Security

The Otterly.AI software and all its services are hosted and managed within the AWS (Amazon Web Services) secure data centers.

These centers all come with certain certifications:
- SOC 1 and SOC 2/SSAE16/ISAE 3402
- ISO 27001

We use Amazon's hosting in EU-central-1 (Frankfurt), US (North Virginia). We are using the available AWS services to protect data privacy and control access to our entire network. If you are interested in more specific details about these certifications, please have a look at the AWS compliance center.

Latest versions and security patches‍
We are working continuously to have the latest version of software and security patches installed.

Vulnerability scans
Our system is regularly (at least annually) audited and tested to identify any vulnerabilities. We are also using security tools to check for vulnerabilities of our code and watch-guard for potential risks. Each upcoming risk is reported, classified, and promptly fixed and patched.

We are working hard to prevent SQL injections, XSS vulnerabilities, and other common issues.

Redundant services and failover
Our services are built for failover. In case a service fails there are always redundant services to take over the job. This allows us to provide a consistent and reliable service to our customers.

All databases are replicated synchronously to quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database and securely move them to a separate data center. Then we are able to restore them elsewhere as needed, even in the event of a regional data center failure.

Firewalls
Our system, servers, and networks are secured by various firewalls which are regularly checked and updated. We only provide one access path with open ports 80 and 443 for HTTP(S) traffic. All other systems, servers, and networks are protected and limited to our internal network. Only authorized personnel with a profound background check have access to our server infrastructure. The access to our data centers is secured through VPN and 2-factor authentication.

Code Reviewing
Our development team uses a modern software development approach to ensure the development of secure, reliable, fast and flexible software. We are using a revision control system (git). Any changes to our source code base go through a suite of automated tests (if available). When code changes pass the automated testing system and manual reviews, the changes are deployed to a staging server. In this staging server, our employees are able to test changes before an eventual push to production servers and our customer base.

We also add a specific security review for particularly sensitive changes and features. Our engineers can pick critical updates and push them immediately to production servers.

In addition to a list where all access control changes are published, we have a suite of automated unit tests that checks whether access control rules are written correctly and enforced as expected. We also work with third-party security professionals to protect your data.

Data storages
All data storages are not directly accessible to the outside/internet. Access to data stores with customer data is limited to systems that require this access. All data is encrypted while in transport by using enhanced encryption mechanisms like SSL etc.

All our connections are encrypted via Transport Layer Security (TLS) with version v1.2. We have implemented encryption of all data in rest. All production environments are separated from testing environments.

Data segregation and data access
‍All accounts and data of each customer are separated by unique IDs. These can only be accessed by the customers’ team members. Our customer success team will only access a customer's account after a clear request by the customer.

‍Backups & disaster recovery
‍All data is backed up daily, secured by encryption, and stored for 30 days.

Deleted data is not removed from backups to allow for the possibility to recover in case of deletion. All previous backup data is removed after 90 days. We are reviewing our backups at least annually and simulate a full backup recovery.

‍Logs
‍Our system is storing logs to reproduce any faults or track security breaches. No personal data is stored within our logs.

We are compliant with the EU General Data Protection Regulation (GDPR) which should help to protect personal data and give individual users more rights and control of their personal data. We are a processor in terms of GDPR.

We are only storing some personal data (Personally Identifiable Information (PII)) in the form of name and email of your users.

We are storing data in the European Union (EU) and in the United States (US). If we have a sub-processor that is not processing in the EU, we ensure through an EU-SCC and a DPA that the sub-processor has an adequate security standard.  For more information and our Data Privacy Agreement, please read our GDPR page.

Privacy policy
‍We demonstrate our company’s commitment to privacy. Please read our privacy statement.

Passwords & sessions
We can not retrieve any password as we currently don't provide passwords. We encourage our customers to use strong passwords to increase their security and protection of their personal data. Every access to our application is secured by a session that is invalidated in case of unauthorized access or after a certain time of inactivity.

Login and Google oAuth
Besides the standardized email and sign-in link via email to our system, Otterly.AI offers our customers and users the possibility to access our system via Google oAuth.

Permissions and roles
Otterly.AI offers different roles with different permissions within our system. Admins have all access and managing permissions, while members can only view most of the items.

Secure transport via HTTPS
Our system enforces traffic via HTTPS (port 443). Requests to web resources and access to our REST API can only be obtained via SSL.

Encryption at transport and at rest.
Our feedback platform uses industry-standard encryption algorithms for encrypting your data in transport, as well as at rest.

‍Security training
Security is only effective if it is practiced regularly. That’s why our team and employees have to conduct security training outlined in our policies regularly after joining.

Confidentiality
All employees and partners have signed a confidentiality agreement protecting your personal data in accordance with EU law regarding GDPR.

Every Otterly.AI employee and partner has to sign a Data Access Policy that binds them to the terms of our data confidentiality policies.

Payment processing & PCI compliance
All credit card payments paid to Otterly.AI are processed by our payment partner Stripe. Find more information about their security protection and PCI certification on their Security page. We have no access to your credit card information.