Our infrastructure and your data are protected by a system of layers and failsafes, in policy and technical controls.
We secure data in customer-specific containers, and where required, in dedicated customer environments, to keep customer data separate and isolated.
We protect application data with strong cryptographic techniques. Information is secured with keys specific to the customer, and where possible, with customer end-to-end encryption. We use best-in-class AES-256-GCM encryption, PBKDF2 key derivation, and high-strength RSA public-key encryption.
We additionally secure Epi data with keys that we manage to protect data at rest on our servers with server-side encryption, rather than solely relying on cloud provider encryption.
We use infrastructure providers that provide strong security-of-the-cloud operations, like Amazon Web Services. We follow best cloud practices and industry-standard principles in our deployment to provide strong security-in-the-cloud operations.
All data is further protected by another layer of industry-standard security in transit with HTTPS encryption.
We employ secure code principles in all our development. We design, write and review code for its security and privacy implications. We use modern, open source libraries and industry-proven solutions. We evaluate and monitor supply chain dependencies for their actions. We deploy in secure environments and utilise tools like Content Security Policy (CSP) to protect clients and client data.
We believe in the principle of minimal access. Our staff only have access to what they need, for when they need it, and no more. Our identity and access management (IAM) infrastructure policies enforce this principle. Senior engineers, the CTO and the CEO are even limited in their capabilities in our cloud platform.
We evaluate prospective providers and select those with a reputation for privacy and security of customer data. We use strong authentication with all providers, including multi-factor authentication. We do not use third-party analytics or external telemetry providers to limit third-party tracking originating from your queries and data.