At Observe.AI, security and privacy are the very underpinnings of what we do. We regularly evaluate our security procedures and technologies, including firewalls and encryption, to safeguard your information. We strive to be transparent in our use and protection of data while keeping the underlying data secure. We integrate strong security and global data privacy practices and standards, including ISO 27001, PCI DSS, GDPR, CCPA and SOC 2 Type 2, to balance low-friction security controls against your employees’ and customers’ privacy rights.
Observe.AI leverages enterprise-grade security. Since customers entrust sensitive data to our care, keeping it secure and safe is our mission. We encrypt your data in transit and at rest. Our web applications undergo regular vulnerability assessments, penetration testing and security reviews. Our security and privacy architecture enables you to remain compliant with global standards. We are also ISO 27001:2013 certified. Amazon Web Services provides Observe.AI’s computing infrastructure.
We classify data based on sensitivity and protect it using risk-based controls. We encrypt data when it transits public networks and at rest. We limit access to data through role-based access control (RBAC), multi-factor authentication and, where appropriate, extensive logging. We monitor our networks at both the operations and security level 24/7, leveraging our global team.
Observe.AI uses Amazon Web Services (AWS) exclusively to host its staging and production environments, which provides almost 100% uptime for our servers.
We employ a secure development life cycle with built-in security controls. All customer data is encrypted both in transit and at rest using AES-256. For AWS S3, we support per-customer dedicated S3 buckets with unique encryption keys.
We perform internal and external penetration testing regularly, and Observe.AI is committed to annual external penetration testing by a specialized external team. The executive summaries are available to customers upon request. Additionally, we use multiple vulnerability scanning services and tools to continuously scan our application for vulnerabilities, from both outside and inside, on weekly, monthly, quarterly and annual cycles.
We employ multiple solutions to provide continuous threat intelligence and vulnerability testing, with real-time alerting. Static and dynamic code analysis is a core component of our continuous integration and delivery approach to software development. We also use the best endpoint security tooling, which is updated daily and runs daily scans for any anomaly.
We have a dedicated internal security team that is responsible for reviewing, updating, testing and maintaining our security and privacy controls. They also lead our preparations for new certifications, handle security threats, and assess new vendors.
All engineering projects must go through architecture reviews and receive sign-off from the security team before work can begin.
Engineers are required to complete a security review checklist as part of the software development life cycle for all code changes. We have implemented, and regularly review, our Secure Software Development Life Cycle (SSDLC), so that security is addressed at every stage of development. We use both SAST and DAST in our security code review, which helps us remove bugs as early as possible.