Security is a top priority for Atomic Jolt and we've built a
comprehensive security program to reflect our commitment. We have
a formal, documented Information Security Management System which
incorporates a number of Policies, Standards and Procedures to
help protect our important data, including that of our customers,
and our production systems.
External Security Attestations and Compliance
- Atomic Jolt has been SOC 2 Type 2 certified since August 2022 and maintains that certification through annual independent, third-party audits. Contact us for detailed reports and documentation.
- We follow the Higher Education Community Vendor Assessment Toolkit ("HECVAT") guidelines.
Data Hosting
- All of our systems are hosted within Amazon Web Services ("AWS") secure data centers, which have been accredited under ISO 27001, SOC 1 and SOC 2, PCI Level 1, FISMA and Sarbanes-Oxley (SOX), to name just a few certifications.
Human Resources and Awareness
- Our employees and contractors undergo background checks prior to starting work with Atomic Jolt.
- Each individual must attend security awareness training upon hire and annually thereafter.
- All Atomic Jolt employees are required to comply with our policies relevant to their scope of work, including security and data privacy policies.
- Our standard work contract includes confidentiality clauses to protect our customers' data.
Access Control
- Atomic Jolt follows access control best practices, including the principle of least privilege when granting access to Atomic Jolt systems and customer data.
- Each individual has a unique username so that every action is fully attributable to the person who performed it.
- Our password policy enforces complexity and minimum length requirements in line with the most recent National Institute of Standards and Technology ("NIST") recommendations.
- Multifactor authentication is enforced wherever it is technically supported.
- Privileged accounts are highly restricted and carry explicit guidelines for their use.
Endpoint Security
- Atomic Jolt laptops lock automatically after 15 minutes of inactivity, and employees are made aware of their responsibility to protect access to their laptops.
- Our laptops are centrally managed, with enforced security policies, limited administrative rights and centralized patching controls.
- Our laptops run centrally managed commercial anti-virus software with tamper protection enabled.
- Local administrator rights are highly restricted.
Remote Access
- Atomic Jolt uses multifactor authentication with role-based access controls for VPN-based remote access sessions to production systems.
- Access to Atomic Jolt collaboration tools is restricted through single sign-on and multifactor authentication.
Network Security
- Atomic Jolt's production networks, all located in AWS, are secured through a combination of virtual firewalls and stateful AWS security groups, restricting permitted traffic to the minimum required.
- All events related to administrative activities and access to customer data are centrally logged.
Vulnerability Management and Penetration Testing
- Atomic Jolt has robust policies and procedures to ensure that we regularly apply patches to our systems.
- We use centralized patch management, and our vulnerability management team meets regularly to track patch status across our systems.
- Atomic Jolt external-facing sites are automatically scanned for vulnerabilities on a monthly basis.
- Internal vulnerability scanning is performed weekly using AWS Inspector.
- An automated compliance tool continuously scans for any drift from our approved settings in AWS, as well as in our code management and project tools.
- Independent, third-party penetration testing is conducted no less often than annually on our production systems.
Secure Development
- Atomic Jolt's Secure Development Lifecycle requires automated Static Code Analysis before code moves into production.
- Our SDLC also requires developers to complete annual secure development training covering the latest threats.
- We require peer review, management approval and QA testing before code moves from our Development and Staging environments into Production.
Encryption at Rest
- Data at rest, including backup data, is encrypted with AES-256, with encryption keys managed by AWS KMS.
- Our laptops have enforced full-disk encryption.
- Mobile devices with access to Atomic Jolt data require Google Mobile Device Management policies to ensure that Atomic Jolt data remains separate and encrypted.
Encryption in Transit
- All communication between our systems and you (or your customers) is encrypted in transit via HTTPS using TLS v1.2 or later.
- Emails are automatically encrypted with TLS where the other party's server supports it.
Backups
- Atomic Jolt production data is backed up automatically, using AWS redundancy options including cross-region replication.
- We perform annual Business Continuity and Disaster Recovery testing walkthroughs.
Data Retention Policy
- Your data lives in our systems for as long as you ask us to keep it there.
- Our Data Retention Policy and Data Classification Policy govern how we perform secure deletion of electronic data as well as physical media.
- Our destruction procedures follow US DOD 5220.22-M best practices.