We take your security very seriously.

Our comprehensive out-of-the-box security and compliance framework is continuously updated with security, compliance and privacy certifications.

All The Enterprise-Grade Certifications You Need

PCI DSS Compliance

AICPA SOC 2

Swiss-US Privacy Shield

EU-US Privacy Shield

GDPR Ready

HIPAA Compliance

Key Security Features

Data Encryption

Data is encrypted at rest and in-flight, including data passed between Airkit and third party applications via API calls.

Data Security

Customer applications and data are hosted in separate secure logical instances per organization with SAML 2.0 single sign-on.

Data Protection

Intraday and daily snapshots of application and customer data are stored in authentication-protected, encrypted storage.

Certifications

Continuously updated security, compliance and privacy certifications not available with custom development alternatives.

Integrated Services

Securely authorize other SaaS services with OAuth2. Airkit does not store your username or password for those services.

Organization Controls

Role-based access controls for platform management, application management and data management.

Data Governance

Maintain ownership of your data with full portability. You can choose not to store data on Airkit’s platform.

Rigorous Testing

Airkit contracts with industry-leading third party vendors to do regular penetration testing on the platform.

A Commitment To Reliability.

We believe in complete transparency concerning our service availability and uptime. View our track record on our status page.

Security & Infrastructure

Is Airkit’s data center secure?

Our online infrastructure is built on Amazon Web Services, which maintains an extensive set of certifications including SOC 2, ISO 27001, and FedRAMP that cover the service’s security, confidentiality, availability, and integrity.

More information is available here: https://aws.amazon.com/security/

Does Airkit encrypt data in transit and at rest?

Yes to both.

We utilize TLS 1.2 encryption on communication to our website and APIs, automatic HTTP to HTTPS redirection, and HTTP Strict Transport Security to prevent downgrade attacks. Our default encryption algorithms utilize Perfect Forward Secrecy (PFS) and Authenticated Encryption with Associated Data (AEAD).

All customer data is encrypted at rest using AES-256 encryption. Encryption keys are stored in high-security hardware security modules and periodically rotated.

Does Airkit monitor its performance?

We collect logs of system events throughout our infrastructure including cloud-level, application level, and data-store level audit trails. Logs are stored in an immutable storage system that prevents accidental or malicious deletion. Administrators have configured alerts for key system activity that may indicate a compromise or misconfiguration.

Does Airkit back up my data?

Customer data is backed up daily using automated snapshots which are stored in authentication-protected storage using pre-defined retention times. System administrators are notified of failed or delayed backups.

Is the Airkit application itself secure?

Our development team utilizes best practices in code development, testing, and deployment. As part of that process we leverage frameworks that provide protections against common web vulnerabilities (e.g. OWASP Top 10). Libraries and dependency code are scanned for known vulnerabilities and tickets automatically opened for engineers to review and upgrade packages.

Does Airkit conduct regular penetration tests?

Our services are tested periodically by professional penetration testing teams. During the assessment, the team seeks to identify vulnerabilities and weaknesses that could enable attackers to compromise our systems. Identified issues are prioritized and remediated by our technical team.

Does Airkit decommission hardware that stores my information?

The secure decommissioning of hardware used to manage and store customer data is managed by our cloud provider, which leverages a combination of mark-and-sweep deletion cycles, cryptographic erasure, and physical device destruction in compliance with NIST SP 800-88 Revision 1.

Policies & Procedures

Does Airkit have a company-wide security policy?

We maintain a company-wide security policy that covers the security requirements for systems throughout our infrastructure including:
* System Inventory
* Data Classification
* System lockdown procedures
* Encryption
* Data Access
* Incident Response
* Backups and Restoration

Do Airkit employees sign confidentiality agreements?

All employees and contractors are required to sign confidentiality agreements.

Is security a priority during employee on and offboarding?

All employees are on-boarded using a standard process to ensure they receive training and access appropriate to perform their job role. Our off-boarding process is designed to efficiently remove access and accounts when employees leave the company or transition job roles.

Are Airkit employee hardware devices secure?

Our employee computers and company mobile devices are required to meet a set of security requirements including full disk encryption, vulnerability updates, company-approved password manager, and login restrictions.

Access Control

How will Airkit authenticate users to our portal?

Customers can authenticate to our service using 2FA. Inside our application, customers can configure roles that further restrict what actions their users can take on their data.

How does Airkit maintain password security?

User passwords must meet minimum length requirements. Brute-force password protections are implemented using account throttling – where repeated attempts to log in to an account result in a progressive delay between login attempts. Passwords are stored in encrypted form using salted hashes.
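The account throttling and salted-hash storage described above, as an added example that is not Airkit’s code: it assumes PBKDF2-SHA256 as the hash (the page does not name one), a constructed delay schedule that starts doubling after the third consecutive failure and is capped at 60 seconds, a minimum length of 12 characters, and in-memory per-account state.

```python
import hashlib
import hmac
import os
import time

MIN_PASSWORD_LENGTH = 12       # assumed minimum; the page gives no number
PBKDF2_ITERATIONS = 100_000    # assumed work factor
MAX_DELAY_SECONDS = 60         # assumed cap on the progressive delay


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password shorter than minimum length")
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def required_delay(failures: int) -> int:
    """Progressive delay: free for the first two failures, then 1, 2, 4, ... seconds."""
    if failures < 3:
        return 0
    return min(2 ** (failures - 3), MAX_DELAY_SECONDS)


class LoginThrottle:
    """Per-account throttle; the clock is injectable so the schedule can be tested."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}  # account -> (consecutive failures, earliest next attempt)

    def attempt(self, account: str, password: str, salt: bytes, digest: bytes) -> tuple:
        failures, not_before = self.state.get(account, (0, 0.0))
        now = self.clock()
        if now < not_before:               # still inside the delay window: do not check
            return "throttled", not_before - now
        if verify_password(password, salt, digest):
            self.state.pop(account, None)  # success clears the failure counter
            return "ok", 0.0
        failures += 1
        delay = required_delay(failures)
        self.state[account] = (failures, now + delay)
        return "denied", delay
```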

How is cloud access handled?

Cloud access is protected using 2FA for administrative accounts and encrypted VPN access for access to internal systems. All administrative access to cloud systems is logged.

Who has administrative access to our database?

Administrative access to production databases is restricted to a subset of our engineering team. All access uses unique accounts, and administrator activity is logged to our centralized logging system.

Where is Airkit code stored?

Code is stored in a centralized code repository that requires 2FA for authentication. User groups are configured to provide only the access necessary for employees to do their assigned job. Code updates undergo mandatory code review and approval before being released into production.

We’d love to show you.

Ready to see for yourself? Let’s get started.