Security Overview
Last Updated: September 10, 2021
1. Scope
This Attributy Security Overview ('Security Overview') is incorporated into and made a part of:
- (a) Attributy's Terms of Service; or
- (b) a similar written agreement between Attributy and Customer for Customer's use of the Services (each, the 'Agreement').
'Services' and 'Attributy Services' will each have the meaning given to it in the Data Protection Addendum ('Data Protection Addendum'). Any capitalized term used but not defined in this Security Overview will have the meaning given to it in either the Agreement or the Data Protection Addendum.
2. Purpose
This Security Overview describes Attributy's:
- security program,
- security certifications, and
- technical and organizational security controls
to protect:
- (a) Customer Data from unauthorized use, access, disclosure, or theft; and
- (b) the Services.
In addition to this Security Overview, Attributy's technical security documentation for the Attributy APIs is available at https://Attributy.com/security-overview.
As security threats shift and evolve, Attributy continues to update its security program and strategy to help protect Customer Data and Services. Attributy reserves the right to update this Security Overview from time to time; however, any update will not materially reduce the overall protections outlined in this Security Overview.
The then-current terms of this Security Overview are available at https://attributy.com/security-overview.
This Security Overview does not apply to any Beta Offerings or communications services provided by telecommunications providers.
3. Security Organization and Program
Attributy maintains a risk-based assessment security program. The framework for Attributy's security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.
Attributy's security program is intended to be appropriate to the nature of the Services and the size and complexity of Attributy's business operations.
Attributy’s Information Security team manages Attributy's security program. They facilitate and support independent audits and assessments performed by third parties.
It includes programs covering:
- Policies and Procedures
- Asset Management
- Access Management
- Cryptography
- Physical Security
- Operations Security
- Communications Security
- Business Continuity Security
- People Security
- Product Security
- Cloud and Network Infrastructure Security
- Security Compliance
- Third-Party Security
- Vulnerability Management
- Security Monitoring and Incident Response
Security is managed at the highest levels of the company, with Attributy's Chief Trust and Security Officer meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives.
Information security policies and standards are reviewed and approved by Management at least annually and are made available to all Attributy employees for their reference.
4. Confidentiality
Attributy has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All Attributy employees and contract personnel are bound by Attributy's internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.
5. People Security
5.1 Employee Background Checks. Attributy performs background checks on all new employees at the time of hire in accordance with applicable local laws. Attributy currently verifies a new employee's education and previous employment and performs reference checks. Where permitted by applicable law, Attributy may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee's role.
5.2 Employee Training
At least once (1) a year, all Attributy employees must complete a security and privacy training which covers Attributy's security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Attributy's dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Attributy has also established an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted.
6. Third-Party Vendor Management
6.1 Vendor Assessment. Attributy may use third-party vendors to provide the Services. Attributy carries out a security risk-based assessment of prospective vendors before working with them to validate that they meet Attributy's security requirements. Attributy periodically reviews each vendor in light of Attributy's security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Attributy ensures that Customer Data is returned and/or deleted at the end of a vendor relationship. For the avoidance of doubt, telecommunication providers are not considered subcontractors or third-party vendors of Attributy.
6.2 Vendor Agreements. Attributy enters into written agreements with all of its vendors, including confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
6.2 Vendor Agreements. Attributy enters into written agreements with all of its vendors, including confidentiality, privacy, and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.
7. Architecture and Data Segregation
7.1 Attributy Services AWS. The cloud communication platform for the Attributy Services is hosted by Amazon Web Services ("AWS"). The AWS data center infrastructure used in providing the Attributy Services is located in the United States. Additional information about the security provided by AWS is available at aws.amazon.com/security and AWS Security Whitepapers. Attributy's production environment within AWS, where Customer Data and the Attributy Services are hosted, is a logically isolated Virtual Private Cloud (VPC).
7.2 Attributy Services IBM. The attribution for the cloud communication platform for the Attributy Services is calculated in a Machine Learning Server by IBM Cloud ("IBM"). The IBM data center infrastructure used in providing the Attributy Services is located in the United States. Additional information about the security provided by IBM is available at IBM Cloud Security. Attributy's production environment within IBM, where Customer Data and the Attributy Services are calculated, is a logically isolated Virtual Private Cloud (VPC).
7.3 Services. All network access between production hosts is restricted for the Services, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. Attributy separates Customer Data using logical identifiers, which tag Customer Data with a unique customer identifier that is assigned to Customer to identify ownership. The Attributy APIs are designed and built to identify and allow access only to and from these tags. These controls prevent other customers from having access to Customer Data.
