Infrastructure & Data Center Security
Vizdum’s product is hosted with the world’s leading data center providers. We ensure that the machines within the Vizdum infrastructure are protected from the ground up. We use Amazon Web Services (AWS) for our hosting. AWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built in. Cloud security at AWS is job zero. All AWS customers benefit from a data center and network architecture built to satisfy the requirements of the most security-sensitive organizations.
Access to these data centers is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24 x 7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance and other electronic means. All physical and electronic access to data centers by Amazon employees is authorized strictly on a least-privilege basis and is logged and audited routinely.
AWS maintains an impressive list of reports, certifications and independent assessments - including ISO 9001, PCI DSS Level 1, SOC1, SOC2, SOC3, the EU Data Protection Directive (Directive 95/46/EC) among others - to ensure complete and ongoing state-of-the-art data center security. They've devoted an entire portion of their site to explaining their security measures and compliance certifications.
Vizdum employees do not have physical access to our servers in AWS. Electronic access to AWS servers and services is restricted to a core set of approved Vizdum staff only through strict AWS Identity & Access Management (IAM) rules.
Network / Access Security
All servers are firewalled to permit only the minimum traffic necessary to run the service. Server machines are further hardened to lock down all ports and allow inbound access from the public only through specific ports. Remote connectivity is allowed only from restricted network addresses trusted by Vizdum.
AWS uses network devices, including firewall and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL) and configurations to enforce the flow of information to specific information system services.
AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding and software/logic attacks. The AWS network provides significant protection against traditional network security issues such as DDoS attacks, MITM attacks, IP spoofing, port scanning, packet scanning, etc.
In addition to monitoring, regular vulnerability scans are performed on the host operating system, web application and databases in the AWS environment using a variety of tools. Also, AWS security teams subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches.
Alerts for any potential threats are escalated to the Vizdum engineering team.
Product & Application Security
We have implemented strong encryption via TLS 1.2 throughout our application. Encrypting traffic in transit minimizes the chance of someone intercepting username/password combinations or other sensitive information.
We adhere to industry best practices throughout the code lifecycle to prevent gaps in the security policy of the application and the underlying systems and to prevent common web attack vectors. We always thoroughly test new features in order to rule out potential attacks such as CSRF, XSS and SQL injection, among others.
Automated static code analysis, using an industry-leading solution, alongside human review ensures development best practices are implemented across our thousands of monthly code pushes.
Vizdum also maintains a robust application audit log and alerting that covers security events such as user logins and configuration changes.
We constantly improve our security policies as the threat landscape changes. Our engineering team continuously monitors ongoing security, performance and availability. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.
When a potential security vulnerability is reported, it is handled with the highest priority until properly addressed.
Our infrastructure is hosted on Amazon AWS, which operates state-of-the-art, highly available data centers. Amazon AWS services are hosted in multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area, and each region has multiple, isolated locations known as Availability Zones. Amazon AWS provides the ability to place resources, such as instances and data, in multiple locations.
Through AWS configuration we ensure 99.95% monthly uptime to customers. To avoid a single point of failure in the web/app layer, we follow the common practice of running our web/app layer as a web farm of EC2 instances spanning multiple Availability Zones connected through low-latency network links. This is more fault tolerant than a single-EC2-instance design and offers better application stability.
We also use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.
Data Redundancy & Backups
Although rare, failures can occur that affect the availability of data repositories located in the same place. To mitigate such failures, we replicate our data repositories across multiple Availability Zones in different regions. We ensure that all customer data is replicated and regularly backed up.
All downtime and maintenance announcements are made to customers on the application's landing page and are also displayed in the announcement section of Vizdum’s site.
Data & Privacy Protection
Passwords are filtered from our logs and are one-way hashed in the database using the salted bcrypt hash function. Login information is always sent over SSL.
Vizdum cannot view any of your credentials; if you lose your password, you must go through the reset procedure before your account is accessible again.
Third-Party Service User Credentials
We store the configuration details for your connections (integrations) to the various third-party services. The service provider passwords, OAuth tokens and third-party API keys are encrypted with a per-user salt and stored in our database. You can completely revoke Vizdum's access to a service at any time.
Widgets Data Protection
Once a widget is created, we only store the configuration options needed to drive the widget.
Since we provide data archiving services to the user, we do store user data aggregates such as website hits from Google Analytics, number of Facebook likes, data fetched by custom widgets and so on. We store all such data in Amazon DynamoDB, which is strictly secured through identity-based permission policies.
Fine Grained Access Control (FGAC) gives a DynamoDB table owner a high degree of control over data in the table. Specifically, the table owner can indicate which caller can access which items or attributes of the table and which actions (read or write) they may perform. FGAC is used in concert with AWS Identity and Access Management (IAM), which manages the security credentials and the associated permissions.
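As an added illustration of the FGAC mechanism described above (not Vizdum's actual policy), the IAM policy below allows a caller to read and write only the items whose partition key equals the caller's own IAM user name, and only the listed attributes. The region, account id, table name and attribute names are placeholders chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OwnItemsAndListedAttributesOnly",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/WIDGET_DATA_TABLE",
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${aws:username}"],
          "dynamodb:Attributes": ["UserId", "WidgetId", "MetricName", "MetricValue", "FetchedAt"]
        },
        "StringEqualsIfExists": {
          "dynamodb:Select": "SPECIFIC_ATTRIBUTES",
          "dynamodb:ReturnValues": ["NONE", "UPDATED_OLD", "UPDATED_NEW"]
        }
      }
    }
  ]
}
```

`dynamodb:Scan` is deliberately left out because a scan is not constrained by a leading key and would expose every user's items; the `dynamodb:Select` and `dynamodb:ReturnValues` conditions stop a request from pulling back attributes outside the allowed list.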
All Vizdum web application communications are encrypted over TLS 1.2, so they cannot be read by a third party; this is the same level of encryption used by banks and financial institutions (which is why your dashboard, for instance, is served over HTTPS).
Payment / Transaction Security
When you purchase a paid Vizdum subscription, your credit card data is neither transmitted through nor stored on our systems. All of Vizdum’s credit card processing is handled securely by Stripe - a company dedicated to this task. Stripe is a technology company that allows both private individuals and businesses to accept payments over the Internet. Stripe focuses on providing the technical, fraud prevention, and banking infrastructure required to operate online payment systems.
Vizdum ensures that all customer data is swiftly erased from the system upon termination or at end of service. The erasure takes place within the period specified in the SLA.
Security and Privacy Features Available in Vizdum
The highest security risk to any system is usually the behavior of its users. We provide you with the tools you need to protect your own data. These Vizdum features have been designed keeping in mind stringent, enterprise-level security requirements.
User and Admin Account Security
We provide a role-based administration system for user accounts. There are 2 roles, read-only user and admin, each with different permissions. More details are available on read-only user and admin accounts.
Dashboard URL Security
Dashboard URLs are generated using a cryptographic hash and are practically impossible to guess. Thus, access to even publicly shared dashboards is virtually impossible without explicit access to the sharing URL.
Using Vizdum from behind firewalls
Vizdum is a cloud-based SaaS service designed to work out of the box from behind firewalls and proxies. Therefore, your existing security is left altogether intact.
In case of very strict firewalls, or for integrations and custom widgets that require access to protected resources within your network, please whitelist Vizdum's IP addresses. This will ensure seamless access to Vizdum and all of its functionality.
Employee Access and Security
We regard your business metrics as private and confidential to your team.
Our production environment is completely separate from the other environments, including development and QA. AWS provides sophisticated Identity and Access Management (IAM) to control access to its resources. Individually identifiable RSA key pairs are used for SSH access, and root login is disabled. This ensures a complete audit trail from an action back to the specific individual who triggered that action.
Vizdum employees are granted access to systems and data based on their role in the company or on an as-needed basis.
Access to customer data by Vizdum employees is only used to assist with support and to resolve customer issues. For such cases we will get your explicit consent each time. Violation of this policy is a serious matter requiring investigation and appropriate disciplinary action up to and including termination as well as legal action.
When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.