SOC 2 Compliant
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The reports cover IT General controls and controls around availability, confidentiality and security of customer data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.
Additional information can be found here.
Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
Additional information can be found here.
GDPR compliant
The General Data Protection Regulation (GDPR), which takes effect this week on May 25th, is a comprehensive European Union privacy regulation that gives EU citizens and other individuals in the EU authority over their own personal data. The GDPR seeks to harmonize existing data protection laws across Europe and standardize data protection rules. GDPR is a significant step in an evolving quest to protect privacy rights.
Additional information can be found here.
TrustArc
Affinity partnered with TrustArc, the leader in privacy compliance and data protection for over two decades, to ensure GDPR compliance in 2018. Affinity is committed to on-going efforts to ensure our customer's data is safe and secure.
Additional information can be found here.
Robust data encryption
We encrypt your data at rest, including emails and calendar events, using 256-bit AES encryption in storage and 256-bit SSL/TLS encryption in transit. Our database is hosted in a Virtual Private Cloud with Amazon Web Services (AWS). AWS follows top IT security standards, including SOC 3, PCI DSS Level 1, and MTCS Level 3. Furthermore, we also encrypt email and calendar event data at the column level in-memory using 128-bit AES encryption. Lastly, to ensure the security of our database, we rotate our encryption keys regularly.
Network security
We divide our systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Affinity’s production website. All systems in our infrastructure use firewalls to restrict access from external networks and between systems internally. To mitigate both internal and external risk, access is restricted to only the ports and protocols required for specific business needs.
Privacy and visibility
Affinity is built upon being able to view and understand how your firm interacts with other people and companies. As such, you are able to view email subjects, email recipients, calendar event titles, and calendar participants across your entire firm. However, the content of each email is never viewable by anyone who did not originally receive the email. In order to receive the full benefits of using our platform, we strongly encourage all users to remain with the default privacy settings. However, we recognize that some user may be more privacy-conscious, and do provide users the option to hide all of their email subjects and event titles from their team. Additionally, for more granular customization, we allow users to specify a list of hidden people. Any emails or events between those people and your team will not be displayed on our platform to anyone.
Secure authentication
We ensure user information and identity protection by adhering to OAuth 2.0 when connecting to Google Accounts. OAuth is the industry standard for authorizing secure access to external applications without providing them with your password. When connecting Affinity to Google via OAuth, we never receive or store your password, and you can revoke access to Affinity at any time. We store Microsoft Exchange credentials using AES 256-bit encryption. Credentials are only accessed when communicating with the Microsoft Exchange servers during standard authentication processes. If at any time, you would like to disconnect or change your Microsoft Exchange account from Affinity, you may contact us at support@affinity.co.
Automated audit logs
Any access to customer data in cases when customers need our assistance is exhaustively logged and regularly audited. No data is accessed unless we cannot provide support to our customers without doing so.
Internal data access
Our team signs a comprehensive privacy policy based on industry best practices, which define procedures and controls in place to appropriately limit access to customer data. Our developers do not have direct access to customer data, and the dataset our developers work with is entirely anonymized. This means that none of your data can be accessed by anyone other than members of your organization.
Uptime and durability
Encrypted backups are saved each day to ensure your data is safe and secure. We use high availability backups that are stored redundantly across multiple availability zones to minimize the chance of data loss. We also use third-party monitoring services to track Affinity’s availability, with engineers on call to address any outages.
Employee password policies
No live or anonymized data lives on employees’ computers. Nevertheless, we still enforce that all employee computers have full disk encryption enabled and use strong passwords. Each Affinity employee is provided with a 1Password account (a password manager) to enable secure password creation and storage.
Virtual Private Network
All access to systems in our infrastructure as well as customer data is limited by a Virtual Private Network (VPN). Strict password policies are enforced when authenticating with the VPN server and all communication is securely done over TLS 1.2. The authenticity of the VPN server is verified by a certificate issued by a publicly trusted Certificate Authority (CA).
Two-factor authentication
In addition to a password-protected VPN, two-factor authentication (2FA) is required to access our production infrastructure and customer data. 2FA is also required to communicate internally and externally, as well as to access internal tools such as for the purposes of task management, system monitoring, wikis, and source code version control.
Security and bug bounty program
We hold ourselves to the highest possible standard of security, and have an active bug bounty program to reward security researchers for their work in uncovering potential security issues in our product.
