LAST REVIEWED AND UPDATED SEPTEMBER, 2023
We take data security seriously, and Vind AI is committed to delivering a platform that meets the needs of our customers and the industry. Data security covers access control, authentication and authorization, how your data is protected against fraud and attacks, the physical security of hardware, and organizational policies and procedures. We want you to take full advantage of what web-based software enables in terms of productivity and usability, which is why data security is our top priority.
We are aware that, at this time, we do not hold a SOC 2 or comparable certification. This does not reflect a lack of security rigor; it reflects our current phase of growth and maturity. To reinforce our commitment to safeguarding data and maintaining high security standards, we carefully select and use only third-party services that are compliant with SOC 2 and ISO 2700x standards. For instance, integral components of our infrastructure, such as Amazon Web Services (AWS), GitHub, Auth0, and Ably, all meet these stringent standards, so they too reflect our commitment to maintaining robust security.
The Vind AI platform safeguards customer data using a variety of mechanisms:
Databases that persistently store customer data are hosted by AWS and located in the EU (Ireland), specifically in the eu-west-1 region. The data center in use is SOC 1, SOC 2 and SOC 3 compliant.
Server-side encryption is enabled for all customer data in the data center, using the AES-256 encryption standard and fully managed by AWS. Vind AI also ensures that backup strategies are in place, with backups available at least 30 days back in time. Backups are fully managed by AWS, with point-in-time recovery enabled, so there is little to no uncertainty about the quality of the backups.
For information on AWS security and compliance, refer to the following links:
All data and communication with our services in AWS data centers is sent over HTTPS and encrypted in transit. Our APIs are protected with authorization schemes, tested by third-party consultants specializing in penetration testing. Data flows from the APIs to the databases, where it is encrypted at rest. Data from different Teams and Projects is logically separated.
We have support for SSO with SAML and Azure AD/Entra ID. Read more about that here.
Vind AI uses token-based authorization, implemented with trusted tools and best practices, including all available measures to ensure safe operation. To access the system, the user must be authenticated. Authentication is handled by Auth0, a recognized third-party provider holding certifications such as SOC 2 and ISO 27001. Once authenticated, the user is given a JWT that is valid for 10 minutes. The token contains the user's authorization information, which our authorizer systems use to restrict access to data at either team level or project level. After 10 minutes, a refresh token is used to request a new JWT. This refresh token is valid only for the specific device, and only once; we utilize the mechanisms of Auth0 to automatically detect if tokens are leaked, which Auth0 calls Refresh Token Rotation (RTR). Admin users can add and remove users from Teams and Projects; the access role is updated within 10 minutes, ensured by the short-lived JWTs and the use of RTR.
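To illustrate the token lifecycle described above, here is an added example (not Vind AI's or Auth0's code) that models a 10-minute HS256 JWT carrying team/project roles, plus single-use, device-bound refresh tokens where replaying a spent token revokes the whole token family, which is the reuse-detection behaviour Refresh Token Rotation provides. The key, user, device and role values are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 600  # access tokens live 10 minutes, as the page states

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_access_token(user: str, roles: dict, key: bytes, now: int) -> str:
    # roles is the authorization claim the API authorizer reads, e.g. {"team:42": "admin"} (constructed)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": user, "roles": roles, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_access_token(token: str, key: bytes, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > now else None

class RefreshTokenStore:
    """Single-use, device-bound refresh tokens; replaying a spent token revokes its whole family."""
    def __init__(self):
        self.live = {}        # token -> (user, device, family)
        self.spent = {}       # tokens already exchanged once -> family
        self.revoked = set()  # families invalidated after a replay was detected

    def issue(self, user: str, device: str, family: str = "") -> str:
        token = secrets.token_urlsafe(32)
        self.live[token] = (user, device, family or secrets.token_hex(8))
        return token

    def rotate(self, token: str, device: str):
        """Exchange a refresh token for a fresh one; returns (user, new_token) or None."""
        if token in self.spent:                  # replay of a consumed token: leak suspected
            self.revoked.add(self.spent[token])  # lock out the legitimate holder too
            return None
        entry = self.live.pop(token, None)       # a device mismatch also consumes the token
        if entry is None or entry[1] != device or entry[2] in self.revoked:
            return None
        user, _, family = entry
        self.spent[token] = family
        return user, self.issue(user, device, family)
```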
Vind AI implements measures at many levels to ensure that potential threats are detected:
We have several functions in place to ensure that changes to our IT systems do not introduce new vulnerabilities. We use CodeQL and GitHub for code scanning (SAST). Changes to the application are also reviewed by peers during internal reviews before being released to production. We test the Vind application, support systems, backends and authorization system automatically, using tools such as Checkly, to detect and notify us about any issues with the system.
Every application undergoes a risk assessment. Each resource used by the application is scrutinized, and potential attack vectors are assessed and minimized. This ranges from restricting access to specific sub-resources (least privilege) to decrypting security tokens at runtime instead of storing them as environment variables. The risk assessment is carried out continuously so that it reflects changes to the application. Applications run on hosts hardened by AWS by default.
In the event that a vulnerability is exploited, we have an incident response plan in place to quickly contain and rectify the issue. This includes communication plans to notify any affected parties as necessary. Vind implements the NIST Incident Response Framework, which includes the following phases:
Our team takes a proactive, systematic approach to identifying and managing information security vulnerabilities in our IT systems. Here is an overview of our processes:
New employees are introduced to our internal security routines for secure development, handling of confidential information, securing their laptops, and the use of password managers and multi-factor authentication.
Vind AI stores all personal information in compliance with GDPR. See our privacy notice for details here.
This document is for informational purposes only and represents Vind AI’s current product offerings, which are subject to change. The responsibilities and liabilities of Vind AI to its customers are controlled by Vind AI’s agreements, and this document does not create any warranties, representations, contractual commitments, conditions, or assurances from Vind AI, its affiliates, suppliers, or licensors.