7.2 Attributy Services IBM. The attribution for the cloud communication platform for the Attributy Services is calculated in a Machine Learning Server by IBM Cloud ("IBM"). The IBM data center infrastructure used in providing the Attributy Services is located in the United States. Additional information about the security provided by IBM is available at IBM Cloud Security. Attributy's production environment within IBM, where Customer Data and the Attributy Services are calculated, is a logically isolated Virtual Private Cloud (VPC).
7.3 Services. All network access between production hosts is restricted for the Services, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. Attributy separates Customer Data using logical identifiers, which tag Customer Data with a unique customer identifier that is assigned to Customer to identify ownership. The Attributy APIs are designed and built to identify and allow access only to and from these tags. These controls prevent other customers from having access to Customer Data.
8. Physical Security
AWS and IBM cloud data centers that host and calculate the Attributy Services are typically strictly controlled at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors must present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide backup power in an electrical failure.
In addition, Attributy headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed-circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.
In addition, Attributy headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed-circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.
9. Security by Design
Attributy follows security by design principles when it designs the Services. Attributy also applies the Attributy Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design through product deployment. These activities include, but are not limited to:
(a) internal security reviews before new Services are deployed;
(b) penetration tests performed on new Services by independent third parties; and
(c) threat models for new Services to detect any potential security threats and vulnerabilities.
(a) internal security reviews before new Services are deployed;
(b) penetration tests performed on new Services by independent third parties; and
(c) threat models for new Services to detect any potential security threats and vulnerabilities.
10. Access Controls
10.1 Provisioning Access. To minimize the risk of data exposure, Attributy follows the principles of least privilege through a team-based-access-control model when provisioning system access. Attributy personnel is authorized to access Customer Data based on their job function, role, and responsibilities, and such access requires the approval of the employee's manager. Access rights to production environments are reviewed at least semi-annually. An employee's access to Customer Data is promptly removed upon termination of their employment.
In order to access the production environment, an authorized user must have a unique username and password, multifactor authentication, or be connected to Attributy's Virtual Private Network (VPN). Before an engineer is granted access to the production environment, access must be approved by Management, and the engineer is required to complete internal training for such access, including training on the relevant team's systems.
Attributy logs high-risk actions and changes in the production environment. Attributy leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity.
In order to access the production environment, an authorized user must have a unique username and password, multifactor authentication, or be connected to Attributy's Virtual Private Network (VPN). Before an engineer is granted access to the production environment, access must be approved by Management, and the engineer is required to complete internal training for such access, including training on the relevant team's systems.
Attributy logs high-risk actions and changes in the production environment. Attributy leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity.
11. Change Management
Attributy has a formal change management process to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services.
All changes, including evaluating the changes in a test environment, are documented using a formal, auditable record system. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented if a deployed change needs to be rolled back to preserve the security of the Services.
All changes, including evaluating the changes in a test environment, are documented using a formal, auditable record system. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented if a deployed change needs to be rolled back to preserve the security of the Services.
13. Vulnerability Management
Attributy maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business/operational requirements. Attributy uses a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in Attributy's cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. For the Attributy Services, operating system patches are applied by regenerating a base virtual machine image and deploying it to all nodes in the Attributy cluster over a predefined schedule. For high-risk patches, Attributy will deploy directly to existing nodes through internally developed orchestration tools.
14. Penetration Testing
Attributy performs penetration tests or engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Attributy maintains a Bug Bounty Program, available at https://circleci.com/security/, which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.
16. Security Incident Management
Attributy maintains security incident management policies and procedures in accordance with NIST SP 800-61 through AWS which are illustrated at this AWS guide. Attributy assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. Attributy utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
17. Discovery, Investigation, and Notification of a Security Incident
Attributy will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Attributy will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to the Customer via email to the email address designated by the Customer in its account.
18. Resilience and Service Continuity
The Services use a variety of tools and mechanisms to achieve high availability and resiliency. Attributy Services, Attributy's infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another. Attributy's infrastructure can detect and route around issues experienced by hosts or even whole data centers in real-time and employ orchestration tooling that can regenerate hosts, building them from the latest backup. Attributy also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Attributy is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
19. Backups and Recovery
Attributy performs regular backups of Customer Data, which is hosted on AWS's data center infrastructure and Circle CI. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).
CircleCI Security and AWS Security Incident Response Guide.
CircleCI Security and AWS Security Incident Response Guide.
