Security Policy
We enable our customers to focus on their video applications without worrying about infrastructure, scaling, security, and ops. The Impossible Software platform protects customers from threats by employing strict security controls at every layer from physical to application level. Our team can rapidly deploy security updates to keep customer applications protected.
Shared Responsibility
While we manage and provison infrastructure, software and services in a safe and secure manner, it is your responsibility to safeguard access to your account. Impossible Software provides a number of ways for you to identify yourself and securely access your account. A overview of your credentials can be found on the API Keys and Security page under Your Account.
Confidentiality
We place strict controls over our employees’ access to the data you and your users make available via the Impossible Software services, as more specifically defined in your agreement with Impossible Software covering the use of the Impossible Software services ("Customer Data"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of the Impossible Software services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Impossible Software services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
Security Assessments and Compliance
Data Centers
Our physical infrastructure is hosted and managed within Amazon’s secure data centers and utilize the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
ISO 27001
SOC 1/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
We use payment processor Stripe for encrypting and processing credit card payments. Stripe is PCI Level 1 compliant.
Physical Security
Impossible Software utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.
For additional information see: AWS Security
Network Security
Firewalls
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. Impossible Software utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Port Scanning
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
Data Security
Data in Transit Security
We provide HTTPS enabled endpoints for all API access and HTTS/SSL connections to databases and Amazon AWS Services to protect sensitive data transmitted to and from applications.
Data at Rest Security
Customers with sensitive data can enable encryption for all data within databases to meet their data security requirements. Data are encrypted using standard AES 256 bit encryption and keys are subject to our Key Management Infrastructure.
You may choose to use certain features which do not encrypt related data at rest. These features are documented explicitly.
Data Retention and Destruction
You have the freedom to define what data your applications store and the ability to purge data from your databases to comply with your data retention requirements. If you deprovision an application and the associated database, we maintain the database’s storage volume for one week after which time its automatically destroyed rendering the data unrecoverable.
Decommissioning hardware is managed by our infrastructure provider using a process designed to prevent customer data exposure. AWS uses techniques outlined in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data.
Business Continuity
Availability
AWS provides the flexibility to place instances and store data within multiple geographic regions as well as across multiple Availability Zones within each region. Each Availability Zone is designed as an independent failure zone. This means that Availability Zones are physically separated within a typical metropolitan region. In addition to discrete uninterruptable power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability Zones are all redundantly connected to multiple tier-1 transit providers.
Our software applications are deployed in multiple availability zones and multiple regions.
Disaster Recovery
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up nightly. The Operations team is alerted in case of a failure with this system. Backups are fully tested at least every 90 days to confirm that our processes and tools work as expected.
Backup
Databases are snapshotted once a day and the last 5 backups are kept. Customer assets are store redundantly in Amazon's S3 service.
Logging
Impossible Software maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about the Impossible Software services. These logs are analyzed for security events via automated monitoring software, overseen by the security team.
Incident Management & Response
In the event of a security breach, Impossible Software will promptly notify you of any unauthorized access to your Customer Data. Impossible Software has incident management policies and procedures in place to handle such an event.