We take security seriously, especially when it comes to data you provide to us. Here's how Cuseum keeps it safe.
Data Center Security
Cuseum is a cloud service, and hosted by data centers with the highest level of certifications including ISO 27001 and SOC. For more compliance information, you can visit AWS Security and AWS Compliance.
All application servers are based in the US, but may be accessed internationally via the internet. Cuseum’s CDN serves static assets (e.g. webpage stylesheets, images) from servers across the world, but does not touch sensitive customer data.
Decommissioning and Data Removal
All customer data is stored on AWS services, which follows a strict decommissioning policy outlines on page 8 of their security whitepaper:
"AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process."
For customer-specific data, we will manually remove all identifying data associated with your account from our database on request. Derivate anonymized data will not be removed, as it cannot be linked back to source data. User accounts associated with your organization may also be removed on request. We retain backups for 30 days, after which time the data will be completely unobtainable.
Uptime & Reliability
We constantly monitor our service performance and have automatic notifications to ensure rapid response for service interruptions. All code is audited and peer reviewed before deploying to production servers. We also monitor updates from the security community and immediately update our systems when vulnerabilities are discovered.
New features, performance improvements, and bugfixes are deployed multiple times per week. While agile, our development cycle relies heavily on a strict system for code quality and security. All code is peer reviewed, and requires multiple levels of acceptance on test/staging environments prior to deployment on production. Key highlights for common questions:
Changes are checked for security and errors via extensive unit, integration, and static analysis tests.
Production data is separated from development environments.
We have completed rigorous reviews by internal security teams for multiple public companies and organizations.
Customer data is encrypted when in-transit and at rest. All connections with Cuseum’s services are encrypted and served through SSL/TLS 1.2+. You cannot access the service without using HTTPS. All certificates are verified on both sides with third party authorities.
When at rest, customer data is encrypted using a key management system which logs all access automatically. Additionally, passwords are both hashed and salted using one-way encryption, which protect them even in the unlikely event of unauthorized database access. Application credentials are stored separate from the code base.
We do not store your credit card information on our servers. We currently use Stripe, which is PCI-Compliant and dedicated to safely storing sensitive payment data. You can find a copy of their security practices here.
We do not store any data with regulatory requirements, such as HIPAA or PCI.
For networks that whitelist ongoing connections, you can verify against our DNS (e.g. *.cuseum.com). DNSSEC removes the need for specific IP address range since the DNS record itself is secured and can be validated with third party authorities similar to an SSL certificate. You can confirm using this tool from Verisign.
How to contact us
We know these issues are important to you too. If you have any additional questions that aren't answered above, please email firstname.lastname@example.org and we'll reply as fast as we can.