Security
Security is at the heart of what we do for our customers, so naturally we care deeply about our own security and compliance. Ariksa holds a SOC 2 Type II attestation, based on the continuous enforcement, through technology, people and processes, of the controls required to secure our operating environments from development through production.
Our approach to security, governance and risk management is driven by our own philosophy of proactive controls and secure-by-default configuration. To that end, we implement the following:
LEAST PRIVILEGE MANAGEMENT
We enforce least privilege for all employees and throughout the software lifecycle, from development to production. Our product follows the same principle for every feature, so that the permissions it requests are constrained to its purpose. Employee and developer access is governed by RBAC and/or ABAC rules: access is granted only on a need-to-know basis, with the least privileges required for the task, and in a way that also enforces separation of duties.
NETWORK SECURITY
Ariksa's production services run on leading Cloud Service Providers (CSPs) such as AWS and Google Cloud. We use the CSPs' virtual private cloud (VPC) capabilities to define our network perimeter, in addition to web application firewalls and other network security controls that restrict both inbound and outbound traffic. Ariksa web traffic sent over the public internet is encrypted in transit using TLS 1.3.
VULNERABILITY MANAGEMENT
All code, including third-party libraries and packages, is scanned periodically for vulnerabilities. We practice secure software development with code reviews and code-scanning tools so that fixes for vulnerabilities are merged early in the software lifecycle rather than after release. Additionally, the container images and virtual machine images we ship to customers are scanned periodically and patched when vulnerabilities are found.
API SECURITY AND ACCESS
Our APIs follow modern best practices for authentication and authorization. API calls are authenticated using short-lived credentials that are rotated frequently, so that a leaked or misused credential is valid only for a bounded window.
DATA PROTECTION
Our team applies cryptographic controls when processing and storing data, and performs encryption in accordance with industry standards. All data at rest is encrypted with AES-256. Data backups are taken on a daily and weekly basis, and all backups are encrypted. All API traffic and other data in motion is encrypted using TLS 1.3.
RESPONSIBLE DISCLOSURE PROGRAM
We take the security of our customers very seriously, which is why we carry out rigorous testing and strive to write secure, clean code. Despite our testing and QA, bugs still occur. For this reason, we encourage the community to responsibly disclose any bugs or security issues. Please send reports to security@ariksa.com.