Security & Compliance at Airavana
This page provides an overview of the security measures taken by Airavana to protect source code, vulnerability data, and user data hosted on our platform from unauthorized access. Where relevant, we include links to security guidelines and resources developed by third parties.
Airavana operates on the Amazon Web Services (AWS) platform. All data is encrypted at rest and continuously and securely backed up.
The AWS data centers employ a set of advanced physical, network, and software security measures to ensure the integrity and safety of customers’ data. Additionally, Airavana follows all applicable security best practices, such as:
- Secure access: Data transferred between Airavana servers on AWS and customer’s Cloud Apps is secured via SSL (TLS 1.2 or higher) endpoints using the HTTPS protocol.
- Multi-factor authentication: Multi-factor authentication is enforced for all critical services used by Airavana, reducing the risk of unauthorized access.
- Single sign-on and role-based access control across all internal systems.
- Authentication, authorization, bot detection, and rate limiting at the API gateway.
Data under scan is stored only for the duration of the scans. After the scans have been completed, the data is deleted immediately and securely.
Airavana does not store any sensitive data of customers. All user data across systems can be deleted upon request.
Airavana uses a secure channel with 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure Internet connections, for all traffic between desktop clients, mobile devices, and our servers. All SSL termination points are hardened to provide the highest levels of security. Airavana uses mTLS for secured communications within the AWS VPC.
Airavana uses SSL/TLS certificates from AWS Certificate Manager to ensure secure and short-lived certificates that are automatically renewed on a quarterly basis.
Wherever possible, Airavana relies on managed services, which take care of all updates and security fixes automatically and in the most timely fashion possible. Airavana has an internal Vulnerability Management Policy to ensure all un-managed systems are kept up-to-date and free of known vulnerabilities.
Airavana uses AWS ECR scan to continuously check for security issues in code, known vulnerabilities in dependencies, and hard-coded secrets. It’s our policy to fix all issues in a PR before the changes can be merged. For critical repositories, a peer-review workflow is required to merge changes.
Incident Response Plan
Airavana has an internal Incident Response Policy and an Incident Response Plan to ensure timely action in the unlikely event of a breach.
Logging and Monitoring
Both application logs and production system logs are sent in real time to a centralized logging infrastructure. These logs are not directly accessible outside our organization. Logs do not contain sensitive data or passwords, and are retained for 12 months.
We encourage responsible reporting of security vulnerabilities and software bugs. If you find a vulnerability, please report it to firstname.lastname@example.org and abstain from publicly announcing it before it is fixed. Please note that we discourage attempts to gain illegitimate access to another user’s account or data or to compromise the reliability and/or integrity of our services, as well as the use of automated tools to find vulnerabilities.
Our community plays an important role in helping us stay bug-free and secure.
Airavana is SOC 2 Type 2 certified, which means that the design and operating effectiveness of our security controls are always under audit. Airavana engages in regular SOC 2 audits that are conducted by an independent, third-party auditing firm. Contact us to request the latest copy of our SOC 2 audit.