We take security very seriously at Aflorithmic Labs (trading as "AudioStack"). The security of customer data, of our products, and of our services is a top priority. AudioStack's best-in-class security starts at the foundational level and includes internal threat models, routine internal and external security assessments, and secure software development.
AudioStack uses best-in-class security practices to maintain a high level of security.
AudioStack’s systems, processes, and controls are regularly audited as part of our SOC 2 compliance programmes. SOC 2 Type II reports are produced annually and can be provided upon request.
AudioStack’s suite of information security policies and their overarching design are aligned with the NIST Cybersecurity Framework. Our security practices meet the standards of our enterprise customers who must provide secure products.
We continuously implement evolving privacy and data protection processes, procedures, and best practices under all applicable privacy and data protection regimes. For more information, see the following resources:
- Data Process
Security is one of AudioStack’s guiding principles for all our product design and infrastructure decisions. We offer a range of features to help our users better protect their AudioStack data.
We mandate the use of HTTPS for all services, including our public website and the Platform. We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with AudioStack only over HTTPS.
All data sent to or from AudioStack is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
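The two paragraphs above rely on HSTS to keep browsers on HTTPS. An HSTS policy is only as strong as the header actually served: a missing `max-age`, a short lifetime, or a policy that skips subdomains leaves a gap. The following is an added example (not AudioStack's code) of the check a defender would run over captured `Strict-Transport-Security` headers. It parses the header per RFC 6797 (directive names are case-insensitive, `max-age` is required, a malformed `max-age` invalidates the whole header) and grades it against the thresholds the browser preload list requires: `max-age` of at least one year, `includeSubDomains`, and `preload`. The sample headers are constructed.

```python
"""Parse and grade Strict-Transport-Security headers (added example; not AudioStack's code).

Parsing follows RFC 6797; the grading bar is the browser HSTS preload-list
requirement (max-age >= 31536000 seconds, includeSubDomains, preload).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR_SECONDS = 31536000  # preload list minimum for max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Return the policy a browser would apply, or None if the header is absent or invalid.

    Per RFC 6797 the header is ignored entirely when max-age is missing,
    non-numeric, or when any directive appears more than once.
    """
    if header is None:
        return None
    seen = set()
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # quoted-string form is allowed
        if name in seen:
            return None  # duplicate directive invalidates the header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: browsers ignore the header
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def check_hsts(header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means preload-grade HSTS."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    findings: List[str] = []
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif policy.max_age < ONE_YEAR_SECONDS:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains can still be reached over HTTP")
    if not policy.preload:
        findings.append("preload missing; first visit is not protected")
    return findings


def audit_hosts(captured: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Grade several hosts' headers at once; returns only hosts with findings."""
    return {host: f for host, f in ((h, check_hsts(v)) for h, v in captured.items()) if f}


# Constructed sample headers, as if captured from several endpoints.
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "api.example.test": "max-age=31536000; includeSubDomains; preload",
    "www.example.test": "max-age=300",
    "legacy.example.test": None,
    "docs.example.test": 'Max-Age="63072000"; preload',
}

if __name__ == "__main__":
    for host, findings in audit_hosts(SAMPLE_HEADERS).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Only hosts with findings are reported, so a clean audit prints nothing; wire `audit_hosts` to headers pulled from real responses to turn the statement "HSTS fully enabled" into a repeatable check.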
Our security teams test our infrastructure regularly by scanning for vulnerabilities and conducting penetration tests and red team exercises. We hire industry-leading security companies to perform third-party scans of our systems, and we immediately address their findings. Our servers are frequently and automatically replaced to maintain server health and discard stale connections or resources. Server operating systems are upgraded well in advance of their security end of life (EOL) date.
AudioStack takes a zero-trust approach to employee access management. Employees are authenticated using SSO, two-factor authentication (2FA) with a hardware-based token, and mTLS through a cryptographic certificate on AudioStack-issued machines. After connecting to the network, sensitive internal systems and those outside the scope of the employee's standard work require additional access permissions.
We monitor audit logs to detect abnormalities and watch for intrusions and suspicious activity, and also monitor changes to sensitive files in our code base. All of AudioStack’s code goes through multi-party review and automated testing. Code changes are recorded in an immutable, tamper-evident log. We constantly collect information about AudioStack-issued laptops to monitor for malicious processes, connections to fraudulent domains, and intruder activity. We have a comprehensive process for allowlisting what software can be installed on employee laptops, preventing the installation of non-approved applications.
Our developers work with security experts early in a project’s life cycle. As part of our Security Review process, security experts develop threat models and trust boundaries that help guide the implementation of the project. Developers use this same process to make changes to sensitive pieces of code.
We require every AudioStack employee to complete security education annually, and we provide secure software development training to AudioStack engineers. We run internal phishing campaigns to test everyone at AudioStack on recognising phishing attempts and flagging them to the appropriate security team.
We have a formal process for granting access to systems and information; we regularly review and automatically remove inactive access. Actions within the most sensitive areas of the infrastructure need a human review. To enable best practices for access control, our security experts build primitives to assist AudioStack teams in implementing the principle of least privilege. To minimise our exposure, we have a data retention policy that minimises the data we keep while complying with regulatory and business requirements.
We maintain a vulnerability disclosure and reward (“bug bounty”) programme that compensates independent security researchers who help us keep our users safe. By submitting a security bug or vulnerability to AudioStack through [email protected] you can be eligible for a reward.