We take your security very seriously.
All The Enterprise-Grade Certifications You Need
PCI DSS Compliance
AICPA SOC 2
Swiss-US Privacy Shield
EU-US Privacy Shield
Key Security Features
Data is encrypted at rest and in-flight, including data passed between Airkit and third party applications via API calls.
Intraday and daily snapshots of application and customer data stored in authentication-protected, encrypted storage.
Continuously updated security, compliance and privacy certifications not available with custom development alternatives.
Securely authorize other SaaS services with OAuth2. Airkit does not store your username or password for those services.
Role-based access controls for both platform management, application management and
Maintain ownership of your data with full portability. You can choose not to store data on Airkit’s platform.
Airkit contracts with industry-leading third party vendors to do regular penetration testing on the platform.
A Commitment To Reliability.
Is Airkit’s data center secure?
Our online infrastructure is built on Amazon Web Services, which maintains an extensive set of certifications including SOC 2, ISO 27001, and FedRAMP that cover the service’s security, confidentiality, availability, and integrity.
More information is available here: https://aws.amazon.com/security/
Does Airkit encrypt data in transit and at rest?
Yes to both.
We use TLS 1.2 encryption for communication with our website and APIs, automatic HTTP to HTTPS redirection, and HTTP Strict Transport Security to prevent downgrade attacks. Our default cipher suites provide Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).
All customer data is encrypted at rest using AES-256 encryption. Encryption keys are stored in high-security hardware security modules and periodically rotated.
Does Airkit monitor its performance?
We collect logs of system events throughout our infrastructure, including cloud-level, application-level, and data-store-level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.
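The paragraph above describes the pipeline but not the alerts themselves. As an added illustration, not a description of Airkit's actual rules or log format, the following script applies three alert rules that commonly sit on top of such an audit trail: repeated authentication failures by one actor inside a short window, an administrative login that succeeded without a second factor, and any attempt to alter the audit log. The JSON-lines events, the field names, the three-failure threshold and the 120-second window are all constructed assumptions.

```python
import json
from collections import defaultdict, deque

# Constructed sample audit events (not real Airkit logs), one JSON object per
# line, spanning the cloud, application and data-store layers.
SAMPLE_LOG = """\
{"ts": 100, "layer": "cloud", "actor": "ops-admin", "action": "console.login", "result": "failure", "mfa": false}
{"ts": 130, "layer": "cloud", "actor": "ops-admin", "action": "console.login", "result": "failure", "mfa": false}
{"ts": 160, "layer": "cloud", "actor": "ops-admin", "action": "console.login", "result": "failure", "mfa": false}
{"ts": 200, "layer": "cloud", "actor": "ops-admin", "action": "console.login", "result": "success", "mfa": true}
{"ts": 250, "layer": "app", "actor": "svc-deploy", "action": "admin.login", "result": "success", "mfa": false}
{"ts": 300, "layer": "datastore", "actor": "svc-deploy", "action": "audit_log.delete", "result": "denied", "mfa": false}
{"ts": 900, "layer": "app", "actor": "jsmith", "action": "user.login", "result": "failure", "mfa": false}
"""

FAIL_THRESHOLD = 3          # assumed: failures inside the window that raise an alert
FAIL_WINDOW_SECONDS = 120   # assumed sliding window
ADMIN_ACTIONS = {"console.login", "admin.login"}  # assumed privileged login events


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events):
    """Return a list of (rule, actor, ts) alerts for the given events."""
    alerts = []
    recent_failures = defaultdict(deque)  # actor -> timestamps of recent failures
    for event in sorted(events, key=lambda e: e["ts"]):
        actor, action, result, ts = event["actor"], event["action"], event["result"], event["ts"]

        # Rule 1: sliding-window count of failures per actor; fires once when
        # the count reaches the threshold rather than on every later failure.
        if result == "failure":
            window = recent_failures[actor]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW_SECONDS:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("repeated_failures", actor, ts))

        # Rule 2: privileged login that succeeded without a second factor.
        if action in ADMIN_ACTIONS and result == "success" and not event.get("mfa"):
            alerts.append(("admin_login_without_mfa", actor, ts))

        # Rule 3: any touch of the audit log itself, even if the store denied it,
        # is worth a human look because the log is meant to be immutable.
        if action.startswith("audit_log."):
            alerts.append(("audit_trail_tampering", actor, ts))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample input the script raises exactly three alerts: the ops-admin failure burst at ts 160, the svc-deploy admin login without MFA at ts 250, and the denied audit-log deletion at ts 300; the single failure by jsmith stays below the threshold.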
Does Airkit back up my data?
Customer data is backed up daily using automated snapshots which are stored in authentication-protected storage using pre-defined retention times. System administrators are notified of failed or delayed backups.
Is the Airkit application itself secure?
Our development team utilizes best practices in code development, testing, and deployment. As part of that process we leverage frameworks that provide protections against common web vulnerabilities (e.g. OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities and tickets automatically opened for engineers to review and upgrade packages.
Does Airkit conduct regular penetration tests?
Our services are tested periodically by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team.
Does Airkit decommission hardware that stores my information?
The secure decommissioning of hardware used to manage and store customer data is handled by our cloud provider, which uses a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.
Does Airkit have a company-wide security policy?
We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:
* System Inventory
* Data Classification
* System lockdown procedures
* Data Access
* Incident Response
* Backups and Restoration
Do Airkit employees sign confidentiality agreements?
All employees and contractors are required to sign confidentiality agreements.
Is security a priority during employee onboarding and offboarding?
All employees are onboarded using a standard process to ensure they receive training and access appropriate to their job role. Our offboarding process is designed to promptly remove access and accounts when employees leave the company or change job roles.
Are Airkit employee hardware devices secure?
Our employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password manager, and login restrictions.
How will Airkit authenticate users to our portal?
Customers can authenticate to our service using 2FA. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.
How does Airkit maintain password security?
User passwords must meet minimum length requirements. Brute-force protection is implemented using account throttling, where repeated attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored in encrypted form using salted hashes.
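The answer above names three controls: a minimum password length, per-account throttling with a progressive delay, and salted password hashes. The following is an added example of how those three fit together, written for this page rather than taken from Airkit: passwords are hashed with a per-user random salt using PBKDF2-HMAC-SHA256, verification uses a constant-time comparison, and a small throttle doubles the enforced wait after every failure up to a cap. The 12-character minimum, the iteration count, the base and maximum delays, and the injected clock are assumptions; the page gives no such numbers.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12      # assumed minimum; the page states no number
PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256

# Stand-in credential used when an account does not exist, so that a lookup
# miss costs the same time as a real verification.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; a fresh random salt per password."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-account progressive delay: the wait doubles after each failure, up to max_delay."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def delay_for_failures(self, failures):
        """Seconds an account must wait after the given number of consecutive failures."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, account, password, credentials, now):
        """Return (outcome, seconds_to_wait); `now` is injected for testability."""
        failures, not_before = self._state.get(account, (0, 0.0))
        if now < not_before:
            # Attempt refused before the password is even checked.
            return "throttled", not_before - now
        salt, digest = credentials.get(account, (_DUMMY_SALT, _DUMMY_DIGEST))
        if account in credentials and verify_password(password, salt, digest):
            self._state.pop(account, None)  # success resets the counter
            return "ok", 0.0
        failures += 1
        wait = self.delay_for_failures(failures)
        self._state[account] = (failures, now + wait)
        return "bad_password", wait


if __name__ == "__main__":
    store = {"alice": hash_password("correct horse battery")}
    throttle = LoginThrottle(base_delay=1.0, max_delay=8.0)
    for t, pw in [(0.0, "wrong password!"), (0.5, "correct horse battery"),
                  (1.0, "wrong password!"), (3.0, "correct horse battery")]:
        print(t, throttle.attempt("alice", pw, store, now=t))
```

The throttle returns the wait instead of sleeping so that a web handler can surface it as a Retry-After value, and state is keyed per account rather than per client address so that distributed guessing against one account is still slowed. Because the dummy credential is verified when the account is unknown, response time does not reveal which usernames exist.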
How is cloud access handled?
Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for access to internal systems. All administrative access to cloud systems is logged.
Who has administrative access to our database?
Administrative access to production databases is restricted to a subset of our engineering team. All access uses unique accounts, and administrator activity is logged to our centralized logging system.
Where is Airkit code stored?
Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.