Security + Compliance

Our platform is built on Amazon Web Services (AWS) which has achieved an extensive set of certifications including SOC2, ISO 27001, and FEDRAMP. Read more here: https://aws.amazon.com/security/

Yes to both. We utilize a minimum of TLS 1.2 encryption for communication to our website, calls to our APIs and internally between platform services.

All customer data is encrypted at rest using AES-256 encryption. Encryption keys are stored in high-security hardware security modules.

Definitely! We leverage a number of sophisticated tools within AWS to automate the backups of all customer data in the platform. We've configured these tools to meet our recovery point objective.

These backups are encrypted and stored securely so only the services required in a disaster recovery scenario can retrieve them.

Our engineers and developers use best practices in secure coding, testing, and deployment. We leverage frameworks that provide protections against common web vulnerabilities such as OWASP Top 10. We mentor our developers and peer review code to foster a culture of security and best practice in everything we do.

We also use automated tools to scan for vulnerable libraries and dependencies in our product.

Our platform is regularly tested end-to-end by external security firms, it's an important part of our process. The findings are assessed and remediated by our engineering and security teams with priority.

Scalability is built into every part of the Zemble application, along with the infrastructure that runs it. Automated tools are used to monitor system usage and to scale compute and storage as required. This enables the platform to handle even the most demanding peak load.

All platform logging and monitoring is centralized and uses industry-leading tools to help identify potential issues before they become widespread. These logs are encrypted and stored securely.

We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:

All employees and contractors are required to sign confidentiality agreements.

All employees are onboarded using a standard process to ensure the appropriate level of training and access is delivered. The offboarding process is also designed to efficiently remove access and accounts when employees leave the company or transition job roles.

All employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password management, and login restrictions.

Administrative access to production data stores is further restricted to a subset of senior engineers located in Australia. This access is necessary for the ongoing maintenance of the Zemble platform. Any and all access to this infrastructure is logged in an immutable event store and periodically reviewed by the security team.

All access to AWS is protected using 2FA for administrative accounts. These accounts are only granted access to services expressly required for them to complete their work. This access is enforced using IAM policies and all access is logged.

AWS Cognito is used for user authentication. This provides a safe and secure way to store user credentials, and also federate with customer directories via SAML2 or OIDC.

For non-federated user accounts, users may configure 2FA for an additional layer of security.
‍
The Zemble platform enforces password complexity requirements for all password users. Brute force attacks are mitigated with account lockout policies.