Security is a top priority for Atomic Jolt and we've built a comprehensive security program to reflect our commitment. We have a formal, documented Information Security Management System which incorporates a number of Policies, Standards and Procedures to help protect our important data, including that of our customers, and our production systems.
External Security Attestations and Compliance
- Atomic Jolt has held a SOC 2 Type 2 attestation since August 2022 and maintains it through annual independent, third-party audits. Contact us for the detailed reports and supporting documentation.
- We follow Higher Education Community Vendor Assessment Toolkit ("HECVAT") guidelines.


Data Hosting
- All of our systems are hosted in Amazon Web Services ("AWS") data centers, which hold ISO 27001, SOC 1, SOC 2, PCI DSS Level 1, FISMA and Sarbanes-Oxley (SOX) attestations, among others.
Human Resources and Awareness
- Our employees and contractors undergo background checks prior to starting work with Atomic Jolt.
- Each individual must attend security awareness training upon hire and annually thereafter.
- All Atomic Jolt employees are required to comply with our policies relevant to their scope of work, including security and data privacy policies.
- Our standard work contract includes confidentiality clauses to protect our customers' data.
Access Control
- Atomic Jolt applies the principle of least privilege when granting access to Atomic Jolt systems and to customer data.
- Each individual is issued a unique account so that every action is attributable to one person.
- Our password policy enforces minimum length and complexity requirements in line with the current National Institute of Standards and Technology ("NIST") guidance (SP 800-63B).
- Multifactor authentication is enforced where technically supported.
- Privileged accounts are highly restricted and carry explicit guidelines for usage.
Endpoint Security
- Atomic Jolt laptops are locked automatically after 15 minutes of inactivity and employees are made aware of their responsibilities to protect access to the laptops.
- Our laptops are centrally-managed, with enforced security policies, limited administrative rights and centralized patching controls.
- Our laptops run centrally-managed commercial antivirus with tamper protection enabled.
- Local administrator rights are highly restricted.
Remote Access
- Atomic Jolt uses multifactor authentication with role-based access controls for VPN-based remote access sessions to production systems.
- Access to Atomic Jolt collaboration tools is restricted with single sign-on and multifactor authentication.
Network Security
- Atomic Jolt's production networks, all located in AWS, are secured through a combination of virtual firewalls and stateful AWS security groups that deny traffic by default and permit only what each component requires.
- All events related to administrative activities and access to customer data are centrally logged.
Vulnerability Management and Penetration Testing
- Atomic Jolt has robust policies and procedures to ensure that we regularly apply patches to our systems.
- We use centralized patch management, and our vulnerability management team meets regularly to review patch status.
- Atomic Jolt external-facing sites are automatically scanned for vulnerabilities on a monthly basis.
- Internal vulnerability scanning is performed weekly using Amazon Inspector.
- We have an automated compliance tool which constantly scans for any drift from our approved settings in AWS as well as our code management and project tools.
- Independent, third-party penetration testing is conducted no less often than annually on the production systems.
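The least-privilege security-group posture described under Network Security and the configuration-drift scanning described above can be checked with a short audit over the output of `aws ec2 describe-security-groups`. The script below is an added example, not Atomic Jolt's own tooling: it flags every ingress rule that exposes anything other than an approved public port to the whole internet (0.0.0.0/0 or ::/0). The approved-port set (80 and 443) and the sample security groups are constructed for illustration; a real baseline would come from the approved configuration.

```python
"""Security-group drift audit (added example; not Atomic Jolt's tooling).

Reads the "SecurityGroups" list produced by
`aws ec2 describe-security-groups --output json` and reports each ingress
rule that exposes something other than an approved public port to the
whole internet. Rules sourced from another security group or from a
specific CIDR are never flagged: that is the least-privilege shape the
groups are supposed to have.
"""
import ipaddress
import json
import sys

# Assumed baseline for the example: only HTTPS and HTTP may be world-reachable.
DEFAULT_ALLOWED_PUBLIC_PORTS = frozenset({80, 443})


def is_world_open(cidr):
    """True for a CIDR that admits every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_ranges(perm):
    """All world-open CIDRs referenced by one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if is_world_open(c)]


def audit_security_groups(groups, allowed_ports=DEFAULT_ALLOWED_PUBLIC_PORTS):
    """Return one finding dict per (rule, world-open CIDR) pair that drifts."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for cidr in world_open_ranges(perm):
                proto = perm["IpProtocol"]
                if proto == "-1":  # AWS encoding for "all protocols and ports"
                    ports, reason = "all", "all protocols and ports open to the internet"
                elif proto in ("tcp", "udp"):
                    lo, hi = perm["FromPort"], perm["ToPort"]
                    if all(p in allowed_ports for p in range(lo, hi + 1)):
                        continue  # e.g. 443/tcp from 0.0.0.0/0 on a load balancer
                    ports = str(lo) if lo == hi else f"{lo}-{hi}"
                    reason = f"{proto}/{ports} open to the internet (not in approved set)"
                else:
                    ports, reason = "n/a", f"protocol {proto} open to the internet"
                findings.append({
                    "group_id": group["GroupId"],
                    "group_name": group.get("GroupName", ""),
                    "cidr": cidr,
                    "protocol": proto,
                    "ports": ports,
                    "reason": reason,
                })
    return findings


# Constructed sample in the describe-security-groups shape (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app-servers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-db",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
]


def main(argv):
    """Audit a saved describe-security-groups JSON file, or the sample data."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            groups = json.load(fh)["SecurityGroups"]
    else:
        groups = SAMPLE_GROUPS
    findings = audit_security_groups(groups)
    for f in findings:
        print(f"{f['group_id']} ({f['group_name']}): {f['reason']} via {f['cidr']}")
    return 1 if findings else 0  # non-zero exit so a CI job fails on drift


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the audit reports two findings (SSH on `app-servers` and the all-traffic rule on `legacy-db`) and leaves the load balancer's 443 rule and the VPC-scoped database rule alone; run against real output (`aws ec2 describe-security-groups --output json > sgs.json` then `python sg_audit.py sgs.json`) the non-zero exit status lets a scheduled job fail on drift.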
Secure Development
- Atomic Jolt's Secure Development Lifecycle requires automated Static Code Analysis prior to code moving into production.
- Our SDLC also requires developers to undergo annual secure developer training to address the latest threats.
- We require peer review, management approval and QA testing before code moves from our Development and Staging areas into Production.
Encryption at Rest
- Data at rest, including backups, is encrypted with AES-256 using encryption keys managed by AWS KMS.
- Our laptops have enforced full-disk encryption.
- Mobile Devices with access to Atomic Jolt data require Google Mobile Device Management policies to ensure that Atomic Jolt data remains separate and encrypted.
Encryption in Transit
- All communication between our systems and you (or your customers) is encrypted in transit via HTTPS using TLS v1.2 or later.
- Email is encrypted in transit with TLS whenever the receiving party's mail server supports it (opportunistic TLS).
Backups
- Atomic Jolt production data is backed up automatically using AWS redundancy features, including cross-region replication.
- We perform annual Business Continuity and Disaster Recovery Testing walkthroughs.
Data Retention Policy
- Your data lives in our systems for as long as you ask us to keep it there.
- Our Data Retention Policy and Data Classification Policy govern the way we perform secure deletions for electronic data as well as physical media.
- Our media destruction procedures follow the US DoD 5220.22-M overwrite method.