Introduction

Client portal software is critical to your business and we take security of customer data extremely seriously. We host Portal using comprehensively hardened infrastructure-as-a-service (IaaS) platforms from Amazon Web Services.

Product security

Authentication
Accessing any portal data is restricted to authorized users that are authenticated using the AWS standards-based Identity Provider. All identity and access management is done directly with AWS.

Permissions
Portal supports multiple permission levels for internal users and client users. Permission level changes can only be made by admins (internal admin users and client admin users).

Physical security

Portal production data is processed and stored within world-renowned data centers that use state-of-the-art multilayer access, alerting, and auditing measures.

System security

Servers and networking
All Portal servers and structured datastores use managed infrastructure services provided and secured by Amazon. Our web servers encrypt data in transit using the industry standard for HTTPS security (TLS 1.2) so that requests are protected from eavesdroppers and man-in-the-middle attacks. Our SSL certificates are 2048 bit RSA, signed with SHA256.

Storage
All persistent data is encrypted at rest using industry-standard AES-256 algorithms.

Operational security

Code Reviews and Production Deployment
All changes to source code are subject to automated testing and any that affect security require pre-commit code review by a qualified engineering peer that includes security, performance, and potential-for-abuse analysis.

All code is deployed to a staging environment for quality assurance and automated tests must pass prior to updating production services.

Service Levels, Backups, and Recovery
Portal infrastructure utilizes multiple and layered techniques for increasingly reliable uptime, including the use of load balancing and task queues. Ashby uses highly redundant datastores, rapid recovery infrastructure, and point-in-time backups making unintentional loss of customer data very unlikely.

Application security

Server and Client Hardening
All portal servers use AWS backed infrastructure which provide load balancing, auto-scaling, and application health monitoring to ensure portals are always running reliably.


The client side application uses several techniques to ensure portals are safe and that all requests are authentic, including using JSON-web token for managing sessions and using secure cookies.

Customer Payment Information
We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted, Level 1 PCI Service Provider.

Incident reporting

You can view our incident response plan here.