We take the security of our customers' data very seriously. At AllAnswered, we use comprehensive security technologies to protect our customers' information. This document describes the security practices and policies we have in place for our paid subscribers.
We use Amazon Web Services (AWS) to host our servers, databases and storage. AWS data centers are audited against SOC 1 (ISAE 3402), SOC 2, SOC 3, ISO 27001 and ISO 9001. Those attestations cover the underlying AWS infrastructure; securing the AllAnswered application and its configuration remains our responsibility, which is what the practices below describe. For more information about AWS data center compliance, please refer to: http://aws.amazon.com/compliance/.
AllAnswered restricts network traffic with firewalls in an Amazon Virtual Private Cloud (VPC), so that only explicitly permitted traffic reaches our servers.
Data in transit and at rest
Data in transit over the network is encrypted with Transport Layer Security (TLS, still commonly called SSL) using AES-256 cipher suites, to prevent eavesdropping and man-in-the-middle (MITM) attacks. Storage at rest in the production network is also encrypted with AES-256. All encryption keys are stored and managed on the server side. User passwords are never stored in plain text; they are stored as PBKDF2 hashes with SHA-256, a password stretching mechanism recommended by NIST (SP 800-132).
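The paragraph above names the password storage scheme but not the details that make PBKDF2 effective. The following is an added example written for this page, not AllAnswered's own code: a per-user random salt, an explicit iteration count stored alongside the hash so it can be raised later, and constant-time verification. The 16-byte salt, the 600,000-iteration default, the record format and the function names are assumptions, not facts from the page. A plain unsalted SHA-256 is shown alongside as the anti-pattern PBKDF2 replaces.

```python
"""Password storage with PBKDF2-HMAC-SHA256.

Added example; this is not AllAnswered's code. The per-user 16-byte random
salt, the 600,000-iteration default and the self-describing record format
"pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>" are assumptions, not
details stated on the page.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DK_LEN = 32


def weak_hash(password: str) -> str:
    """The anti-pattern PBKDF2 replaces: one unsalted SHA-256.
    Fast to brute-force, and identical for every user with the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record; a fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def _parse(record: str) -> Tuple[int, bytes, bytes]:
    """Split a record into (iterations, salt, expected_hash); raises ValueError if malformed."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported algorithm")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record used fewer iterations than current policy.
    Call after a successful login to upgrade old records transparently."""
    try:
        stored, _, _ = _parse(record)
    except (ValueError, TypeError):
        return True
    return stored < iterations
```

Because the iteration count travels with each record, the cost can be raised as hardware gets faster: `needs_rehash` flags old records on login, and the password (available at that moment) is rehashed with the new setting.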
Customer data is stored in multi-tenant datastores and segregated logically by the AllAnswered application. User data is versioned and backed up regularly across physical locations to prevent data loss. All infrastructure changes are logged with AWS CloudTrail and archived for governance, compliance and operational auditing.
Authentication and authorization
To further reduce the risk of unauthorized access to customer data, AllAnswered requires multi-factor authentication for administrative access to systems. Direct access to production servers is over Secure Shell (SSH) using key-based authentication, with private keys held in a protected keystore.
Access to infrastructure resources and applications is role-based and limited to staff with the right permissions. The operations team has access to the infrastructure necessary to run our service. AllAnswered does not hire third-party contractors to maintain its infrastructure.
Cookies and sessions
When a user signs in to an AllAnswered account, a cookie is stored that contains a security token identifying the user. This cookie is used to re-authenticate the user when the session expires. Signing out of the account clears this cookie.
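To make the lifecycle above concrete (issue on sign-in, re-authenticate from the cookie, clear on sign-out), here is an added example written for this page; it is not AllAnswered's code and the page does not describe how its tokens are built. The 32-byte random token, storing only a SHA-256 fingerprint of the token server-side, the cookie name `aa_session`, the `Secure`/`HttpOnly`/`SameSite=Lax` attributes and token rotation on re-authentication are all assumptions.

```python
"""Session cookie lifecycle: issue on sign-in, resolve on each request,
re-authenticate with rotation, clear on sign-out.

Added example; this is not AllAnswered's code. Token size, the fingerprint-only
server-side store, the cookie name and the cookie attributes are assumptions.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

COOKIE_NAME = "aa_session"   # assumption: the page does not name the cookie


def _fingerprint(token: str) -> str:
    # Only a hash of the token is stored: a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def set_cookie_header(token: str, max_age: int) -> str:
    # Secure: HTTPS only. HttpOnly: invisible to page scripts (limits XSS impact).
    # SameSite=Lax: not attached to cross-site POSTs (limits CSRF).
    return (f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; "
            f"Secure; HttpOnly; SameSite=Lax")


def clear_cookie_header() -> str:
    # Max-Age=0 instructs the browser to delete the cookie immediately.
    return f"{COOKIE_NAME}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """In-memory table: token fingerprint -> (user_id, expiry as epoch seconds)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def sign_in(self, user_id: str, ttl_seconds: int,
                now: Optional[float] = None) -> Tuple[str, str]:
        """Create a session; return (token, Set-Cookie header). The raw token is never stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[_fingerprint(token)] = (user_id, now + ttl_seconds)
        return token, set_cookie_header(token, ttl_seconds)

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented cookie token to a user id; None if unknown or expired."""
        now = time.time() if now is None else now
        fp = _fingerprint(token)
        entry = self._sessions.get(fp)
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            del self._sessions[fp]                 # expired sessions are purged on sight
            return None
        return user_id

    def rotate(self, token: str, ttl_seconds: int,
               now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Re-authenticate from a valid cookie: accept it once, invalidate it, issue a fresh token."""
        user_id = self.user_for(token, now)
        if user_id is None:
            return None
        self._sessions.pop(_fingerprint(token), None)
        return self.sign_in(user_id, ttl_seconds, now)

    def sign_out(self, token: str) -> str:
        """Invalidate the server-side session and return the header that clears the cookie."""
        self._sessions.pop(_fingerprint(token), None)
        return clear_cookie_header()

    def stores_raw_token(self, token: str) -> bool:
        """Diagnostic: confirms the table never holds the token itself."""
        return token in self._sessions
```

Sign-out must do both halves: deleting the cookie client-side is not enough on its own, since a copied token would still resolve; the server-side entry is removed first, and the `Max-Age=0` header is what the page's "clear this cookie" step sends to the browser.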
Most modern browsers automatically accept cookies, but you can change your browser settings to stop automatically accepting cookies or to prompt you before accepting cookies. Please note, however, that if you don’t accept cookies, you may not be able to access all features of our service.
AllAnswered targets 99.9% uptime by building redundancy throughout the infrastructure stack, including multiple instances in different availability zones, to maintain a secure and reliable service for our customers.
Billing and PCI DSS compliance
Anyone involved in the processing, transmission or storage of credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). AllAnswered does not store, process or transmit card data directly. Instead, credit card information is sent directly to Stripe, our payment partner, which is a PCI Level 1 Service Provider.
Export your data
You have complete control over your own data. If you want to back it up or take it elsewhere, you can export all posts of each community in your team. The exported files are in comma-separated values (CSV) format. For more comprehensive export options, please contact firstname.lastname@example.org directly.
Report a security vulnerability
If you discover a security issue in the AllAnswered service, we ask that you report it to us confidentially so that our users remain protected while it is fixed. Please email the details to our security team at email@example.com. Our security team will confirm receipt of your message, review the issue and plan appropriate mitigation.