Security Information

We follow industry standard security management without compromising functionality or ease-of-use.

Written by Kate Bernier
Updated over 7 years ago

Overview

Airbo has provided its cloud-based Employee Communication Platform to a wide variety of organizations and industries since 2011. We maintain the trust of our clients, from public school districts to Fortune 500 enterprises, by ensuring we follow industry standard security management without compromising functionality or ease-of-use.

This document describes the following topics related to information security at Airbo:

  • Internal Policies and Procedures

  • System Architecture & Configuration

  • Third Party Services and Tools

Internal Policies and Procedures

Hardware Security

Airbo is a completely cloud-based company. This is true for both our internal systems and our client-facing systems. We do not maintain our own physical infrastructure (servers, network appliances, etc.) other than company-issued laptops.

All Airbo-issued laptops are required to be password protected with strong passwords that are changed at a regular interval. When required, client information is downloaded to a password-protected, encrypted partition on the employee computer.

Personnel

In addition to conducting thorough reference checks, Airbo also conducts a full criminal background check on all employees as part of our hiring process.

All Airbo employees are provided comprehensive training on security standards and policies as well as industry best practices regarding information security.

Access to Technical Systems and Resources

Airbo restricts employee access to sensitive resources and systems based on job function and role. For example, all Airbo developers have access to the private source code repository on www.github.com, but only designated development team members can submit code changes. Similarly, only pre-approved team members can submit code changes to the running production environment.

Likewise, access to the production application and its data is provided to designated team members only. All non-privileged developers are restricted to development and QA environments containing dummy or test data.

Access to Non-Technical Business Systems and Resources

Airbo restricts employee access to non-technical information such as client contracts and communications, personnel data, financials, etc. to only those employees whose job duties require them to have access to this information.

Third Party and Vendor Services

As mentioned above, Airbo is fully cloud based. We have taken great care to partner with and procure services from industry-leading providers of PaaS, IaaS and SaaS hosting. Our partners have extensive experience and expertise in information security management and have adopted the most stringent industry standards and certifications, such as SSAE16 and ISO 27001.

Airbo works closely with our vendors and partners to ensure that Airbo and its employees follow all best practices and guidelines set forth by those partners and vendors. These include the following:

  • Enforcement of secure login and password storage for access to vendor and external interfaces

  • Enforcement of cryptographically strong passwords

  • Use of Role Based Access Control, with least privilege granted as the default

  • Rotation of administrative passwords every 60 days

  • Prompt application of all vendor recommended software updates and patches related to security

Personnel Security

Incoming Employees

All Airbo employees are screened prior to employment with the following checks:

  • Six years of address history.

  • Three years of employment history.

  • Education Verification.

  • Criminal background checks.

Airbo employees with authorized access to production and test environments are screened prior to access being granted.

Outgoing Employees

Upon termination of employment, the departing employee's access to all Airbo resources and systems is immediately blocked. We carry out the following procedure:

  • Revoke, disable or remove all system accounts associated with the employee (including databases, the code repository and the application).

  • Change administrator passwords in all systems to which the employee had access.

  • Disable employee access to email but keep the account active in order to monitor any security related communications.

Secure Development

All of Airbo's services are developed according to stringent, OWASP-derived industry standard practices.

For regular updates on Common Vulnerabilities and Exposures, the Airbo development team subscribes to industry mailing lists such as:

Our development team implements all recommended security patches and mitigations within 24 to 48 hours.

Airbo also subscribes to a third-party service (Code Climate: http://www.codeclimate.com/) that scans the code base on every code push to our master repository. The code is evaluated for code quality and potential security vulnerabilities.

Policies and Procedures

Hosting Providers & External Interface Protection

Airbo has partnered with industry leaders in PaaS and IaaS hosting. These organizations have well-established governance programs in place. They adhere to the most stringent security management methodologies and standards such as ISO 27001, AT101, and SSAE16.

Asset Protection And Resilience

Airbo has partnered with some of the industry's leading infrastructure providers, who have adopted AT101, SSAE16 and industry practices for the physical protection of information processing assets. ISO 27001 certified policies and processes ensure that all measures taken to protect information assets have been verified and audited by an external, independent third party.

Data In Transit Protection

Airbo protects all data in transit with the HTTPS/TLS protocol, using strong cipher suites with keys of up to 256 bits.

Data At Rest

Airbo stores all customer data in an encrypted database.

Separation Between Customers

Airbo's services are multi-tenanted and follow stringent industry practices. This ensures that no unintended information disclosure can occur between Airbo customers. The confidentiality, privacy and ownership of information are maintained at all times. All access must be explicitly granted through user interaction within the product.

Secure Customer Management

Airbo uses an RBAC architecture to restrict access to resources to the appropriate users. Access is granted on a "least privilege" basis. There are four types of roles, each with specific privileges.

  1. Guest User: May view content at a public URL on the airbo.com domain. Airbo does not track who the user is, but does set a cookie to track subsequent sessions.

  2. Ordinary User: May view content and alter their own information. May view the names, but not the email addresses, of other users.

  3. Client Administrator: Users designated by the customer as administrators. May create content, send digest emails to the group, add new users, and designate other Ordinary Users as Client Administrators.

  4. Site Administrator: Airbo staff only. May perform all the same functions as a Client Administrator, switch between any instance, and access additional reporting.

Staff Segregation of Duties is applied to critical operations such as deletion of a client instance, which requires C-level password approval.

Secure Use of Service By Customer

End users are provided with guidance on how best to implement and manage the product so that content remains accessible and available on a need-to-know basis. This is achieved through:

  • Customer Success Managers

  • Extensive online help

  • Live online support portal

Identity and Authentication

All Airbo users must provide a valid username and password to access non-public features of the website.

In certain scenarios, authenticated users with a non-expired session can access Airbo via a secure, randomly generated authentication token attached to a link in an email.
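As an added illustration of the email-link mechanism described above (example code, not Airbo's own implementation), the following shows how such a token can be issued and redeemed so that it is unguessable, time-limited and single-use; the class name, the 15-minute lifetime, the user identifier and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

# Assumed lifetime of an email-link token; the page does not state one.
TOKEN_TTL_SECONDS = 15 * 60


class EmailLinkTokens:
    """Issue and redeem single-use, time-limited login tokens for email links."""

    def __init__(self):
        # Only a SHA-256 digest of each token is stored. The raw token exists
        # solely in the emailed link, so a leaked store cannot be replayed.
        self._store = {}  # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a token for an already-authenticated user (assumed user_id)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token, now=None):
        """Return the user_id once for a valid, unexpired token; else None."""
        now = time.time() if now is None else now
        # Looking up the digest rather than the token keeps the raw secret
        # out of storage; a timing difference on the lookup would only
        # reveal information about the (preimage-resistant) digest.
        entry = self._store.pop(self._digest(token), None)  # pop: single use
        if entry is None:
            return None
        user_id, expires_at = entry
        if now > expires_at:
            return None  # expired tokens are discarded, never honoured
        return user_id
```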

Audit Information and Provision to Customers

Airbo provides end-user and administrative reports that detail usage and access to all content stored in its services.

Appendix

Vendor Certifications & Security Policies

Software Code & Static Analysis & Vulnerability Detection
