3 2022] We’re componentizing the redaction system and designing the capability to run the redaction on a server supplied by the customer, inside their perimeter, ensuring no sensitive data leaves the customer’s premises or secure cloud environment.
Each customer's sensitive data is stored logically separate from other customers’ data. Unique data store access credentials and encryption keys are created for each customer.
We received SOC 2 Type 1 Certification on July 1st, 2022, and are currently engaged in obtaining SOC 2 Type 2 Certification. The SOC 2 Type 1 report is available to applicable parties on demand.
Zeitworks uses AWS Key Management Service and AWS Secrets Manager to manage programmatic encryption keys and secrets, and AWS IAM to manage user and programmatic access keys. Keys and secrets are rotated on a regular basis based on current industry best practice timelines.
We maintain separate AWS Organization accounts for our production and development environments. In addition, our production environment is segregated into multiple Virtual Private Clouds (VPCs) to isolate Internet-facing services from internal data stores and data processing services. Only a limited set of personnel have access to the production environment. Direct access to production data servers is protected by a VPN and IP-address firewall rules.
Network access to our production environment is also restricted, with only a small number of front-facing web load balancers accessible from the Internet. Only protocols necessary for the delivery of our service to our users are open at the perimeter.
All user access to Zeitworks systems is subject to the principle of least privilege and requires multi-factor authentication (MFA). We provision AWS IAM groups and roles with only the specific policies required for the user or system to perform its function.
Zeitworks employees who interact with your data must be specifically screened and authorized to do so.
We perform regular scans of our codebase and our AWS environments for vulnerabilities and misconfigured systems. These scans are performed using a mix of GitHub- and AWS-provided tools, third-party tools, and internally developed code. Remediation of discovered vulnerabilities occurs on a regular basis.
Our technical team rapidly investigates all reported security issues.
Zeitworks has comprehensive monitoring and compliance processes in place.
We perform monthly reviews of all user service accounts for acceptable password rotation and implementation of MFA. We also monitor accounts for anomalous access patterns.
We employ network monitoring and alerting technologies to detect anomalous network traffic in our AWS environments. Zeitworks also implements AWS Config for detecting unauthorized configuration changes in AWS.
We perform regular checks for compliance with internal policies such as our Acceptable Use Policy, Change Management Policy, Data Management Policy, and Patch Management Policy. We also conduct regular reviews of these policies to determine if they should be updated.
Every employee at Zeitworks undergoes security training as part of their onboarding process. Refresher training is held on a yearly basis for all employees. Technical staff undergo additional training in secure software development practices.
All Zeitworks employees are required to undergo and pass a security background check.
All Zeitworks customer data resides in our AWS production environment. Physical protections are entirely provided by AWS. AWS provides detailed information about their data center controls.
If at any time you have questions or concerns regarding the safety of your data, please contact our security team: firstname.lastname@example.org.
Last revised: July 1st 2022