Viable adheres to best practice standards for ingesting, handling and protecting data as well as responding to vulnerabilities or incidents. Our goal is to ensure a high level of security for our customer data as well as our own.
The SOC 2 standard applies to organizations that manage customer data around specific criteria: security, availability, processing integrity, confidentiality, and privacy. A company with a SOC 2 certification has demonstrated that it has developed controls that meet the stated criteria and maintains high standards of information security practices.
There are two types of SOC 2 compliance: type 1 and type 2.
Viable is currently certified for Type 1 and working to obtain Type 2 certification. Viable received its Type 1 certification on January 10, 2022.
For more information, visit the SOC page at the AICPA website.
PostgreSQL is our database, with AES-256 encryption at rest.
Hasura is what we use to expose data from the database as an API.
Vercel is the tool we use for deployment automation and application hosting.
A backend search engine is where we store our indexes of ingested data.
NPM is for application dependency management and dependency vulnerability scanning.
GitHub is where we maintain our code base.
Personally identifiable information (PII) from customer data is not stored in Viable. It is removed before it enters our system.
Access to data, including customer data, is restricted at all times (24 hours a day, 7 days a week) to authorized Viable employees, and only for the purpose of carrying out their job responsibilities. All Viable employees agree to adhere to confidentiality policies.
Viable does not employ contractors to access, handle, or otherwise manage data. All employee access to customer data is documented.
Secure access to data across applications is enforced across our internal infrastructure, with individual user accounts and SSO where possible.
AES-256 encryption is used to protect data at rest. Access is secured with JWTs and role-based rules. Data in transit is protected with HTTPS; we ensure that applications and browsers interact with Viable only over HTTPS.
Customer data is stored in a shared database with defined access rules limited on a per-customer basis.
The Viable infrastructure team regularly monitors and logs access to the Viable platform as part of its security procedures.
Data deletion requests will be completed within 30 days of request.
Penetration and vulnerability testing
Viable uses NPM as its software package manager and runs automated dependency vulnerability scans on deployment.
Viable follows CI/CD application development standards.
Code is reviewed by QA-trained engineers. Staging and production environments are maintained separately.
DDoS mitigation and global CDN are in place via Vercel. Viable’s availability is 99.99%.
Starting in 2021, Viable will engage third-party security experts to conduct annual penetration tests across our infrastructure and product surface.
Security incident response
Viable’s engineering teams prioritize any security incident and focus on finding a remediation and deploying it immediately. The team is trained and experienced in security incident response best practices.
Audit logs are maintained for all API activity and stored in Logflare.
All payments made to Viable are managed via payment processing platform Stripe. Payment information is handled directly between clients and Stripe. Payment information is never passed to Viable’s servers.