Elba is achieving its SOC 2 Type 2 certification for three trust service criteria (Security, Availability, and Confidentiality) and will be audited annually.
We are GDPR compliant as a data processor.
elba hosts all data utilizing industry-leading EU-based Amazon Web Services (AWS) facilities, which include 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.
Data submitted to elba by authorized users is considered confidential. All data sent to or from Elba infrastructure is encrypted in transit using Transport Layer Security (TLS) v1.2. All data is encrypted at rest using military-grade AES-256 encryption. High-risk data have multiple levels of encryption applied.
elba’s infrastructure is continually monitored for security vulnerabilities and updates are applied automatically.
The following policies are followed and enforced at elba:
Acceptable Use Policy, Asset Management Policy, Backup Policy, Business Continuity Plan, Change Management Policy, Code of Conduct, Cryptography Policy, Data Classification Policy, Data Deletion Policy, Disaster Recovery Plan, Data Protection Policy, Expense and Gift Policy, , Hiring Policy, ISMS Plan, Network Security Standard, Password Policy, Physical Security Policy, Policy Management Policy, Responsible Disclosure Policy, Risk Assessment Program, , Security Incident Response Plan, System Access Control Policy, Vendor Management Policy, Vulnerability Management Policy.
These policies are followed by all elba employees, who review and accept the policies a minimum of once per year.
Access to customer data is limited to functions that have a business requirement to do so.
Employees are required to use a VPN to access AWS resources, and all servers and databases are inside of VPC with minimum access policies. Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Elba has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.
Elba employees are given minimum access to customer data based on their responsibilities. All employee access to systems is logged and audited for security purposes.
Elba runs automated container and application security scans on a daily basis, and package dependency security advisory scans on a weekly basis. In addition, Elba undergoes penetration testing by a third party at least annually. We also maintain separate production and testing environments.
Elba uses a number of third party applications and services to support the delivery of our products to our customers. Elba's Security team has established a vendor management program that sets forth the requirements for Elba to engage with third party service providers.