People, processes, and technology are all considerations in how we approach information security and data privacy. To validate the effectiveness of our internal security controls, we periodically review our controls and infrastructure (information security management, risk assessment, oversight, and third-party risk, among other areas) against the Trust Services Criteria of SOC 2, the AICPA framework for service organizations, which is widely used by software-as-a-service (SaaS) providers.
We complement our compliance guardrails by hosting our services on Amazon Web Services, whose data centers are built on modern architectural and engineering practices and have been validated against numerous standards, regulations, and frameworks. To learn more about Amazon's compliance programs, see https://aws.amazon.com/compliance.
The EU General Data Protection Regulation (GDPR) is the comprehensive EU data privacy law that has applied since May 25, 2018.
Under GDPR, SwiftCX is a data processor; therefore, we provide support to data controllers to enable them to fulfill their obligations under GDPR and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.
SwiftCX has taken various steps to give customers assurance that the use of SwiftCX’s products and services is consistent with the GDPR:
Data Processing Agreements (as required by Article 28 GDPR) are established with relevant customers and third parties to ensure appropriate processing and safeguards are in place for EU personal data.
We have standardized processes and technical capabilities in order to help our customers respond to data subject requests for access, rectification, or erasure of personal data maintained by SwiftCX.
We apply a risk-based approach in selecting and monitoring all third-party vendor relationships.
Visitors to the SwiftCX platform/app:
The privacy of our users is important to us. We do not track any individual people. As a user of our platform:
No personal information is collected beyond what the end-user explicitly provides.
No tracking cookies or similar tracking identifiers are stored in the browser.
No information is shared with, sent to, or sold to third parties.
No information is shared with advertising companies.
No information is mined or profiled for personal trends.
No information is monetized.
Application & Product Security
SwiftCX’s security model is an end-to-end process, spanning user and application authentication, secure development practices, secure storage, and managed services on top of the industry-leading Amazon Web Services platform.
Users can authenticate via SSO using a G-Suite (Google Workspace) identity. With this approach SwiftCX never accesses or stores user credentials; authentication is delegated to Google.
When users authenticate with a username and password they set themselves, the passwords and all resulting authentication state are stored and verified by Amazon Cognito, an AWS service, rather than in SwiftCX's own data stores. Cognito is in scope for AWS compliance programs such as SOC, FedRAMP, and HIPAA; details are here: https://docs.aws.amazon.com/cognito/latest/developerguide/compliance-validation.html
SwiftCX APIs communicate only over encrypted channels and are accessible only to authenticated users. This is enforced by Amazon API Gateway, which is in scope for programs such as SOC, FedRAMP, and HIPAA; details are here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-compliance.html
Access Controls & Information Security
Our architecture and infrastructure logically separate customer data through access control scoped by company, user, and role. Every data access passes through the application's access control lists and its authentication and authorization checks, so only authorized users can reach a given customer's data.
Each customer account is assigned a unique GUID, and every request is authorized against that GUID, so a session can reach only the services and data consistent with the privileges assigned to it.
We use isolated networking infrastructure and inbound traffic restrictions from untrusted zones to protect your information during processing in our AWS servers.
We follow a least-privilege access model with multi-factor authentication and access logging.
We pull only the minimum data from customer systems needed for our product functionality, transfer it over encrypted channels, and store it securely.
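The two statements above (access control scoped by company, user, and role, and a per-account GUID that bounds what a session can reach) describe the standard multi-tenant authorization pattern. The following is an added illustration of that pattern, not SwiftCX's code: the role names, the in-memory store, and the sample records are constructed for the example. The points a practitioner would check are that the tenant boundary is enforced before any role is consulted, that the tenant filter lives in the data layer rather than in each caller, and that a row belonging to another tenant is reported exactly like a missing one, so guessing a valid identifier does not confirm that it exists.

```python
from dataclasses import dataclass
import uuid


@dataclass(frozen=True)
class Principal:
    """An authenticated session: the caller, the company (tenant) GUID the
    session belongs to, and the roles held within that company."""
    user_id: str
    company_id: str          # tenant GUID issued when the account was created
    roles: frozenset


@dataclass(frozen=True)
class Record:
    record_id: str
    company_id: str          # owning tenant GUID, stored on every row
    body: str


# Role-to-action map. Constructed sample policy; SwiftCX's real role set is not published.
ROLE_ACTIONS = {
    "viewer": frozenset({"read"}),
    "agent": frozenset({"read", "update"}),
    "admin": frozenset({"read", "update", "delete"}),
}


class AuthorizationError(PermissionError):
    pass


def allowed_actions(principal):
    """Union of the actions granted by the principal's roles; unknown roles grant nothing."""
    actions = set()
    for role in principal.roles:
        actions |= ROLE_ACTIONS.get(role, frozenset())
    return actions


def authorize(principal, record, action):
    """Deny-by-default check. The tenant boundary is tested first, so an admin of
    one company has no standing at all over another company's rows."""
    if record.company_id != principal.company_id:
        raise AuthorizationError("cross-tenant access denied")
    if action not in allowed_actions(principal):
        raise AuthorizationError(f"role does not permit {action!r}")
    return True


class TenantStore:
    """In-memory stand-in for the data layer. Every query is filtered by the
    caller's tenant GUID inside the store, not left to each caller."""

    def __init__(self):
        self._rows = {}

    def put(self, principal, record):
        authorize(principal, record, "update")
        self._rows[record.record_id] = record

    def get(self, principal, record_id):
        row = self._rows.get(record_id)
        # A foreign tenant's row is reported exactly like a missing one, so a
        # guessed identifier does not reveal whether the record exists.
        if row is None or row.company_id != principal.company_id:
            raise LookupError("not found")
        authorize(principal, row, "read")
        return row

    def delete(self, principal, record_id):
        row = self.get(principal, record_id)
        authorize(principal, row, "delete")
        del self._rows[record_id]

    def list_for(self, principal):
        if "read" not in allowed_actions(principal):
            raise AuthorizationError("role does not permit 'read'")
        return [r for r in self._rows.values() if r.company_id == principal.company_id]


def demo():
    """Two tenants with freshly generated GUIDs; returns the outcome of each access."""
    acme, globex = str(uuid.uuid4()), str(uuid.uuid4())
    store = TenantStore()
    acme_admin = Principal("u1", acme, frozenset({"admin"}))
    acme_viewer = Principal("u2", acme, frozenset({"viewer"}))
    globex_admin = Principal("u3", globex, frozenset({"admin"}))
    store.put(acme_admin, Record("r1", acme, "acme ticket"))
    store.put(globex_admin, Record("r2", globex, "globex ticket"))

    results = {"viewer_reads_own": store.get(acme_viewer, "r1").body}
    try:
        store.get(globex_admin, "r1")          # wrong tenant, even as an admin
        results["cross_tenant_read"] = "allowed"
    except LookupError:
        results["cross_tenant_read"] = "not found"
    try:
        store.delete(acme_viewer, "r1")        # right tenant, insufficient role
        results["viewer_delete"] = "allowed"
    except AuthorizationError:
        results["viewer_delete"] = "denied"
    results["acme_visible"] = [r.record_id for r in store.list_for(acme_admin)]
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in authorize matters: checking the tenant GUID before the role means a role-escalation bug can never widen access across companies, and keeping the tenant filter inside the store means a new query path cannot forget it.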
Resilient & Secure Architecture
Redundant and Scalable Infrastructure
SwiftCX data and services are deployed across geographically distributed availability zones in the United States and maintained by an industry-leading service provider (Amazon Web Services).
Scalable infrastructure distributes application load across resources and supports high availability.
Properly isolated network resources restrict inbound traffic from untrusted zones.
Capacity thresholds are defined to provide additional resources to meet spikes in application demand automatically.
All traffic in transit is encrypted using currently recommended secure cipher suites, with the TLS 1.2 protocol and SHA-2 signatures, both between clients and the SwiftCX service and between SwiftCX services over public networks.
Access controls and AWS infrastructure measures protect application and customer data at rest.
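To make the transport claim above concrete, here is an added example (not SwiftCX's configuration) of what "TLS 1.2 with recommended cipher suites" means in a client, alongside a deliberately weak configuration and an offline audit that distinguishes them. The cipher strings and the policy (TLS 1.2 minimum, forward-secret AEAD suites only) are the example's own choices. SHA-2 signatures are a property of the certificate chain rather than of the cipher suite, so they are not part of this audit.

```python
import socket
import ssl

# OpenSSL cipher string limiting TLS 1.2 to forward-secret AEAD suites. TLS 1.3
# suites are handled separately by OpenSSL and are all forward-secret AEAD.
APPROVED_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Deliberately weak list for comparison: RSA key exchange (no forward secrecy)
# and CBC with an HMAC-SHA1 MAC (not AEAD). Example only.
LEGACY_CIPHERS = "AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA"


def hardened_client_context():
    """Client context matching the policy: certificate and hostname verification on,
    TLS 1.2 as the floor, only forward-secret AEAD suites negotiable."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(APPROVED_TLS12_CIPHERS)
    return ctx


def legacy_client_context():
    """The weak setting beside the corrected one: old suites and a TLS 1.0 floor."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(LEGACY_CIPHERS)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass  # an OpenSSL built without TLS 1.0 refuses the lower floor, which is fine
    return ctx


def audit_context(ctx):
    """Return a list of policy findings for a context; an empty list means it only
    negotiates TLS 1.2+ with forward-secret AEAD suites."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():
        if not suite["aead"]:
            findings.append(f"weak cipher {suite['name']}: not AEAD (CBC/HMAC construction)")
        elif suite["kea"] == "RSA":
            findings.append(f"weak cipher {suite['name']}: RSA key exchange, no forward secrecy")
    return findings


def negotiated_with(hostname, port=443, ctx=None):
    """Live check against a real endpoint (needs network): report the protocol version
    and suite actually negotiated under the hardened policy."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            name, protocol, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    print("hardened findings:", audit_context(hardened_client_context()))
    print("legacy findings:")
    for f in audit_context(legacy_client_context()):
        print("  -", f)
```

The audit inspects what the context can negotiate rather than what any one connection happened to pick, which is the same distinction an external scanner draws when it enumerates a server's offered suites; negotiated_with shows the other side of that check, what a single handshake to a live host actually settled on.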
Technology and best practices are used to respond to any network intrusion, command and control attempts, or potential system compromise.
We have security incident response processes, including appropriate diagnosis procedures, root cause analysis, impact assessment, and containment.
Impacted customers, third parties, and authorities are notified in a timely manner.
Data is replicated and backed up periodically to support continuity in the event of an outage or data loss.
Complete data backups are performed daily, with defined retention periods observed.
Backup restoration best practices are followed and tested regularly to confirm the efficacy of our processes.
Our disaster recovery strategy uses best practices, with appointed responsible personnel supported through periodic reviews.
Design & Build Practices:
A Software Development Lifecycle (SDLC) policy is used to guide engineers on appropriate development practices and change control.
Code is evaluated for design, functionality, and potential security exposures.
Changes to the source code are governed by a standardized change management process in GitHub.
In addition to testing, our code is peer-reviewed before being deployed to production.
Recruitment & Selection Practices:
We rely on comprehensive background verification and employment history when selecting candidates for employment opportunities with SwiftCX.
Employees are required to sign non-disclosure and confidentiality agreements upon joining SwiftCX.
Only authorized employees are granted access to production systems to fulfill their responsibilities.
Access is regularly reviewed for business justification.
If you have questions about SwiftCX security practices or believe a security incident has occurred, please contact us.