Data Security
Data security is a matter of trust and your trust is very important for us. We respect your private legal sphere.
Data Security & source code
AIMS is delivered via Hypertext Transfer Protocol (HTTPS) for secure communication between the various client interfaces and AIMS, encrypted by Transport Layer Security (TLS).
If there is damage to any portion of the database or front end due to disastrous failure – such as a disk crash, the recovery method restores a past copy of the database and/or source code that was backed up to archival storage
Physical Security
AIMS is hosted by Digital Ocean. Their datacenters are co-located in some of the most respected datacenter facility providers in the world. They leverage all of the capabilities of these providers including physical security and environmental controls to secure their infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by their datacenter facilities includes but is not limited to:
- 24/7 Physical security guard services
- Physical entry restrictions to the property and the facility
- Physical entry restrictions to their co-located datacenter within the facility
- Full CCTV coverage externally and internally for the facility
- Biometric readers with two-factor authentication
- Facilities are unmarked as to not draw attention from the outside
- Battery and generator backup
- Generator fuel carrier redundancy
- Secure loading zones for delivery of equipment
Infrastructure Security
DigitalOcean’s infrastructure is secured through a defense-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.
Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a
System are able to login. They consider any system which houses customer data that they collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.
Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure
Access Logging
Systems controlling the management network at DigitalOcean log to their centralized logging environment to allow for performance and security monitoring. Their logging includes system actions as well as the logins and commands issued by their system administrators.
Security Monitoring
DigitalOcean’s Security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within their infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following their incident reporting and response procedures.
Droplet Security & Employee Access
The security and data integrity of customer Droplets is of the utmost importance at DigitalOcean. As a result, their technical support staff do not have access to the backend hypervisors where virtual servers reside nor direct access to the NAS/SAN storage systems where snapshots and backup images reside. Only select engineering teams have direct access to the backend hypervisors based on their role
Snapshot and Backup Security
Snapshots and Backups are stored on an internal non-publicly visible network on NAS/SAN servers. Customers can directly manage the regions where their snapshots and backups exist which allows the customer to control where their data resides within their datacenters for security and compliance purposes.