CommandBar Security Overview
If CommandBar were anything but extremely focused on security and privacy, we would lose the trust of our customers and cease to exist as a company.
We are extremely focused on a product that is secure, respects the privacy of users and end users, and is transparently configurable. See below for more information about how this translates into concrete practices.
We are SOC 2 Type II certified (full report available upon request). Over 90% of SOC II examinations cover only the Security trust service criteria (i.e., certification); we have taken the extra step to obtain the Security, Confidentiality, and Availability certifications.
Data stored in CommandBar Context – to personalize the CommandBar experience for end users – never leaves the client side. CommandBar can be configured to record a variety of events to help customers understand how their end users are using CommandBar (and their application). All events are optional and configurable by the customer.
CommandBar runs on Amazon Web Services (AWS) infrastructure. All CommandBar machines limit access to the least number of people necessary to keep them optimally operational. Deploys are automated to all machines, and all machines with access to CommandBar data have SSH disabled to prevent any unauthorized access to customer data.
- Data Hosting and Storage: CommandBar assets are hosted in AWS facilities in the USA (us-east-2 region).
- Failover and DR: CommandBar infrastructure and data are replicated across AWS availability zones and will continue to work in the event one of those availability zones fails.
- Virtual Private Cloud: All of our servers reside within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from accessing our internal network.
- Backups and Monitoring: Our production and event data is backed up daily.
- Disaster Recovery: All of our infrastructure and data is spread across multiple AWS availability zones. Should any one of those data centers fail, CommandBar services will be uninterrupted.
- Permissions and Authentication: Access to customer data is limited to authorized employees who require it for their job. CommandBar is served 100% over https. There are no corporate resources or additional privileges from being on CommandBar's network. We utilize 2-factor authentication (2FA) and strong password policies on all company systems (including GitHub, Google, and AWS) to ensure access to theseservices is protected.
- Encryption: All data sent to or from CommandBar is encrypted in transit using 256-bit encryption. Our API and application endpoints are served via TLS/SSL only. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
- Penetration Testing, Vulnerability Scanning, and Responsible Disclosure Program: Twice yearly CommandBar engages third-party security experts to perform detailed penetration tests on the CommandBar Bar, Editor, Web Application, and Infrastructure. We also use third party security tools to continuously scan for vulnerabilities. Our team responds promptly to issues raised. CommandBar also runs a ‘responsible disclosure’ program, which gives security researchers a platform for testing and submitting vulnerability reports.
- Incident Response: CommandBar uses a detailed protocol for handling security events. This protocol includes escalation procedures, rapid mitigation, and post mortem. All employees and contractors are informed of our incident response policies, and we require acceptance prior to employment.
If you think you might have found a security vulnerability, please get in touch with our security team at firstname.lastname@example.org.
If you have any questions, concerns, or comments unrelated to security, please contact us at email@example.com.