Last updated 07/05/2022
I want to take a moment to communicate SALT's current and future position on security as it pertains to our application and the information we collect on behalf of our customers and then emphasize our commitment to security.
In short, we highly value security and have provided below a list of how we're working to protect our application, customer data, and staff.
Some technical contacts for customers and partners may have a list of questions, but most will begin by asking if we are SOC2 certified. The answer today is not yet. Like any start-up, we work within our budget to define what is possible and practical for our financial and time investment. What do I mean by possible and practical?
As a result, we have not yet invested in our pursuit of full SOC2 compliance. Instead, we're doing everything possible to ensure we are as security-minded and protected as possible, including partnering with the cyber security firm RigidBits to help us assess security risks, build incident response plans, and more.
In the meantime, I'd ask any customer or partner to review the list below and then let me know what questions remain. But, again, our commitment is to be open and honest about where we are and work to answer any concerns you may have.
To back our commitment to security, I'm available as our CEO to discuss these points with any customer or agency considering SALT as a digital solution for their agency. You can grab time on my calendar whenever it is convenient for you.
Jonathan Simmons, CEO
First, a word about the culture here in general: we're a “techy team” trying to bring a new standard of security to the insure-tech startup space.
We've retained RigidBits, an accredited cyber-security firm, to assist us in all things security as we prepare ourselves for SOC2 compliance.
Having consultants like RigidBits on hand means we can consult security experts about our existing and upcoming infrastructure plans and policies.
Security is a complex matter. SOC 2 compliance, for example, comes with over 254 suggested policy controls that need to be defined. While we're still working to build sustainable policies for each of these, an awareness of the need and impact of well-maintained security protocol and the adverse effects of a breach is imperative.
SALT works with KnowBe4 to put all staff through security awareness training. This gives each staff member an understanding that goes well beyond the idea that passwords should be complex.
Internally, we deploy two-factor authentication across all external vendors and services. Additionally, we use 1Password, an incredible cloud-based encrypted password manager, to generate completely random passwords of 20+ characters for all employee logins.
Even with the best intentions, security, certificates, and checks may slip through the cracks, which is where insurance comes into play. As an insurance-focused product, we know the importance of insurance coverage for everything from general liability to cyber security and risks. Limits and coverage certificates are available on request.
As mentioned, we're a small team, and to optimize our time, we work to outsource as much of our security infrastructure as possible to people who know it better than we do. For example, our application is hosted with Heroku, a Salesforce company, pioneering simple hosting with a well-documented security policy. This allows us to focus on product development while ensuring our application and customer data are safe and protected.
We employ a multilayered backup strategy to be resilient to hardware failure, regional disasters, and malicious acts. Both point-in-time backups and daily snapshots are available for use in recovery.
All data in transit is sent encrypted over HTTPS with TLS 1.2. Our production databases utilize encryption at rest. We limit brute force attacks with rate limiting, and all passwords are filtered from all our logs and are one-way hashed using industry-standard bcrypt.
We hire the best developers we can find. Since so many security exploits take advantage of coding errors, part of security is having well-tested, well-reviewed code. At SALT, code changes are reviewed by teammates, run against an automated testing framework, and in most cases, manually QA'd. By the time new code runs in our production environments, it has had robust testing and review. Developing this way means that it takes more time to get things done, but it also means that fewer mistakes get by.
All customer data is stored in US-based AWS data centers, which use industry-leading practices in physical security, redundancy, and availability. You can learn more about Amazon's data centers here.
SALT is a remote-first company that employs people in seven cities across four states. Being remote-focused means we have company devices and hardware in multiple locations. So in the event of a break-in at an employee's property or office, we might lose some expensive monitors or computing hardware. Still, since our application and data servers don't reside in any employee-run buildings or property, they aren't vulnerable to smash-and-grab robberies.
Further, every employee device is password-protected, encrypted, and managed by remote management software. At any time, we can lock or even remotely wipe the device. In customer support, employees may access customer data, but only over an encrypted connection, and they must initiate a logged, time-based connection to do so.
SALT is a small company, so thankfully, we can hire some brilliant people who care about the company's success. As a result, our employee turnover is extremely low, especially for the tech industry. In addition, to protect company data, including customer data, all employees sign a non-disclosure agreement when hired.
If you have questions not addressed on this page, please don't hesitate to ask by emailing us at firstname.lastname@example.org or using the link on this page to book a security discussion with Jonathan.