Security is at the core of what we do. As a security vendor helping our customers secure their application stacks, we care deeply about our own security and compliance.
Secure By Default Policies
Operant’s internal security and risk management is guided by our own product pillar of being secure by default. This high level goal permeates all of the policies and controls we have in place in the product and across the company.
Our secure by default policies are backed by the following principles:
Least privilege: The principle of least privilege is enforced all the way from our development and production infrastructure to the product layer and APIs. This ensures that internal developers, employees, customer users, and processes always follow RBAC/ ABAC rules for access to different resources.
Fine grained Access Controls: Access needed by users and processes is restricted to a minimum using controls such as cloud IAM policies attached to specific roles for internal developers and RBAC roles when accessing the product for end users. Periodic access reviews across all internal cloud and SaaS accounts ensure that access permissions are at the minimum needed level.
Consistent enforcement: Security policies are enforced consistently across all environments of Operant using IaC and Policies as Code where security is baked into our CI/CD processes.
Adaptive Controls: Operant’s security policies are iterative and adapt as users, processes, and the accesses they require change over time.
Data Security and Protection
Encryption
- All customer data is encrypted at rest
- All data including customer data is always encrypted in transit over TLS
- Access keys to all data systems are encrypted as well
Backups and Retention
- Data backups are performed daily and are also encrypted
- Customer data is deleted upon request in a timely manner
Access Controls
- Access to all data systems follows least privilege principles
- Production data is segmented from other development and staging data systems
- Only production systems have customer data
Product Security
Software development
- Secure software development is always one of our code review criteria
- All code including application and IaC code is subject to mandatory code reviews
Vulnerability Scanning
- All code including third party libraries and packages are periodically scanned for vulnerabilities. Automatic patch pull requests are reviewed internally and merged as soon as possible
- All container packages and host OS packages are also periodically scanned for vulnerabilities and patched within security SLAs.
API Security
- Product APIs follow best practices for authentication, authorization, and other security criteria
- Security and compliance posture of third party vendors and APIs used as part of Operant’s product is periodically assessed
Access Controls
- Product and infrastructure access is governed by fine grained RBAC policies
- Dev, Staging, and Production systems are properly segmented using network policy controls
Endpoint Security
- All employee laptops have their hard drives encrypted
- Third party assessments periodically review security configurations of all employee devices
- Multi factor authentication is enforced across all SaaS accounts
- Employee access to all internal and SaaS services is always encrypted
Responsible Disclosure
We take the security of our product and customer data very seriously. Get in touch at security@operant.ai to report any security concerns or vulnerabilities.