The Amend platform runs solely on Amazon Web Services (AWS), spread across a number of geographical regions to give users a choice of location, high availability and disaster recovery.
With a layered approach to security and threats, Amend uses a variety of AWS products and follows Amazon's best practice recommendations.
Server access is restricted in private subnets, with both security groups (stateful firewall) and network ACLs (stateless) configured for inbound and outbound traffic.
Servers are based on AWS Role security and are split by instance responsibility. Communication between our instances, internally and externally, is transmitted end to end using SSL.
Access to servers is via the application over HTTPS for users with valid tokens, licences and access rights, or via IP-restricted VPN with MFA.
Connections to third-party data sources (integrations, cleaning providers, marketing system) are managed at server level over SSL.
The Amend platform is available for customers in a number of AWS Regions. When a customer signs up to Amend, they can choose which region they want to store and process their data in. Amend currently has 5 regions operating, which include:
Asia Pacific (Australia), AWS ap-southeast-2
Asia Pacific (India), AWS ap-south-1
Europe (Germany), AWS eu-central-1
North America (Canada), AWS ca-central-1
North America (USA), AWS us-east-1
Amend has signed the AWS Data Processing Addendum with Amazon, which includes the Model Clauses.
Where Amend acts as a data processor on behalf of the data controller, the following sub processors are used to assist in delivering services:
Amazon Web Services, Inc
Google Cloud Services
Amend uses a commercially reasonable selection process to evaluate the security, privacy and confidentiality practices of sub processors and keeps sub processor use to a minimum.
All data is accessed in the context of the logged-in user, and record and field level security is maintained at all times. Users/customers are in control of assigned tokens at all times and can revoke them at any time.
Data Transmission and Storage
All communication with Amend occurs via TLS v1+ connections. Client data is encrypted at rest.
Client data required to deliver the service is stored for the period of the contract. Clients can delete data from the platform portal. Upon contract termination, customer data is destroyed after 30 days.
Backup data is retained for 30 days.
Application-initiated requests for data access pass through multiple application levels to validate that the user is authenticated, licensed, belongs to the customer associated with the data, and has the permissions to view/edit as requested.
Only upon all checks being successful is data returned.
Administrative access to the production environment is locked down to a few select senior employees via IP restricted VPN requiring multi factor authentication.
Logging & Monitoring
All application layers, processing transactions and system requests are logged and monitored. Infrastructure access is monitored by a number of AWS products.
Incident Response & Disaster Recovery
The Amend platform is entirely cloud based. Core services are redundant across multiple data centres and we rely on the BC/DR capabilities of AWS.
If Amend determines that any customer information was compromised, Amend will immediately notify the customer's primary contact and the relevant supervisory authority, if relevant, within 72 hours.
Amend implements security considerations at design time and employs best practice secure coding principles (OWASP) with extensive employee training. Amend runs multiple development, testing and staging environments, which contain no client data. Transition of code between environments is subject to peer review and software-based analysis before continuous integration. Application and source code is scanned by vulnerability detectors, and we are subject to third-party security reviews and penetration testing.