Robust data encryption
We encrypt your data at rest, including emails and calendar events, using 256-bit AES encryption in storage and 256-bit SSL/TLS encryption in transit. Our database is hosted in a Virtual Private Cloud with Amazon Web Services (AWS). AWS follows top IT security standards, including SOC 3, PCI DSS Level 1, and MTCS Level 3. Furthermore, we also encrypt email and calendar event data at the column level in-memory using 128-bit AES encryption. Lastly, to ensure the security of our database, we rotate our encryption keys regularly.
Network security
We divide our systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Affinity’s production website. All systems in our infrastructure use firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.
Privacy and visibility
Affinity is built upon being able to view and understand how your firm interacts with other people and companies. As such, you are able to view email subjects, email recipients, calendar event titles, and calendar participants across your entire firm. However, the content of each email is never viewable by anyone who did not originally receive the email. In order to receive the full benefits of using our platform, we strongly encourage all users to remain with the default privacy settings. However, we recognize that some user may be more privacy-conscious, and do provide users the option to hide all of their email subjects and event titles from their team. Additionally, for more granular customization, we allow users to specify a list of hidden people. Any emails or events between those people and your team will not be displayed on our platform to anyone.
Secure authentication
We ensure user information and identity protection by adhering to OAuth 2.0 when connecting to Google Accounts. OAuth is the industry standard for authorizing secure access to external applications without providing them with your password. When connecting Affinity to Google via OAuth, we never receive or store your password, and you can revoke access to Affinity at any time. We store Microsoft Exchange credentials using AES 256-bit encryption. Credentials are only accessed when communicating with the Microsoft Exchange servers during standard authentication processes. If at any time, you would like to disconnect or change your Microsoft Exchange account from Affinity, you may contact us at support@affinity.co.
Automated audit logs
Any access to customer data in cases when customers need our assistance is exhaustively logged and regularly audited. No data is accessed unless we cannot provide support to our customers without doing so.
Internal data access
Our team signs a comprehensive privacy policy based on industry best practices, which define procedures and controls in place to appropriately limit access to customer data. Our developers do not have direct access to customer data, and the dataset our developers work with is entirely anonymized. This means that none of your data can be accessed by anyone other than members of your organization.
Uptime and durability
Encrypted backups are saved each day to ensure your data is safe and secure. We use high availability backups that are stored redundantly across multiple availability zones to minimize the chance of data loss. We also use third-party monitoring services to track Affinity’s availability, with engineers on call to address any outages.
Employee password policies
No live or anonymized data lives on employees’ computers. Nevertheless, we still enforce that all employee computers have full disk encryption enabled and use strong passwords. Each Affinity employee is provided with a 1Password account (a password manager) to enable secure password creation and storage.
Virtual Private Network
All access to systems in our infrastructure as well as customer data is limited by a Virtual Private Network (VPN). Strict password policies are enforced when authenticating with the VPN server and all communication is securely done over TLS 1.2. The authenticity of the VPN server is verified by a certificate issued by a publicly trusted Certificate Authority (CA).
Two-factor authentication
In addition to a password-protected VPN, two-factor authentication (2FA) is required to access our production infrastructure and customer data. 2FA is also required to communicate internally and externally, as well as to access internal tools such as for the purposes of task management, system monitoring, wikis, and source code version control.
Security and bug bounty program
We hold ourselves to the highest possible standard of security, and have an active bug bounty program to reward security researchers for their work in uncovering potential security issues in our product.
