Security and privacy at Elevent

Security is at the heart of what we do—helping our customers improve their security and compliance posture starts with our own.


Governance

Elevent’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.


Our policies are based on the following foundational principles:

  1. Access to systems is limited to only those who have a business need to know and is provisioned based on the principle of least privilege.
  2. Security controls include independent and layered controls according to the principle of defense-in-depth.
  3. Security controls should be applied consistently across all areas of the company.
  4. The implementation of controls should be continually evaluated and improved to ensure the highest efficacy and protection.

Security and Compliance at Elevent

Elevent is undergoing a SOC 2 Type II attestation. Our SOC 2 Type I report certificate will be available in our Trust Center.

Elevent maintains compliance with:

  • SOC 2 Type II (in progress)

Data protection

Data at rest

All customer data at rest, in addition to S3 buckets, is encrypted. Access to sensitive workloads is controlled and restricted to those who need to know. This ensures the greatest possible protection for the information that our customers entrust to us. Logs are also stored in the same environment and protected with the same level of encryption, ensuring the strongest possible safeguards.

Data in transit

Elevent uses TLS/SSL for all our data in transit. Data in transit is also subject to endpoint encryption and secure connections. Data transfers from one place to another are encrypted, and user information is transmitted using the highest standards of security protocols. This ensures that data is secure while moving between environments. Elevent also uses Okta as an additional layer of authentication.

Secret management

Encryption keys are managed via AWS Key Management Service (KMS), allowing us to manage hardware security modules, including key rotation, within a secure boundary. Our keys are stored in HSMs (Hardware Security Modules), ensuring that only authorized personnel can access the keys. Key rotation is enforced, and access controls over these encryption keys maintain their safety. Application secrets are documented and stored securely in AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.


Product security

Penetration testing

Elevent engages one of the best penetration testing companies in the industry three times a year. Our partners perform full-scope tests against Elevent’s security measures.

At each test, Elevent’s product and internal infrastructure are subjected to rigorous testing. All findings are remediated and retested, ensuring that all issues identified are resolved, and security measures are further strengthened.

Vulnerability scanning

Elevent continuously and proactively scans for potential risks:

  • Static analysis (SAST) testing of code before pull requests and on an ongoing basis.
  • Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
  • Dynamic application security testing (DAST) for running applications.
  • Network vulnerability scanning on a periodic basis.


Enterprise security

Endpoint protection

A rigorous defense is centrally managed and integrated with mobile device management (MDM) and endpoint management. Elevent endpoints are protected by anti-malware, MDM, and MAM systems. Elevent IT manages a registry of configurations and updates, such as disk encryption, screen lock configurations, and software updates.

Security education

We provide continuous security training to all employees upon onboarding and annually thereafter. Additionally, we run weekly security stand-downs, send security newsletters, and hold quarterly security all-hands meetings to promote and enhance a robust security culture. All new employees are also trained in mandatory onboarding sessions focused on secure coding principles and protocols.

Elevent’s security team runs regular threat modeling with employees from different parts of the organization to enhance security awareness and collaboration.

Identity and access management

Elevent uses AWS Cognito for secure identity and access management. We enforce the use of multi-factor authentication for all critical systems, along with password policies. Elevent employees are granted access to applications based on their role and responsibilities, and privileged access is restricted further with two-factor authentication.


Vendor security

Elevent uses a risk-based approach to vendor security. Vendors are thoroughly vetted before onboarding and are subject to ongoing monitoring of vendor security practices.

  • Access to customer and corporate data
  • Integration with products and services
  • Potential damage to the Elevent brand

Once the inherent risk rating has been determined, the security team reviews the vendor’s security documentation to ensure that the vendor can meet the requirements. This includes evaluating individual risk ratings and general risks to the Elevent environment.

Data privacy

At Elevent, data privacy is a first-class priority—we strive to be trustworthy stewards of all sensitive data.

Privacy Policy and Terms and Conditions

View Elevent’s privacy policy and our terms and conditions.

© 2024 Elevent, Inc. All rights reserved.

 
