Security Best Practices
Learn about the security practices with regards to cloud infrastructure
Data Storage | Confidentiality & Security Controls | Monitoring & Logging
Cloud Hosting, Architecture and Configurations
Applicable to customers on any plan
This document outlines a curated set of proven best practices designed to prevent security incidents in data app builders like Cliosight.
This is not the final version of this document. Once we start operating at a significantly large scale, we will align with prevailing industry standards such as SOC 2 Type 2, or any successor or superseding standard.
We take the security of your data very seriously at Cliosight.
If you have additional questions regarding security, we are happy to answer them.
Please write to support@cliosight.co.in and we will respond as quickly as we can.
This Security Best Practices page describes the administrative, technical and physical controls applicable to
Cliosight's data app builder and customizations provided as a paid IT service.
Cloud-Based Services
All Cliosight services are operated on a multitenant architecture at both the platform and infrastructure layers that is designed to segregate and restrict access to any applications, workflows or processes you and your users build using the Cliosight services. This infrastructure is provided and hosted by Amazon Web Services, Inc. ("AWS"). Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.
Dedicated Hosting Services
For dedicated hosting services available to our Enterprise customers, data apps are hosted using our cloud infrastructure or on-premises — so that you and your users can build data application widgets in ours or your own virtual private cloud (VPC) or behind your virtual private network (VPN). In provisioning a self-hosted account of the Cliosight services, our self-hosted image is built with the latest upstream version of Debian with the latest security patches, and updates on a daily-basis. This is a long-term provision and not available in the coming months.
Database, Query and Workflow Configurations
Whether using Cliosight's cloud-based or self-hosted database services, you and your users may submit data and content to your apps ("Customer Data"), for example by querying a database or automating a workflow. You have the option to build and use custom apps without connecting them to any in-built database, or alternatively, you have the ability to connect these apps to your own databases, or databases hosted by third parties.
Storage of Customer Data
Cliosight Cloud Services
Cliosight's storage of Customer Data primarily depends on whether you connect a data app to a database provided by Cliosight, in which case Cliosight will store Customer Data using third-party infrastructure. When you instead connect a app to your own database or data resource or that of a third party, Cliosight does not store Customer Data but rather proxies requests to that database and applies the credentials server-side. The Cliosight services are architected this way because having the end-user's browser connect directly to the database would require you to provision every user individually, rather than just the Cliosight server, which would potentially expose credentials. Other features, functionality, and products of the Services may also require Cliosight to store Customer Data.
Dedicated Servers and External Datasources
If you use on-premise deployment of Cliosight, no systems store Customer Data and no Cliosight personnel have technical or logical access to that data. Only Usage Information (as defined in the Agreement) is shared with us. As mentioned, this is a long-term scenario and not available in the coming months.
Confidentiality and Security Controls
Confidentiality
Cliosight places strict controls over its employees' access to custom apps and any associated Customer Data. The operation of the Cliosight services requires that some employees have access to the systems which store or process this information and data. For example, in order to diagnose a problem you are having with our services, we may need to access your account. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to your account is logged. All of our employees are bound to our policies regarding confidentiality and we treat these issues as matters of the highest importance within our IT services provider.
Protection of Customer Data
While the protection of Customer Data is a joint responsibility between you and Cliosight,
Cliosight will implement and maintain appropriate technical and organizational measures designed to
protect your
Customer Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure
when stored or
processed using the Cliosight services. The Cliosight services have a number of security controls, including
but not limited to:
Audit logging. Detailed audit logs are available to administrators
(admin) of your account if you are on the Professional or Enterprise plan.
We log every time an account signs in, noting the type of device used and the IP address of the
connection.
Admins can review consolidated access logs for their whole team. More information about access logging
is available in our documentation.
Access Management. Admins can remotely disable users authenticated to
the Cliosight services, on demand. More information about access management is available in our
documentation.
Host Management. We will perform automated vulnerability and malware
scans on our production hosts and platform endpoints, and promptly triage or remediate any findings that
present a risk to our environment.
We enforce screen lock-outs and the use of full disk encryption for company laptops.
Network Protection. In addition to sophisticated system monitoring
and logging, we will implement two-factor authentication for all server access across our production
environment.
