Posture Security Statement
Effective date: July 26, 2018
Posture helps organizations and their partners track and manage their compliance. Posture is used by organizations around the world. Our platform lets organizations focus on employee benefits while taking away the stress and paperwork. We integrate seamlessly with your payroll provider so that you don't have to enter any information manually.
Our platform is designed to protect customers from threats by applying security controls at every layer. We encourage customers to use 2FA to help secure their access, notify them by email whenever we detect a new login, and provide them with audit logs of all their activity on our platform.
Trust is a core principle of Posture. It’s this commitment to customer privacy and inspiring trust that directs the decisions we make on a daily basis. Trust is the responsibility of each and every employee and one we take seriously.
Posture’s physical infrastructure is hosted and managed within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology. Amazon performs continuous risk management and treatment and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
We use the PCI compliant payment processor Stripe for encrypting and processing credit card payments. This provider is PCI Level 1 compliant.
Posture uses its own internal certified penetration testing and vulnerability assessment teams. Findings from each assessment are reviewed with the assessors, risk ranked, and assigned to the responsible team. Vulnerabilities are treated with the highest priority at Posture and are dealt with in a timely manner.
Posture uses Amazon's ISO 27001 and FISMA certified data centers. Amazon has many years of experience designing, building and operating data centers on a large scale, and the AWS platform and infrastructure benefit from this experience and expertise. AWS data centers are housed in nondescript facilities, and critical facilities have extensive perimeter control berms and other man-made border protection. Physical access is strictly controlled by professional security personnel using video surveillance, state-of-the-art intrusion detection systems and other electronic means, both at the perimeter and at the building entrance points. To reach data center floors, authorized staff must pass two-factor authentication no fewer than three times. All visitors and contractors must present identification, are signed in by authorized staff, and are continuously accompanied by them.
Amazon grants access to data centers and information only to employees who have a legitimate business need for such privileges. If an employee no longer has a business need for these privileges, his or her access is withdrawn immediately, even if he or she continues to be an employee of Amazon or Amazon Web Services. All physical and electronic access by Amazon employees to data centers is routinely logged and audited.
For additional information see: Amazon AWS Security
To reduce the risk of fire, automatic fire detection and suppression equipment is used. The fire detection system uses smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator rooms. These areas are protected by wet pipe systems, double-interlocked pre-action systems or gaseous suppression systems.
The electrical power systems of the data center are designed to be fully redundant and maintainable 24 hours a day, seven days a week, without impact on operations. Uninterruptible power supply (UPS) units provide backup power for critical and essential loads in the facility in the event of an electrical failure. Data centers use generators to provide the whole facility with backup power.
In order to maintain a constant operating temperature for servers and other hardware, climate control procedures are employed, which prevent overheating and reduce the possibility of service outages. Data centers are conditioned to maintain optimum atmospheric conditions. Monitoring systems and data center staff ensure appropriate temperature and humidity levels.
Staff at the data center monitor electrical, mechanical and life support systems and equipment so that problems are identified immediately. Preventive maintenance is carried out to maintain continued operability of equipment.
For additional information see: Amazon AWS Security
Firewalls are used to restrict access to systems from external networks and between systems internally. By default, all access is denied, and only the ports and protocols explicitly required by business needs are permitted. Each system is assigned to a firewall security group based on the function of the system. Security groups restrict access to only the ports and protocols needed for the specific function of a system, which limits the risk exposed by that system.
Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed.
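The default-deny security group model described above can be checked rather than assumed. The following is an added example, not Posture's code: it audits security group rules in the shape returned by the EC2 DescribeSecurityGroups API (the `IpPermissions` structure) against a per-role allowlist and reports every inbound rule that is not on the list. The roles, group IDs, allowlist and security groups below are constructed sample data; in practice the group dictionaries would come from `boto3` (`ec2.describe_security_groups()`), which is not called here so the example runs offline.

```python
"""Audit AWS security group inbound rules against a default-deny allowlist.

Added example for illustration; not the platform's own tooling.
The input shape mirrors EC2 DescribeSecurityGroups: each group has
GroupId and IpPermissions, each permission has IpProtocol, FromPort,
ToPort, IpRanges, Ipv6Ranges and UserIdGroupPairs.
"""
from typing import Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"

# Hypothetical policy: for each role, the (protocol, port, source) triples
# that may be reachable. Anything not listed violates default deny.
ALLOWED: Dict[str, List[Tuple[str, int, str]]] = {
    "web": [("tcp", 443, ANY_IPV4), ("tcp", 80, ANY_IPV4)],
    "app": [("tcp", 8080, "sg-web")],   # only reachable from the web tier
    "db":  [("tcp", 5432, "sg-app")],   # only reachable from the app tier
}

# Constructed sample groups: the web group leaks SSH to the Internet, the
# db group has an all-protocol rule from a private range that is not allowlisted.
SAMPLE_GROUPS: Dict[str, dict] = {
    "web": {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ]},
    "db": {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
}


def _sources(perm: dict) -> List[str]:
    """Collect every source a permission grants: IPv4/IPv6 CIDRs and referenced groups."""
    out = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    out += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    out += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return out


def audit_group(role: str, group: dict) -> List[str]:
    """Return one finding per inbound rule that is not on the role's allowlist."""
    findings: List[str] = []
    allowed = ALLOWED.get(role, [])
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":
            # "-1" means all protocols and all ports; it can never satisfy a
            # port-specific allowlist, so it is always a finding.
            findings.append(f"{gid}: all protocols/ports allowed from {_sources(perm)}")
            continue
        from_port, to_port = perm["FromPort"], perm["ToPort"]
        for src in _sources(perm):
            for port in range(from_port, to_port + 1):
                if (proto, port, src) not in allowed:
                    findings.append(
                        f"{gid}: {proto}/{port} from {src} not allowlisted for role '{role}'"
                    )
    return findings


def audit_all(groups: Dict[str, dict] = SAMPLE_GROUPS) -> Dict[str, List[str]]:
    """Audit every (role, group) pair and return findings keyed by role."""
    return {role: audit_group(role, g) for role, g in groups.items()}


if __name__ == "__main__":
    for role, findings in audit_all().items():
        for line in findings:
            print(line)
```

Running it on the constructed data reports the SSH rule on `sg-web` and the all-protocol rule on `sg-db`; the allowlisted 443 and 5432 rules produce nothing. Port ranges are expanded per port so that a rule such as 0-65535 is compared against the allowlist one port at a time rather than passing because a single port in the range happens to be permitted.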
Our infrastructure provider applies DDoS mitigation techniques including TCP SYN cookies and connection rate limiting, and maintains multiple backbone connections and internal bandwidth capacity that exceeds the bandwidth supplied by Internet carriers. We work closely with our providers to respond quickly to events and to enable advanced DDoS mitigation controls when needed.
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which does not deliver traffic to an interface it is not addressed to. Posture uses Amazon AWS, which applies application isolation, operating system restrictions, and encrypted connections to further mitigate risk at all levels.
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
System configuration and consistency are maintained through standard, up-to-date images, configuration management software, and the updating and replacement of deployments. Systems are deployed from images that are updated before deployment with configuration changes and security updates. Once the replacement systems have been deployed, the existing systems are decommissioned.
Our vulnerability management process is designed to address risks without requiring customer interaction or impacting customers. Vulnerabilities are identified through internal and external assessments and system patch monitoring. Each vulnerability is reviewed to determine whether it applies to the Posture environment, ranked by risk, and assigned to the appropriate team for resolution.
We undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Our security assessments cover all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Posture continuously reviews the security of the Posture platform and applications and applies best practices.
Issues found in Posture applications are risk ranked, prioritized, and assigned to the responsible team for remediation, and the Posture security team reviews each remediation plan to ensure proper resolution.
Posture uses Amazon S3 to deploy the Posture web platform. The Amazon S3 platform automatically creates backups as part of the deployment process on secure, access-controlled, and redundant storage. We use these backups to deploy our application across our platform and to automatically bring your application back online in the event of an outage.
Posture uses Amazon DynamoDB. Continuous protection keeps data safe on DynamoDB: DynamoDB point-in-time recovery (PITR) provides continuous backups of all data. In the unlikely event of an unrecoverable hardware failure, DynamoDB provides a simple and efficient service to restore data. We also back up our database to meet data retention requirements.
The Amazon AWS platform automatically restores applications and databases in the case of an outage. Amazon S3 is designed to dynamically deploy applications within the Amazon AWS Cloud, monitor for failures, and recover failed platform components including customer applications.
Amazon AWS is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, replaces failed components, and uses multiple data centers for resiliency. In the event of a failure, the platform is redeployed in multiple data centers from current system images and data is restored from backups. Amazon AWS examines platform problems to understand the root cause and customer impact and to improve the platform and processes.
Hardware decommissioning is managed by our infrastructure provider using a process designed to prevent customer data exposure. Amazon DynamoDB provides services for managing data retention and destruction/deletion.
Posture staff, as part of normal operations, do not access or interact with customer data or applications. Posture may be asked to interact with customer data or applications for support purposes at the customer's request or where required by law. Access to customer data is controlled, and every access by Posture staff is recorded together with the customer approval or government mandate, the reason for access, the actions taken by staff, and the start and end time of the support session.
As a condition of employment, all Posture employees undergo pre-employment checks and agree to company policies, including security policies and acceptable use policies.
Our security team is headed by the Chief Information Security Officer (CISO) and includes personnel responsible for the security of applications and information. The security team works closely with the entire Posture organization and customers to address risks and maintain the commitment to trust in Posture.