Autocase uses industry standard security practices to ensure all data and users are safe while on our services. Furthermore all personal data is properly stored, and access is only available through secure and authenticated connections to the Autocase platform.
All data is transferred to and from Autocase using SSL over HTTPS. Qualys, and third-party security company provides a service that tests and rates our SSL configurations. The security rating for Autocase’s SSL setup is A.
All Autocase databases are encrypted at rest, that is before moving through networks, so that data is not visible when in use or in transit. Data access is restricted to only core services and administrators. To protect encrypted data over the networks we force SSL connections to prevent man-in-the-middle attacks. All user authentication is validated using one way encryption algorithms. Passwords are always hashed and salted using bcrypt, this makes your password unreadable to any individual and cannot be decrypted from its encrypted state to reveal its true plain text format.
Our databases are multi-available (redundant), fault tolerant, and regularly backed up in order to maintain consistency of data and 100% up time.
All payment related information is stored in either Zoho Subscriptions or Stripe. Like most retail operations, the only payment data stored on our databases are last 4 numbers of a credit card and expiry dates, which are used for verification.
Our servers are operating on Google Cloud Platform, orchestrated through Kubernetes. Servers run by spinning up pre-built images, and they run in non-privileged mode so that there’s a strict limit to how much they can be tampered with. On top of that, the images mean that the whole service gets fully wiped and brought up fresh with every release – further limiting the tampering of the application by malicious use. As a software as a service application our databases, servers and services are multi-available (redundant), and fault tolerant in order to maintain 100% uptime.
Autocase production databases can only connect to other Autocase services and are not visible to the public.
The threat of zero-day exploits is a very real problem for all online services and at Autocase we recognize that. The following are some extra steps we take to mitigate our risks to these unknown threats.
Non Rooted Containers
All of our containers run non-root users, which makes it much more difficult to make unwanted changes to the application such as file addition, deletion, remote code execution, etc.
We scan our software libraries daily and apply security patches when available.
We automate the installation of security patches for our application servers in order to keep our users and data safe.
Autocase does have a point of entry for outside users to access the data through the Autocase API (Application Programming Interface). Access through the API is controlled with token-based authentication, so only users that have been granted an access token from Autocase can access the API. The API is not a direct link to the database, Autocase controls the flow of information with its API functions. Autocase’s API is designed so that only limited data can be accessed and only controlled data is accepted from third party applications through the API.
You can refer to our service providers for more information about certain compliance requirements.
Any security related concerns can be sent to us at firstname.lastname@example.org