Our Commitment to Security
At Posture, we believe in security, privacy, transparency, and trust. You own your data, but you entrust us to protect it. As a result, we are transparent about the technical details, infrastructure, and architecture used for our platform. Our goal is to make you feel comfortable when you use our products. We know that security, reliability, confidentiality, and integrity are paramount; that’s why we’d like to tell you a bit about how we ensure it.
Posture has designed our system to treat all customer data as vital. Our data protection includes, but is not limited to:
Posture uses Amazon Web Services (AWS) as our hosting provider. AWS is the gold standard for thousands of companies worldwide, and we use AWS’ best-in-class infrastructure to ensure your data is available and secure.
Posture’s platform was built separating the application into three layers: web, application, data. Each tier runs on its own infrastructure, can be developed simultaneously, and can also be updated or scaled as needed without impacting the other tiers.
All customer data is encrypted using industry-accepted tools, standards, and best practices for the services we leverage. Data transferred encryption is based on the TLS 1.2 protocol.
AWS data centers are secure by design and have constant monitoring and logging. AWS provides physical data center access only to approved employees.
A chain is only as strong as the weakest link. That’s why Posture continuously reviews the security of the Posture platform, applications, and applied best practices.
Posture uses its own internal certified penetration and vulnerability assessment/testing teams. Findings from each assessment are reviewed with the assessors, then risk ranked and assigned to the responsible team. Vulnerabilities are treated with the highest priority at Posture and are dealt with in a timely manner.
We undergo penetration tests, vulnerability assessments, and source code reviews to assess the security of our application, architecture, and implementation. Our security assessments cover all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation.
System configuration and consistency are maintained via standard, up-to-date images, configuration management software, and updating and replacing deployments. Systems are deployed using up-to-date images updated before deployment with changes in configuration and security updates.
Posture is a chief user of our own platform, and we hold ourselves to the highest of standards.
Posture staff, as part of normal operations, do not access or interact with customer data or applications. Posture may be asked to interact with customer data or applications for support purposes or where required by law at the customer’s request. Customer data is controlled by access, and all access by Posture staff is accompanied by customer approval or government mandate, reason for access, staff actions, and start/end times for support.
All Posture employees undergo pre-employment checks and agree to company policies, including security policies and policies for acceptable use.
Posture employees are required to attend security training and receive additional monthly security training.
Amazon undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under: ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II), PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX).
We use the PCI compliant payment processor Stripe for encrypting and processing credit card payments. Posture’s infrastructure provider is PCI Level 1 compliant.
Posture uses Amazon S3 to deploy the Posture web platform. The Amazon S3 platform automatically backs up as part of the deployment process on secure, access controlled, and redundant storage. We use these backups to deploy out applications across our platform and to automatically bring your application back online in the event of an outage.
Port scanning is prohibited, and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped, and access is blocked.
Firewalls are used to restrict access to systems from external networks and between systems internally. By default, all access is denied and only ports and protocols explicitly permitted on the basis of business requirements.
Our infrastructure provider takes advantage of DDoS mitigation techniques, including TCP Syn cookies and connection rate limiting, along with maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Posture uses Amazon AWS, which applies application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.