We encrypt data in transit to users using a standard SSL/TLS certificate. This prevents intermediate attackers from intercepting user data. All user data is stored in a SOC 1 Type II, SOC 2 Type I, and ISO 27001 certified Amazon AWS Datacenter. We also encrypt data at rest in both primary databases and all backup data snapshots using industry standard AES-256 encryption. This prevents access to user data by any attacker who might somehow still gain access to Amazon’s highly secured datacenters.
Physical Infrastructure and Security
Our hosting provider Amazon Web Services (AWS) adheres to the strictest data protection certifications. AWS allows us to be fully scalable as your workloads evolve, and features robust security components such as disaster recovery, data storage, and data backup capabilities.
More information regarding our highly reliable AWS infrastructure and its certifications can be found
here. Amazon datacenters have extremely robust physical security systems in place to protect your data. You can read the AWS Whitepaper
Who has access to your information?
SeamlessGov takes customer data security and privacy seriously. Access to your user data is restricted to the following parties:
1) Your own registered users on your account, corresponding to their assigned customer data and with assigned permissions.
2) SeamlessGov Success Managers, only to the extent necessary and authorized by you, to service your account.
3) SeamlessGov corporate officers, to the extent required by law or to service your account.
4) SeamlessGov Engineers. Only the CTO (and in emergencies, SREs) have access to customer data to the minimal extent necessary and required to carry out their employment duties, such as operating, administering, or debugging the product.
5) Third-party contractors, to the extent they produce product components or service your account on our behalf.
SeamlessGov employees and contractors handling customer data are required to complete necessary requirements (i.e. training) in accordance with the policies specified in the company’s Code of Conduct. This document outlines SeamlessGov’s expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. The SeamlessGov Code of Conduct is available upon request.
We support password-based, SAML, and AD Authentication. Multifactor authentication is not supported out of the box, but is available with implementation. Our API uses a key-based authentication mechanism. All user sessions are timed out automatically, and all authentication data is encrypted. All passwords are hashed and salted using industry-standard bcrypt.
Policies and Procedures
Backing Up Your Data
We host our databases on Amazon RDS (Relational Database Service). The database constantly retains an up-to-date, encrypted copy of your data. Complete snapshots are made daily, and point-in-time restoration of data is generally possible to within 10 minutes.
Data copies are encrypted, and stored in the Amazon US West datacenters. All data is stored in the US. You can learn more about security measures for AWS datacenters here.
Legal Hold Request Process
We will respond to legal requests in a timely manner, based on the extent, scope, and urgency of each individual request. We will retain information pertaining to a legal hold in a separate database for integrity.
Disaster Recovery Process
The likelihood of a datacenter outage is extremely small. However, in the case of a disaster-related datacenter failure, we maintain backups of our code and databases and can re-deploy SeamlessGov as soon as possible, given the extent of the present incident, and assuming hosting services are restored after the disaster.
Data Corruption/Breach Management
Because of our infrastructure, data corruption is highly unlikely. In the event of data corruption, SeamlessGov will offer remediation as per our
In the unlikely event of a breach we will issue a full lockdown of services while we investigate the source and scope. We will notify our customers within 24 hours via e-mail providing relevant details, and will continue to send regular updates as new information is obtained.
Disposing of Failed Data Storage Devices and End-of-Life Hardware
Amazon AWS manages all hardware. When a storage device has reached the end of its useful life or fails to securely store data, AWS initiates a decommissioning process that ensures customer data are not exposed to unauthorized individuals.
AWS uses the techniques detailed in DoD 5220.22-‐M (“National Industrial Security Program Operating Manual“) or NIST 800-‐88 (“Guidelines for Media Sanitation”) to destroy data, as part of the decommissioning process.
HIGH STANDARD PERFORMANCE AND SECURITY
Our SLA (Service Level Agreement) for uptime is 99.9%. We ensure minimal downtime, amounting to less than nine hours per year, and if we fail to deliver, remediation is available as per our