Secure from Day 1

ClearFeed was built from the ground up by an experienced team with security, privacy, and compliance prioritized from day one.

AICPA SOC compliant

SOC2 Type 2 Certified

The most comprehensive certification that our system is designed to keep our customers’ sensitive data secure.

Secure encryption of data

All customer data is encrypted at rest and in transit, and access is protected behind your enterprise SSO.

Security Overview

Infrastructure Security

  • Our infrastructure is hosted on AWS in the us-east-1 region across three availability zones.
  • By default we block all traffic at a network level and only open specific ports as required to deliver the ClearFeed service.
  • Any escalated access to infrastructure requires a VPN connection or an allowlisted IP address, together with 2-factor authentication.
  • We use AWS GuardDuty to detect unusual traffic and unauthenticated access to our critical systems.
  • Host-based intrusion detection systems are in active use.

Data Encryption

  • All critical data that we store is encrypted at rest and in transit.

Failover and disaster recovery

  • All of our production infrastructure is built with redundancies in place, in highly available configurations spread over three different availability zones in the us-east-1 AWS region.
  • We have a disaster recovery plan which is reviewed every 6 months, and a tabletop exercise is conducted by management to verify that the plan is up to date.

Inventory and configuration

  • Infrastructure is kept as code using Terraform and other infrastructure-as-code tools, with changes going through a review process very similar to the application-level software development process. We use separate infrastructure for development, staging and live environments, with no sharing of data between environments.

Identity and Access Control

  • Access to all of our critical systems requires 2FA to sign in.
  • Access to customer data is limited to authorized employees who require it for operational and maintenance activities.
  • Access to sensitive production data is limited to just the devops team.

Monitoring and logging

  • We monitor infrastructure and application performance extensively, which usually allows us to detect issues before many customers experience them.
  • Automated alerts are set up with the help of Sentry. All alerts are acknowledged within 10 minutes.

Penetration Testing

  • We perform annual application-level penetration tests via an independent third party.
  • Our aim is to fix any discovered critical issues within 2 business days, and high-severity issues within 30 business days.
  • Medium-severity and lower-severity issues are handled as part of ongoing security work.
  • Please email security@clearfeed.ai to get a copy of our penetration testing report.

Incident response

  • ClearFeed follows a protocol for handling security events and other operational issues, which includes escalation procedures, rapid mitigation, and post-mortems.
  • You can visit our status page to get updates on any potential issues, and even subscribe to automatic updates.

Compliance

  • ClearFeed is SOC2 Type 2 compliant.
  • To get a copy of our SOC2 compliance report, please email security@clearfeed.ai.

Security questions or issues?