At YCharts, we know that customer data is valuable and needs to be safeguarded. As a cloud-based SaaS company, customers have entrusted us to protect their information – a responsibility we take very seriously. From our C-suite leaders to the employees that make YCharts everything that it is, we take the utmost care and actively work to prioritize and protect our customers’ data through comprehensive security program policies, procedures, practices, and controls.
Security Practices in Place
To ensure the availability of data, both for YCharts and for YCharts's customers, complete backups are performed daily so that data remains available when it is needed, including in the event of a disaster. YCharts stores customer data in a secure production account in AWS, using a combination of RDS, ElastiCache, and S3. By default, Amazon S3 provides durable infrastructure for storing important data and is designed for 99.999999999% durability of objects.
To protect the confidentiality, integrity, authenticity, and non-repudiation of information, YCharts uses cryptographic controls to ensure that client data is always encrypted at rest and in transit. All external data transmission is encrypted end-to-end using AES-256 (256-bit keys) managed by YCharts. This includes, but is not limited to, cloud infrastructure, third-party vendors, and applications. All internet and intranet connections are encrypted and authenticated using TLS 1.2, which includes a strong protocol version, a strong key exchange, and a strong cipher.
YCharts uses AWS CloudWatch, Datadog, and PagerDuty to monitor the entire cloud service operation. If an alert is triggered, key personnel are notified by text, chat, and/or email so that they can take appropriate corrective action. YCharts also runs a security agent on production systems. The agents monitor system activity, generate alerts on suspicious behavior, and report vulnerability findings to a centralized management console.
Business Continuity and Disaster Recovery
YCharts leverages Amazon Web Services (AWS) to host its production and staging environments. Data is replicated across multiple availability zones in US regions for redundancy, disaster recovery, and high availability for our users. YCharts has policies and procedures in place to ensure that we continue to provide critical services through any disruption resulting from a disaster.
Risk and Vulnerability Management
In an effort to stay ahead of the ever-changing security landscape, YCharts conducts an annual Penetration Test of our web application (View a copy here). Identified vulnerabilities are prioritized and remediated based on severity and business impact.
YCharts conducts monthly vulnerability scans of our production application to identify potential weaknesses that could impact our systems. In addition, members of the Security Committee meet to proactively search for, and act upon, security bulletins and alerts that are applicable to the company's IT infrastructure. All vulnerability findings must be reported, tagged, and tracked to resolution in accordance with the defined SLAs.
YCharts hosts a bug bounty program to allow for the reporting and disclosure of vulnerabilities discovered by external entities. This program assists in identifying and resolving vulnerabilities and flaws before they can be exploited.
Secure Software Development
YCharts has implemented policies, procedures, and processes that guide the approval, planning, and life-cycle development of YCharts software systems in alignment with the Information Security Program. YCharts has established and maintains processes to ensure that its applications and systems follow an SDLC process that is consistent and repeatable and that maintains information security at every stage.
System Access Control
Access to YCharts systems and applications is limited for all users, including but not limited to workforce members, volunteers, business associates, contracted providers, and consultants. Access by any other entity is allowable only on a minimum necessary basis. All users are responsible for reporting an incident of unauthorized use or access to the organization’s information systems. All access to YCharts systems and services is reviewed and updated on a monthly basis to ensure proper authorizations are in place commensurate with job functions. Access to YCharts Production and Staging environments requires strong multi-factor authentication and VPN access.
YCharts’ Information Security Policy has been developed to establish a general approach to information security and the minimization of information misuse, compromise, or loss; document security processes and measures; uphold ethical standards and meet the company’s regulatory, legal, contractual, and other obligations; control business risk; and ensure that the appropriate company image and reputation are presented. (View a copy of our Information Security Policy here)
YCharts has implemented policies, procedures, and processes that establish controls for detecting security vulnerabilities and incidents, as well as for reacting and responding quickly to security breaches.
Data security is a top priority at YCharts. Our security and compliance team is dedicated to creating and maintaining secure systems, processes, and controls at every level of the company. YCharts complies with SOC 2 Type I & Type II standards as set forth by the American Institute of Certified Public Accountants (AICPA).
We welcome input from all parties regarding any security vulnerabilities that may be discovered. Our security & compliance team will review and respond to any report within 30 business days of its submission through the form below.
Note that the following types of reports are out of scope (this list is not exhaustive):
– DoS attacks
– Brute force attacks
– Use of scanners or other automated tools to find vulnerabilities
– Attacks requiring MITM or physical access to a user's device
– Previously known vulnerable libraries without a working Proof of Concept
– Social engineering attacks, including, but not limited to: phishing, email authentication (SPF, DKIM, etc.), hyperlink injection in emails
– Public zero-day vulnerabilities that have had an official patch for less than 1 month
– Disclosure of known public files or directories (e.g. robots.txt)
– Issues that require unlikely user interaction
– Vulnerabilities only affecting users of outdated or unpatched browsers