Chatway, Inc. Security Statement

 

 

Data Center

Chatway’s services are hosted on Amazon Web Services’ (“AWS”) EC2 platform via the Heroku build and deployment cloud platform. The physical servers are located in AWS’s secure data centers.

From Amazon’s documentation:

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). We undergo annual SOC 1 audits and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.

Further information on the security of AWS EC2 data centers is available directly from Amazon.

 

Where is my data hosted?

All user content is stored within US regions of AWS. Chatway’s production environment is hosted on the AWS EC2 platform. User content is also stored in AWS EC2, S3, RDS and ElastiCache.

We are working on offering customers the option of hosting Chatway on a private server, allowing the use of Chatway on a separate infrastructure.

 

Production Environment

Separate and distinct production, staging, and development environments are maintained, and production data is not replicated outside of the production restricted environments.

Only authorized and trained members of Chatway’s Engineering team, directly controlled by the CEO, can access the production environment via secured SSH terminal connections using passphrase-protected personal RSA certificates. Customer data is not replicated onto employee workstations or mobile devices. Users of Chatway can access data via mobile apps.

 

Network Security

Chatway uses SSL (Secure Sockets Layer) to establish encrypted links between its servers and clients for all online communication and all data transfers between its users and its servers. This ensures that all data transmitted between the servers and the client devices remains encrypted.

 

Login and session security

When logging in directly to Chatway using a username or email and password, Chatway requires a password of at least 8 characters. Passwords are stored in a hashed form and will never be sent via email. This means Chatway doesn’t hold the users’ passwords and cannot reconstruct them. Upon account creation and password reset, Chatway will send a link to the email associated with the account that will enable the user to create a new password.

Once a user is logged in, Chatway issues a JSON Web Token (JWT) to represent the user session. JWT is an open, industry-standard method (RFC 7519) for representing claims securely between two parties.

 

Access Control

All customer data is considered highly sensitive and is protected, and access follows the principle of least privilege. Only authorized and trained members of the Chatway team have direct access to production systems and user data. Those who do have direct access to data are only permitted to view it in aggregate or for troubleshooting purposes. User data is only viewed by Chatway employees for troubleshooting purposes when consent has expressly been provided ahead of time by the account owner or team administrator.

 

Third Party Access

In some use cases, select customer data is shared only with third-party service providers acting as our agents and in strict compliance with signed service agreements. These third-party services include Intercom for customer management and support, Mailchimp for emailing, Heap Analytics for behavior analysis, and CloudConvert for file processing and conversion.

 

Physical Security

Customer data is never to be replicated outside of the production environment and is never to be replicated onto employee workstations. Because of this, Chatway relies on AWS for physical security compliance. Chatway’s production services are hosted on Amazon Web Services’ (“AWS”) EC2 platform. The physical servers are located in AWS’s secure data centers. Production critical data is never to be stored on physical media outside of the cloud provider’s production environments. From Amazon’s documentation:

AWS has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). AWS undergoes annual SOC 1 audits and has been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.

Further information on the security of AWS EC2 data centers is available directly from Amazon.

 

Encryption In-Transit

Chatway uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, iOS, and Android apps and the Chatway servers. There is no non-TLS option for connecting to Chatway. All connections are made securely over HTTPS.

 

Encryption At-Rest

All uploaded files are encrypted at rest using industry-standard AES encryption and are stored in Amazon’s S3 service. Each file is assigned a unique link with an unguessable, cryptographically strong random component, and is only accessible using a secure HTTPS connection. Uploaded files are encrypted using Amazon S3 server-side 256-bit AES encryption.

User content is held in Amazon RDS encrypted DB instances which use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts Chatway’s Amazon RDS DB instances. Amazon RDS encrypted DB instances provide an additional layer of data protection by securing user data from unauthorized access to the underlying storage.

The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process.

 

Encryption on Mobile Devices

While users make use of the Chatway iOS and Android mobile applications, some data may be stored in an unencrypted form on the device.

 

Encryption Keys

Encryption keys for uploaded files, stored in S3, and user content, stored in RDS, are managed by Amazon. The encryption, key management, and decryption process is inspected and verified internally by Amazon on a regular basis as part of their existing audit process.

 

Security incidents

Potential security events are identified and reported to appropriate personnel for resolution. The Chatway team is trained and prepared with an incident plan and follows defined protocols for resolving security events.
