Technology Trust Summary
Purpose of this document
This document outlines the high-level security posture of Chameleon: the application and data concerns we consider, and the controls we have in place to address them.
It describes the security program and policies required to operate Chameleon as an application and as a business. Where possible we rely on the security of our infrastructure providers; their internal security controls are out of scope for this document.
Application and Data
We develop our application using an Agile methodology with an integrated CI/CD process and a container-based deployment. The application is hosted on Heroku, which runs on Amazon AWS; both providers are SOC 2 and ISO 27001 certified. Heroku ensures that our database and the underlying disk storage are encrypted at rest, and all data in transit between the client and the server is encrypted with TLS 1.2 or later. We use automated dependency management with CI-based patch verification, and can deploy important security fixes in under 30 minutes.
Our application and data reside in the United States, in the AWS us-east-1 region. Data is not moved out of this region, nor is it moved between application environments. Requests for access from relevant authorities are handled on a case-by-case basis.
We are a multi-tenant SaaS application, with tenant data interleaved in shared data stores. Isolation is enforced at the application level: every request carries a tenancy key, and all data access is scoped to that key. Combined with a role-based access control (RBAC) authorisation platform, only users with appropriate roles within your tenancy can access your data. All write actions are recorded in an event-sourced model, giving an auditable history of changes.
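The following is an added illustration of the request-scoped tenancy key and RBAC check described above; it is example code, not Chameleon's implementation. The in-memory table, the role-to-permission mapping, the `RequestContext` fields and the event names are all assumptions made for the example. The point it shows is that the tenant filter is applied inside the data-access layer rather than left to each caller, so a request from one tenant cannot read or modify another tenant's rows even when it names their record id, and that a valid role is still required before any scoped read or write happens.

```python
"""Tenant-scoped data access with RBAC and an event-sourced write log.

Added example, not Chameleon's code. The store, roles and event shapes are
assumptions standing in for a shared relational database and a real RBAC
platform.
"""
from dataclasses import dataclass, field

# Constructed sample data: rows from two tenants interleaved in one table,
# the situation a forgotten tenant filter would expose.
TOURS = [
    {"id": 1, "tenant_id": "acme", "title": "Onboarding tour"},
    {"id": 2, "tenant_id": "globex", "title": "Billing walkthrough"},
    {"id": 3, "tenant_id": "acme", "title": "Admin settings"},
]

# Hypothetical RBAC table: role -> permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"tour:read"},
    "editor": {"tour:read", "tour:update"},
    "admin": {"tour:read", "tour:update", "tour:delete"},
}


class Forbidden(Exception):
    """Raised when the caller's role does not permit the requested action."""


@dataclass(frozen=True)
class RequestContext:
    """Tenancy key and role, derived once from the authenticated session
    and attached to the request; callers cannot substitute another tenant."""
    user_id: str
    tenant_id: str
    role: str


@dataclass
class TenantScopedStore:
    rows: list
    events: list = field(default_factory=list)  # append-only audit log of writes

    def _authorize(self, ctx: RequestContext, action: str) -> None:
        if action not in ROLE_PERMISSIONS.get(ctx.role, set()):
            raise Forbidden(f"role {ctx.role!r} may not {action}")

    def _scoped(self, ctx: RequestContext) -> list:
        # Every query passes through here, so the tenant filter is never optional.
        return [r for r in self.rows if r["tenant_id"] == ctx.tenant_id]

    def _find(self, ctx: RequestContext, tour_id: int):
        for r in self._scoped(ctx):
            if r["id"] == tour_id:
                return r
        # "Not found" rather than "forbidden": the caller learns nothing about
        # whether the id exists in some other tenant.
        return None

    def list_tours(self, ctx: RequestContext) -> list:
        self._authorize(ctx, "tour:read")
        return self._scoped(ctx)

    def get_tour(self, ctx: RequestContext, tour_id: int):
        self._authorize(ctx, "tour:read")
        return self._find(ctx, tour_id)

    def update_title(self, ctx: RequestContext, tour_id: int, title: str) -> bool:
        self._authorize(ctx, "tour:update")
        row = self._find(ctx, tour_id)
        if row is None:
            return False
        # Record the change as an event before applying it.
        self.events.append({
            "type": "TourTitleChanged",
            "tenant_id": ctx.tenant_id,
            "actor": ctx.user_id,
            "tour_id": tour_id,
            "before": row["title"],
            "after": title,
        })
        row["title"] = title
        return True


if __name__ == "__main__":
    store = TenantScopedStore(rows=[dict(r) for r in TOURS])
    acme_admin = RequestContext("u1", "acme", "admin")
    globex_editor = RequestContext("u2", "globex", "editor")
    print([r["id"] for r in store.list_tours(acme_admin)])      # acme rows only
    print(store.get_tour(globex_editor, 1))                      # None: wrong tenant
    print(store.update_title(globex_editor, 1, "hijacked"))      # False: no cross-tenant write
    print(store.update_title(acme_admin, 1, "Welcome tour"))     # True, and an event is logged
    print(store.events[-1])
```

The scoping helper is the single path to the rows, which is the property a reviewer should look for in a real code base: a tenant filter that must be remembered at each call site is the usual source of cross-tenant leaks in shared-table designs.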
All data is stored either as object storage or as relational data. All relational data is covered by nightly full backups with 30-day retention, plus 4 days of point-in-time recovery. Data recovery is offered at the system level only, in the case of corruption. We perform regular backup and recovery tests. Unless otherwise negotiated, all customer data is removed no sooner than 30 days after the end of the contract term.
Under some conditions we offer an initial response SLA for support; this varies according to organisational needs. Our deployment process is zero-downtime, and deployments occur as needed for system and application patching. Feature deployments are rolled out on a more limited, as-needed basis.
All Chameleon Creator employees are subject to confidentiality agreements that cover customer data. We communicate regularly with staff about the threats our organisation faces, including business email compromise (BEC), phishing, physical security and more.
We perform regular penetration testing to maintain independent third-party assurance of our development processes and application. Our latest reports can be made available on request.
We plan for the continuation of business operations during disruptions, and maintain appropriate, up-to-date records of our response. Our associated disaster recovery policy is maintained and tested regularly. The policy and test results can be made available on request.
We maintain an Incident Response plan that details how we detect and respond to potential cyber incidents affecting the availability, confidentiality or integrity of the Chameleon application. We also maintain a security incident record. Our incident response plan can be made available on request.