All the enterprise-grade certifications you need
PCI DSS Compliance
AICPA SOC 2
Key security features
A commitment to security
Airkit works with security researchers and encourages responsible disclosure through an ISO 29147 bug bounty program, coordinated by HackerOne.
Is Airkit’s data center secure?
Our online infrastructure is built on Amazon Web Services, and Airkit maintains SOC 2, PCI, HIPAA and other controls that cover the service's security, confidentiality, availability, and integrity.
More information is available here: https://aws.amazon.com/security/
Does Airkit monitor its performance?
We collect logs of system events throughout our infrastructure, including cloud-level, application-level, and data-store-level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.
Is the Airkit application itself secure?
Our development team utilizes best practices in code development, testing, and deployment. As part of that process we leverage frameworks that provide protections against common web vulnerabilities (e.g. the OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities, and tickets are automatically opened for engineers to review and upgrade packages.
Does Airkit decommission hardware that stores my information?
The secure decommissioning of hardware used to manage and store customer data is managed by our cloud provider, which leverages a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.
Do Airkit employees sign confidentiality agreements?
All employees and contractors are required to sign confidentiality agreements.
Are Airkit employee hardware devices secure?
Our employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password manager, and login restrictions.
How does Airkit maintain password security?
User passwords must meet minimum length requirements. Brute force password protections are implemented using account throttling – where repeated attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored in encrypted form using salted hashes.
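The two controls described above, a minimum password length, salted password hashing, and a progressive per-account delay after repeated failed logins, as an added illustration that is not Airkit's code. The thresholds, the PBKDF2 parameters and the `LoginGate` class are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this constructed example (not Airkit's settings).
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 100_000
BASE_DELAY_SECONDS = 1.0   # delay after the first failure
MAX_DELAY_SECONDS = 300.0  # cap so a locked account recovers within minutes


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hash_password(password: str) -> tuple:
    """Enforce minimum length and return (salt, digest) with a fresh random salt."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password below minimum length")
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so verification timing does not leak the digest.
    return hmac.compare_digest(_derive(password, salt), digest)


def delay_for(failures: int) -> float:
    """Progressive delay: 1s after the first failure, doubling per failure, capped."""
    if failures < 1:
        return 0.0
    return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)


class LoginGate:
    def __init__(self) -> None:
        self.users = {}       # user -> (salt, digest); never the plaintext
        self.failures = {}    # user -> consecutive failed attempts
        self.not_before = {}  # user -> earliest time another attempt is accepted

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str, now: float = None) -> str:
        now = time.monotonic() if now is None else now
        if now < self.not_before.get(user, 0.0):
            return "throttled"  # inside the delay window, even if the password is right
        if user in self.users and verify_password(password, *self.users[user]):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.not_before[user] = now + delay_for(self.failures[user])
        return "denied"
```

Unknown usernames are throttled on the same schedule as real ones, so the delay behaviour does not reveal which accounts exist.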
Who has administrative access to our database?
Administrative access to production databases is restricted to a subset of our engineering team. All access uses unique accounts, and administrator activity is logged to our centralized logging system.
Does Airkit encrypt data in transit and at rest?
Yes to both.
We utilize TLS 1.2 for communication with our website and APIs, automatic HTTP to HTTPS redirection, and HTTP Strict Transport Security to prevent downgrade attacks. Our default cipher suites provide Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).
All customer data is encrypted at rest using AES-256 encryption. Encryption keys are stored in high-security hardware security modules and periodically rotated.
Does Airkit back up my data?
Customer data is backed up daily using automated snapshots which are stored in authentication-protected storage using pre-defined retention times. System administrators are notified of failed or delayed backups.
Does Airkit conduct regular penetration tests?
Our services are tested periodically by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team.
Does Airkit have a company-wide security policy?
We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:
* System Inventory
* Data Classification
* System lockdown procedures
* Data Access
* Incident Response
* Backups and Restoration
Is security a priority during employee onboarding and offboarding?
All employees are onboarded using a standard process to ensure they receive the training and access appropriate to perform their job role. Our offboarding process is designed to efficiently remove access and accounts when employees leave the company or transition job roles.
How will Airkit authenticate users to our portal?
Customers can authenticate to our service using 2FA. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.
How is cloud access handled?
Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for access to internal systems. All administrative access to cloud systems is logged.
Where is Airkit code stored?
Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.