Security Features
Alteia is commited to achieving and maintaining the trust of our customers.
The strong security program in place is based on International Security Standards (ISS) in compliance with the General Data Protection Regulation (GDPR).
Everything we do is governed by a strict set of policies, procedures, and controls, including:
- Data encryption for all data in transit and within the platform.
- Applying security processes and protocols to our software development lifecycle.
- Granular role-based access controls that allow for full customization based on user-to-data, toolsets, and editing privileges.
- Audit tools that provide a detailed record of actions for every user within the platform and applications.
The ISO 27001 Standard Approach
Our robust security program is based on the ISO 27001 standard, which requires:
- The evaluation of threats and vulnerabilities by an independent third party.
- IT risk assessments.
- Issuance of an “Information Security Policy”.
- Establishment of a “Security Event Management Plan”.
Infrastructure Security Features
Audit controls - The Aether platform is audited every year. This audit evaluates the compliance of Aether platform architecture security according to company strategies.
Granular roles & permissions - At the Aether platform level, Alteia enables granular permissions, allowing for the assignment of privileges to specific roles and restricting system administrators from accessing user data. Only a small group of platform administrators can access all data.
Data Encryption - Aether is hosted on AWS. All data, both within the Aether platform and personal customer data, is systematically encrypted on an S3 level through the Key Management Service (KMS). The advantages of utilizing AWS are that it is:
- SOC2 compliant, warranties the security and availability of the data hosted.
- ISO 27001, ISO 27017, ISO 27018, ISO 9001 certified.
- FIPS 140-2 certified, ensuring the confidentiality and integrity of encryption keys.
Application Security Features
S-SDLC - Alteia implements a secure Software Development Life Cycle (S-SDLC).
Penetration Tests
Alteia performs penetration tests every three months in order to identify potential threats and vulnerabilities, thus completing a full risk assessment. Based on learnings, mitigation strategies are established and corrective actions are performed.
A penetration test is an authorized simulated cyber attack that helps evaluate the security of a system to identify weaknesses or vulnerabilities for unauthorized parties to access the system’s features and data.
Alteia performs two different tests:
- Black-box testing - A penetration tester plays the role of a hacker. The objective of this test is to try to access the Aether database without knowing anything about the architectural structure.
- Gray-box testing - The tester has the access and knowledge levels of a user of the system and even advanced knowledge of the network’s internals, including the design and architecture. The objective is to test the security inside the protected perimeter and simulate an attack with long-term access to the network.
Dependency Track: Alteia performs an audit of all third-party components in the code source of Alteia to ensure the continuity of the application. Alteia also ensures third parties respect all legal rights of data usage.
Granular roles & permissions: On an application level, Aether user profiles are based on roles with defined permissions to perform specific tasks. There are two notions of “users”, one related to an account (such as a company or organization) and one related to a project. This allows flexibility in managing your assets.