Enterprise Security and Privacy at AirMason


AirMason engages Vanta

August 1st, 2024

AirMason has engaged Vanta for its security, including SOC2 compliance, scheduled to be completed for Q3 of 2024.

Data Protection

Data at rest
All datastores with customer data, in addition to Google buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption with Google MySQL Cloud.
This means the data is encrypted even before it hits the Google Cloud Database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.
Data in transit
AirMason uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. Server TLS keys and certificates are managed by GCP and deployed via Application Load Balancers.
Data compliance
Please view our in-depth Data Processing Addendum to learn more about how we protect your data. Customers can also request a call directly with our engineering team by email at hello@airmason.com.

Security

Security Education
AirMason provides comprehensive security training to all employees upon onboarding and annually through educational modules within its security partner, Vanta.
In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.
AirMason's engineering team shares regular threat briefings and phishing attempt examples with employees to inform them of important security and safety-related updates that require special attention or action.
Identity & Access Management
AirMason uses Google Workspace to secure our identity and access management.
We enforce the use of phishing-resistant authentication factors, using WebAuthn exclusively wherever possible.
AirMason employees are granted access to applications based on their role, and are automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

Continuous Monitoring

Please visit our Status page, which actively monitors all our applications on the network.

• AirMason Marketing Website: Online
• AirMason API Server: Online
• AirMason Admin Dashboard: Online
• AirMason Handbook Editor: Online
• AirMason Handbook Viewer: Online

Product Security

Penetration Testing
AirMason engages with third-party penetration testing consulting firms in the industry at least annually.
Our current preferred penetration testing partner is Packet Labs.
All areas of the AirMason product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.
We make summary penetration test reports available to all our enterprise clients upon request.
Vulnerability Scanning
AirMason requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).
• We do both human and AI (Momentic) testing of code during pull requests and on an ongoing basis.
• Malicious dependency scanning to prevent the introduction of malware into our software supply chain.
• Container Analysis of running applications.
• Network vulnerability scanning on a periodic basis.