Security Policy
At Specmatic, we prioritize the security and privacy of our customers’ data. Our security policy outlines the measures we take to protect the data and ensure the reliability of our service. Specmatic is hosted on AWS, utilizing the robust security features provided by AWS to safeguard our infrastructure.
1. Risk Profile
- Non-Critical Path: Specmatic is not on the critical path for your production systems, ensuring that any issues with our service will not directly impact your production environment.
- No Data Consumption: Specmatic does not consume any data from your production systems, further minimizing any risk associated with data breaches or misuse.
- Low Risk: Given that Specmatic is primarily a tool used during development and testing, and that it operates independently of your production data and systems, the overall risk profile of using our service is very low.
2. Data Protection and Privacy
- Data Encryption: All data in transit is encrypted using TLS (Transport Layer Security). Data at rest is encrypted using AES-256.
- Data Isolation: Customer data is logically segregated to ensure data privacy and protection.
3. Infrastructure Security
- Hosting: Specmatic is hosted on Amazon Web Services (AWS), specifically in the US East (N. Virginia) Region. Read more on the security controls within the AWS data center.
- Access Control: We employ strict access control policies. Access to our infrastructure is restricted to authorized personnel only, using multi-factor authentication (MFA).
- Documentation and Change Control: We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process over what is released to customers.
4. Application Security
- Secure Development Practices: Our development process follows industry best practices, including code reviews, automated testing, and static analysis to identify and mitigate vulnerabilities.
- Authentication and Authorization: We implement robust authentication and authorization mechanisms to ensure that only authorized users can access our services.
- Input Validation: We enforce strict input validation to prevent common vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Vulnerability Management: We regularly scan our applications for vulnerabilities and apply security patches promptly.
5. Security by Design
- Proactive Security: We integrate security considerations into every phase of our development lifecycle, from design to deployment, ensuring that security is a foundational aspect of our product.
- Threat Modeling: We perform regular threat modeling exercises to anticipate and mitigate potential security risks before they become issues.
6. Defensive Programming
- Code Practices: Our developers follow defensive programming practices, including validating inputs, handling errors gracefully, and avoiding the use of insecure functions.
- Security Testing: We conduct regular security testing, including static and dynamic analysis, to identify and address potential vulnerabilities in our code.
7. Network Security
- Firewalls and Monitoring: Our network is protected by firewalls, and we continuously monitor for suspicious activity.
- Intrusion Detection: We use intrusion detection systems (IDS) to detect and respond to potential security threats.
8. Incident Response
- Incident Management: We have a comprehensive incident response plan. In the event of a security incident, we will notify affected customers promptly and take appropriate measures to mitigate the impact.
- Continuous Monitoring: Our systems are continuously monitored for signs of security incidents.
- Intrusion Detection and Threat Protection: We run a number of real-time and retrospective threat detection, pen testing and analysis tools, connected to our alerting and notifications platform, to proactively monitor suspicious or unusual behavior.
9. Compliance
- Regulatory Compliance: We comply with relevant industry standards and regulations to ensure the highest level of security for our customers.
- Third-Party Audits: We regularly undergo third-party security audits and assessments online to validate our security posture.
- PCI Obligations: Specmatic is not subject to PCI obligations as we do not process any online payments.
10. SLAs
We provide an uptime guarantee of 99.9%, protected by our terms and conditions.
Recovery objectives
- Recovery time objective (RTO): 8 hours
- Recovery point objective (RPO): 1 hour
11. Employee Training
- Security Awareness: All employees undergo regular security awareness training to stay informed about the latest security threats and best practices.
- Access Management: Employee access to customer data is granted on a need-to-know basis, especially for support-related duties, and is regularly reviewed.
12. Customer Responsibilities
- Strong Passwords: We recommend that customers use strong, unique passwords and enable multi-factor authentication (MFA) for their accounts.
13. Contact Information
If you have any questions about our security policy or need to report a security incident, please contact us at [email protected].
14. Updates to this Policy
We may update this security policy from time to time to reflect changes in our practices or regulatory requirements. We encourage customers to review this policy periodically.