Cloud Security & Infrastructure


At Celoxis, keeping your data safe and secure is important to us. We acknowledge your trust in us and do everything possible in respecting and protecting you and your data. Celoxis powers thousands of medium to large scale businesses and enterprises on the cloud. That’s why we employ state-of-the-art technology and strict procedures to keep your information and privacy secure.

  Physical Security


Celoxis servers are hosted in the Amazon Web Services (AWS) Cloud Infrastructure in the United States. AWS provides an advanced set of access, encryption, and logging features. AWS is trusted by world’s top brands and has more than 1 million customers. They have multiple layers of operational and physical security in place to ensure the integrity and safety of your data.

Our AWS Cloud infrastructure consists of multiple, discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities. This enables us to run production applications and databases which are more highly available, fault tolerant and scalable than would be possible from a single data center.

Physical access is controlled at data center building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. Authorized AWS staff utilize multi-factor authentication mechanisms to access the data centers. Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). AWS provides physical data center access only to approved employees and these requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound.


  Network & System Security


As computing power increases, it is of foremost importance to ensure that our application is not compromised by hackers with sophisticated processing capabilities. Access to Celoxis application is only via the latest 2048-bit industrial grade SSL certificates using the Transport Layer Security (TLS 1.2) protocol so that your data, passwords, cookies and other sensitive information is protected from eavesdropping.

Our applications run on Ubuntu Linux that makes them inherently less vulnerable to viruses or malwares.

In addition to AWS’ intrinsic security audits, we also regularly conduct internal network security audits, scanning and penetration testing. This enables us for quick identification of outdated systems and services. Whenever a vulnerability is publicly reported, prompt actions are taken in order to mitigate any potential risks for our customers — we apply hotfixes and patches promptly upon availability.

Access to our servers is possible only through VPN and SSH keys and is limited only to the co-founders of the company. This allows us to prevent, detect, and promptly remediate impacts of malicious traffic and network attacks.

Request Logging

Every request to the Celoxis application is logged with a timestamp, user identity, and source IP address.

Intrusion detection system

Our intrusion detection system proactively secures our servers against known attacks and brute force. We conduct regular audits and monitor log files to double check any vulnerabilities that may have resulted due to misconfiguration or manual errors. Our hardware, operating systems and applications are regularly upgraded with important security fixes.

24x7x365 alert mechanisms

Our application is constantly monitored to proactively report any abnormal activities. Using internal and external probes, we ensure that any such occurrences are immediately escalated.

Web Server

Our web servers are behind firewall and a Distributed Denial of Service (DDoS) protection software that safeguards our web applications.

Database

Our database is based on multiple levels of security. These include network isolation, encryption at rest using 256 bit keys and encryption of data in transit using SSL. Data in the underlying storage is encrypted, as are the automated backups, snapshots, and replicas.

Data transfer and Backups

Data-at-rest and data-in-transit between hosts and volumes is protected with 256 bit key encryption. All backups are also encrypted.


  Application Security


We deploy strict in-house security requirements and policies during our application development lifecycle. We use libraries only from well-known and trusted sources like Google and Apache. There is an in-depth security review of the architecture. We also conduct regular manual assessment and dynamic scanning of our pre-production environments.

User Authorization and Roles

Each user has a unique username and password that must be entered at the start of each Celoxis session. All user passwords are stored as a one-way salted hash and cannot be accessed by anyone. We also enforce strict user password policies to enhance data security. Celoxis also supports multiple methods of federated authentication, including SAML V2, to conveniently and securely gain access to Celoxis account leveraging corporate credentials. We have role-based in-application security mechanisms ensure that data access and user actions can be limited by each user’s role in each project. These individual user rights are controlled and managed by a Celoxis account administrator. Project managers also have the capability to assign roles in their projects to specific users and grant them permissions as required. Details about in-application security roles and privilege controls in Celoxis are documented in our Help Center. In case a troubleshooting or verifying a user-reported issue requires our support teams to access your account, your prior authorization is required through our ticketing system.

Monitoring User Activities

Celoxis application provides an object-based audit for certain objects that lets you monitor up-to-date account activity information by the user.


  Organizational Security


Our people and processes help make your data safer. All of our employees are trained to think security first. We have in-depth policies and processes around escalation management, knowledge sharing, vulnerabilities reporting, risk management, as well as other day-to-day operations. Protecting your data is as important to us as it is to you. Our security-first culture has enabled us to develop best-in-class practices for managing security and data protection risks for over 17 years.

All employee laptops and workstations are centrally managed. Each machine is configured with full disk encryption, antivirus, and firewall. Updates are regularly applied to all employee machines.

Access Management

Access to our data centers and the data stored in our databases is limited only to the co-founders of the company. There are stringent security policies for employee access, and all accesses are logged and monitored. All our employees are bound by the confidentiality agreement and accessing any customer data is only done on an as-needed basis only.


  Disaster Recovery


We know that downtime isn’t just bothersome, it is costly. Our services storage solutions are designed to deliver secure, scalable, and durable storage for businesses looking to achieve efficiency and scalability within their backup and recovery environment. We have invested significantly in a comprehensive failover and disaster recovery system to protect your data and ensure business continuity.

Web Servers

We continuously monitor the health of the servers from internal and external probes. Unhealthy instances are automatically terminated and a replacement server is automatically brought up. In the event that a web server cannot be automatically brought up, we have the ability to provision new web servers in an alternate data center in less than an hour.

Database

We maintain a synchronous standby replica in a different data centre. The database is synchronously replicated across data centres to a standby replica.

It has a fault-tolerant and self-healing storage that replicates six copies of the data across three data centres. Our database cluster is setup in a highly available configuration which means it transparently recovers from physical storage failures while instance failover typically takes less than 30 seconds.

The database system has the technology to recover from any developer errors. In addition, an encrypted snapshot is taken every 30 minutes and stored in Amazon S3.

Volumes

The service provides always-on detection and automatic inline mitigations that minimize application downtime and latency. Volumes are automatically replicated in its data centre to protect from component failure, offering high availability and durability.

In addition, an encrypted snapshot is taken every 30 minutes and stored in Amazon S3.


  Availability


Celoxis has historical uptime of more than 99.9% for monthly availability. We maintain a high-availability configuration for our individual components. You can view real-time statistics here.

Web Servers

Celoxis web servers are maintained in a high availability configuration. Health of the servers are monitored and unhealthy instances are terminated and a replacement server is automatically brought up.

Database

We maintain a synchronous standby replica in a different data centre. The database is synchronously replicated across data centres to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups.

This enhances availability during planned system maintenance, and help protect your data against database failures and data centre disruptions.

Our database cluster is setup in a highly available configuration which means it transparently recovers from physical storage failures while instance failover typically takes less than 30 seconds.

Volumes

A live standby volume is asynchronously maintained in another data centre to account for the primary data centre physical or network failures.


  Data Privacy


We know customers care deeply about their privacy and data security. Our data centers hosted in AWS are certified under CSA, PCI DSS Level 1, ISO 27001, ISO 27017, ISO 27018, FISMA Moderate, FedRAMP, FFIEC, FERPA, FIPS, HIPAA, SEC Rule 17a-4(f), SOC 1 (formerly referred to as SAS 70 and/or SSAE 16), SOC 2 and SOC 3 compliance standards.

For our European customers, with EU Data Privacy mandates, our data centers are certified under the EU-US Privacy Shield. You can view the certification here.


  Got questions or have any concerns?


Please contact our security team 24x7 at [js em address]