
Our commitment to your Data Security

Overview

Writing your research is your life’s work. We know it. That’s why we built SciSpace from the beginning with data security in mind. Your privacy is of utmost importance to us, and we make every effort under our control to secure all your data.

Protecting our customers’ data is the most important thing we do at SciSpace. We ensure that every possible step to secure your data and privacy is promptly undertaken. Keeping SciSpace secure is fundamental to our vision of transforming the way research is communicated. As you continue to learn more about us, you can also read our privacy policy here.

Best practices

System Security

All servers that run SciSpace software in production are recent, continuously patched Linux systems. Additional hosted services that we utilize, such as Amazon Cloud Storage, are comprehensively hardened infrastructure-as-a-service (IaaS) platforms.

Our web servers use the strongest grade of HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048-bit RSA, signed with SHA256.

Security Event Response Plan

  • We have a well-defined process for security events that might occur and have educated all our staff on our policies.
  • Whenever a security event is detected, it is immediately shared with our emergency engineering team, and teams are notified and assembled to immediately address the event.
  • After a security event is addressed, we do a post-mortem analysis of the problem.
  • Security event analysis is reviewed by the chief engineer in person, and action items are identified.
  • Learnings from the event are formalized and distributed across the company to prevent any occurrence of similar events in the future.

Data

  • All our customer data is stored in secure SSAE 16 / SOC1 certified data centers in the USA.
  • We have access restrictions on our servers to better protect your information.
  • Firewalls have been implemented to prevent unauthorized access.
  • We use Amazon Web Services (RDS & S3) for managing your data.
  • Regular snapshots of the database are taken and moved securely to a separate data center for backup in case of a regional Amazon failure.
  • Customer data is stored in multi-tenant data stores; we do not have individual data stores for each customer. However, we have strict privacy controls in our application to ensure data security and privacy. This also prevents unauthorized access to any customer’s data.
  • We have unit, integration, and regression test cases in place to ensure that privacy controls work as expected.
  • All tests are run every time changes are made on the platform.

Application monitoring

  • All access to SciSpace applications is logged and audited.
  • Bastion hosts are used to log in to devices.

Confidentiality

We place strict controls over our employees’ access to your data and are committed to ensuring that customer data is not seen by anyone who should not have access to it. All of our employees and contract personnel are bound to our policies regarding customer data privacy and security, and we treat these issues as matters of the highest importance within our company.

Personnel Practices

SciSpace conducts background checks on all employees before employment, and employees receive security training during onboarding as well as on an ongoing basis. All SciSpace employees are required to read and sign our strict data security and privacy policy covering the security, availability, and confidentiality of our services.

Infrastructure

  • All of our services run in the cloud.
  • SciSpace does not run its own routers, load balancers, DNS servers, or physical servers.
  • The vast majority of our services and data are hosted on Amazon Web Services (AWS) facilities in the USA.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that block unauthorized requests.
  • We have multiple VPCs for different environments to ensure data integrity.
  • SciSpace takes snapshots of your document at frequent intervals as our automatic backup strategy. In addition to this, our databases are backed up on a daily basis to ensure no loss of data.

Build Process Automation

  • All changes are rolled out to the platform using automation.
  • With typical code deploys happening multiple times a day, we can get any security fix on the platform quickly.

Data Transfer

  • All data sent to or from SciSpace is encrypted in transit using 128-bit encryption.
  • Our API and application endpoints are TLS/SSL only.
  • We use strong cipher suites and have features such as Perfect Forward Secrecy fully enabled.

Authentication

  • SciSpace is served 100% over HTTPS.
  • There are no corporate resources or additional privileges from being on SciSpace’s network.

PCI Obligations

SciSpace is not subject to PCI obligations. All payment instrument processing is outsourced to 2Checkout.

Physical Security

SciSpace production data is processed and stored within AWS Data Centers, which use state-of-the-art multi-layer access, alerting, and auditing measures, including:

  • Perimeter fencing
  • Vehicle access barriers
  • Custom-designed electronic access cards
  • Biometric checks
  • Laser beam intrusion detection
  • Continuous external and internal security camera surveillance
  • 24x7 trained security guards

You can learn more about AWS data security here.