Security
We take security very seriously at Aflorithmic Labs (trading as "AudioStack"). The security of customer data, of our products, and of our services is a top priority. AudioStack's best-in-class security starts at the foundational level and includes internal threat models, routine internal and external security assessments, and secure software development.
Standards and regulations compliance
AudioStack uses best-in-class security practices to maintain a high level of security.
System and Organization Controls (SOC) reports
AudioStack's systems, processes, and controls are regularly audited as part of our SOC 2 compliance programmes. SOC 2 Type II reports are produced annually and can be provided upon request.
NIST Cybersecurity Framework
AudioStack's suite of information security policies and their overarching design are aligned with the NIST Cybersecurity Framework. Our security practices meet the standards of our enterprise customers who must provide secure products.
Privacy and data protection
We continuously implement evolving privacy and data protection processes, procedures, and best practices under all applicable privacy and data protection regimes. For more information, see the following resources:
- Privacy Policy
- Data Process
Security features and functionality
Security is one of AudioStack's guiding principles for all our product design and infrastructure decisions. We offer a range of features to help our users better protect their AudioStack data.
HTTPS and HSTS for secure connections
We mandate the use of HTTPS for all services, including our public website and the Platform. We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with AudioStack only over HTTPS.
Encryption
All data sent to or from AudioStack is encrypted in transit using 256 bit encryption. Our API and application endpoints are TLS/SSL only and score an "A" rating on Qualys SSL Labs' tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
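The two sections above rely on browsers honouring a Strict-Transport-Security header, and that only happens if the header is well formed and carries a long enough max-age. The following is an added example, not AudioStack's code: it parses the header value the way RFC 6797 describes (directive names are case-insensitive, unknown directives are ignored) and reports the policy gaps a reviewer would check for. The header values in SAMPLES are constructed for illustration; the one-year minimum is a common recommendation, not an AudioStack setting.

```python
"""Parse and check a Strict-Transport-Security (HSTS) response header."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 60 * 60  # 31536000 seconds, the usual minimum max-age


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None when the directive is absent
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split the directive list on ';' and pick out the directives browsers act on.

    A non-numeric max-age raises ValueError, because a browser would discard
    the whole header in that case.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header_value: Optional[str], min_age: int = ONE_YEAR) -> list:
    """Return the list of problems with the header; an empty list means it passes."""
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive missing; browsers ignore the header")
    elif policy.max_age == 0:
        findings.append("max-age=0 clears the stored policy instead of enforcing one")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the recommended {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    return findings


# Constructed sample header values (not captured from any real host)
SAMPLES = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "cleared": "max-age=0; includeSubDomains",
    "broken": "max-age=forever; includeSubDomains",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        problems = hsts_findings(value)
        print(f"{label:8s} {value!r}")
        for problem in problems or ["ok"]:
            print(f"    {problem}")
```

Run it once with no arguments to see each sample evaluated; in practice the value passed to `hsts_findings` would come from a live response's `Strict-Transport-Security` header.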
Infrastructure safeguards
Our security teams test our infrastructure regularly by scanning for vulnerabilities and conducting penetration tests and red team exercises. We hire industry-leading security companies to perform third-party scans of our systems, and we immediately address their findings. Our servers are frequently and automatically replaced to maintain server health and discard stale connections or resources. Server operating systems are upgraded well in advance of their security end of life (EOL) date.
Corporate technology
AudioStack takes a zero-trust approach to employee access management. Employees are authenticated leveraging SSO, two-factor authentication (2FA) using a hardware-based token, and mTLS through a cryptographic certificate on AudioStack-issued machines. After connecting to the network, sensitive internal systems and those outside the scope of the employee's standard work require additional access permissions.
We monitor audit logs to detect abnormalities and watch for intrusions and suspicious activity, and also monitor changes to sensitive files in our code base. All of AudioStack's code goes through multi-party review and automated testing. Code changes are recorded in an immutable, tamper-evident log. We constantly collect information about AudioStack-issued laptops to monitor for malicious processes, connections to fraudulent domains, and intruder activity. We have a comprehensive process for allowlisting what software can be installed on employee laptops, preventing the installation of non-approved applications.
Security posture maintenance
Our developers work with security experts early in a project's life cycle. As part of our Security Review process, security experts develop threat models and trust boundaries that help guide the implementation of the project. Developers use this same process to make changes to sensitive pieces of code.
Security is every AudioStack employee's job
We require every AudioStack employee to complete security education annually, and we provide secure software development training to AudioStack engineers. We run internal phishing campaigns to test everyone at AudioStack on recognising phishing attempts and flagging them to the appropriate security team.
Managing access control
We have a formal process for granting access to systems and information; we regularly review and automatically remove inactive access. Actions within the most sensitive areas of the infrastructure need a human review. To enable best practices for access control, our security experts build primitives to assist AudioStack teams in implementing the principle of least privilege. To minimise our exposure, we have a data retention policy that minimises the data we keep while complying with regulatory and business requirements.
Vulnerability disclosure and reward program
We maintain a vulnerability disclosure and reward ("bug bounty") programme that compensates independent security researchers who help us keep our users safe. By submitting a security bug or vulnerability to AudioStack through [email protected] you can be eligible for a reward.
The details of the programme are set out in the Bug Bounty Program Rules.