Sidr's Approach to Security
Updated August 12, 2021
We will always be transparent with you about our security practices, which we take very seriously. As such, we have published this guide to help you understand our approach.
Your Data is Physically Secure
Our applications, data stores, and application network are hosted by Amazon Web Services, in highly secure data center locations with industry-leading physical security and physical access controls.
Your Data is Encrypted
Encryption is enforced for data both at rest and in transit. All of our customer data is encrypted when it is stored. Backup data is stored with the same level of encryption integrity as primary data. Customer data is also encrypted while in transit, using only secure network protocols.
Your Data is Private
All customer data is owned by the customer that created it in the first place. A customer controls all access to their data, including but not limited to reading, writing, or deleting that data. We do not look into your account without your express permission.
Your Data is Electronically Secure
Customer data is stored in a database that uses only secure protocols for access and is completely segregated and independent from non-production environments. Database access is restricted by a strict firewall that whitelists only the necessary applications by IP. Keys are rotated on a regular basis, and the details of every single access are logged. Security patches are applied as soon as possible upon notification or discovery of a vulnerability.
Your Data is Backed Up
We make regular and redundant backups of your data. We implement a planned, automated, and diligently followed backup plan with a declared RTO and RPO. Our backup system is specially designed to ensure smooth recovery in disaster cases.
People are Fully Trained
All of Sidr's employees and contractors undergo training on privacy and proper handling of customer data on a regular basis (annually, and ad hoc if there is even the slightest change in policy). All parties employed by Sidr are required to acknowledge and agree to Sidr's information security policy, with refreshes on an annual basis.
People require Additional Access Controls
All of Sidr's employees and contractors have their access tightly controlled and logged. Multi-factor authentication is enforced for all. Additionally, a role-based access control layer has been implemented so that access to each specific part of the stored data is granted to a person only if needed. These access requirements are reviewed and refreshed/revoked regularly.