Firewalls are already configured according to industry best practices, using AWS security groups,
network segmentation, and real-time intrusion monitoring.
Product security practices. New features, significant functionality,
and design changes go through a security review process facilitated by the security team.
In addition, our code is audited with automated static analysis software, tested, and manually
peer-reviewed prior to being deployed to production.
The security team works closely with development teams to resolve any additional security concerns that
may arise during development.
Cliosight will also operate a vulnerability disclosure program, as soon as we receive support.
Security professionals will continuously test the security of the Cliosight services, and report issues
via the beta tester program.
Data Encryption
The Cliosight services use industry-accepted encryption products to protect Customer Data during transmissions between your network and the Cliosight services, and when at rest. The Cliosight services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Cliosight monitors the changing cryptographic landscape closely and works promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, Cliosight does this while also balancing the need for compatibility with older datasources.
Reliability, Backup, and Business Continuity
Cliosight is committed to making it a highly available service that you can rely on. The infrastructure Cliosight uses for delivering the services run on systems that are fault-tolerant, for failures of individual servers or even entire data centers. Cliosight's operations team tests disaster recovery measures regularly and has a 24-hour on-call team to quickly resolve unexpected incidents. Cliosight performs regular backups, facilitates rollbacks of software and system changes when necessary and will replicate of data as needed, once we are well placed. Customer Data, when stored by Cliosight, is done so redundantly in multiple locations in our hosting provider's data centers to ensure availability. Cliosight has well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data, Custom Apps and our source code are automatically backed up every night and stored for seven days. The operations team is alerted in the event of a failure in this system. Backups are stored for seven days in the event of a catastrophic failure and fully tested at least every 90 days to confirm that Cliosight's processes and tools work as expected.
Portability of Custom Apps
During the term of a subscription, your admin may import and export data apps, as further described in our template on Data Engineering, but please be advised that there may be technical constraints to such portability and any subsequent compatibility and utility. Also this is a premium feature that will be available in a later version of the product.
Return of Customer Data
Within 30 days post contract termination, you may request return of Customer Data stored by Cliosight (to the extent such data has not already been deleted by you). Information about the export capabilities of the Cliosight services can be found by reaching out to our data protection team at support@cliosight.co.in.
Deletion of Custom Apps and Customer Data
The Cliosight services provide the option for administrators to delete Custom Apps and all associated Customer Data stored by Cliosight at any time during a subscription term. Within 24 hours of administrator-initiated deletion, Cliosight hard deletes all Custom Apps and Customer Data from currently running production systems. Cliosight-maintained backups of services and data are destroyed within 30 days (backups are destroyed within 30 days, except that during an on-going investigation of an incident such period may be temporarily extended).
Monitoring, validation, and practices
Certifications
Cliosight will align with prevailing industry standards such as SOC 2 Type 2, or any successor or superseding standard once we start operating at a significantly large scale.
Audits
To verify that our security practices are sound and to monitor the services for new vulnerabilities discovered by the security testing community, the Cliosight services will undergo security assessments by internal personnel, and for the Cliosight services by respected external security firms who perform regular audits of our services. In addition to periodic and targeted audits of the Cliosight services, we also employ the use of continuous hybrid automated scanning of our web platform at a later time.
Intrusion Detection
Cliosight or an authorized external entity, will monitor all our services and endpoints. Endpoints are monitored through continuous malware and anomaly detection. Cliosight-hosted cloud environments are logged and alerted 24/7 for suspicious or known malicious activity using AWS security services. Logs are also reviewed manually at least every 90 days.
Security Logs
Systems used in the provision of the services log information to their respective system log facilities or a centralized logging service
(for network systems) in order to enable security reviews and analysis. Cliosight maintains an extensive centralized
logging environment in the production environment which contains information pertaining to security, monitoring, availability,
access and other metrics about the services. These logs are analyzed for security events via automated monitoring software, overseen by the security team.
Incident Management: Cliosight maintains security incident management policies and procedures.
Cliosight notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by
Cliosight or its agents of which Cliosight becomes aware to the extent permitted by law.
Cliosight typically notifies customers of significant system incidents by email.
Personnel Practices
Cliosight conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Cliosight services.