Security Disclosures

Please report any security concerns regarding the SafetyAmp platform to our team at security@safetyamp.com and it will be escalated immediately to the appropriate staff. Our GPG key is available here.

General Data Protection Regulation

SafetyAmp is GDPR compliant and we handle our customer data with great care, as outlined in our terms of service and privacy. We have vetted all of our subprocesses for compliance as well. GDPR responsibility is ultimately up to our customers controlling their own data but we assist in any way necessary to help and follow strict security practices and policies.

Infrastructure Security

Google Cloud Platform ("GCP") is the infrastructure provider for all SafetyAmp products and platform services. GCP undergoes regular independent audits for a variety of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, EU-U.S. Privacy Shield, HIPAA, and PCI DSS.

Our infrastructure provider employs the best security practices known to the industry, as described in their whitepaper. Their security design includes: 

• Physical Security
  ‍Each data center features access logging, alarms, vehicle barriers, enclosed perimeters, metal detectors, surveillance, security guards, and biometric key cards.
• Hardware Security
  ‍Isolated virtual machines are deployed on a secure and automatically patched boot stack to custom-built, proprietary server and network equipment.
• Network Security
  ‍Internal traffic is automatically enncrypted using AES and Diffie-Hellman key exchange across a private global fiber network.
• Data Security
  ‍Data is encrypted at rest with industry standard ciphers and regularly rotated encryption keys. SSD's are encrypted and destroyed when decommissioned.
• Employee Security
  ‍All Google employees undergo background checks and security training. Less than 1% of employees have physical access to data centers.

Application and Data Security

Authentication
‍Users login to their company's SafetyAmp account by using external authentication providers via Single Sign On or with their work e-mail address and password. The client is issued a short lived, cryptographically signed JWT token held by the application front-end allowing it to make API calls to our platform for a period of time.

Access Control
‍User access is determined by an account administrator. RBAC is implemented within the platform to allow configurable access levels on a per-user basis and control access to the various features of the platform.

Encryption
‍All requests and responses are encrypted in transit with HTTPS transport layer security (TLS). Support for older SSL and TLS protocols are disabled, since they have known security vulnerabilities. Internally, data is encrypted in transit and at rest.

Data Retention
‍Customer data is maintained according to our terms of service for the lifetime of the account and for a short period thereafter.

Software Development Lifecycle
‍We use continuous integration and delivery policies to enable the rapid development, testing, and deployment of our platform. Automated monitoring and alarming is used to quickly alert our team of any issues to ensure an effective and timely response to potential problems.

Data Security & Privacy
‍We All client sessions connecting to SafetyAmp applications and infrastructure utilize end-to-end encryption. Stored data is encrypted in transit and at rest. Client communications require authentication with SafetyAmp with approved credentials via SSO or username/password combination. Our client application makes use of several layers of framework level protection to prevent web application vulnerabilities such as cross-site scripting, cross-site request forgery, and other such vectors. All releases and deployments are subject to security testing and automated procedures are in place to ensure platform security. SafetyAmp does not sell or share your data to third parties.

Security Updates
Our systems are regularly monitored and automatically patched to ensure immediate measures are taken whenever significant security vulnerabilities are discovered.

Third Party Subprocessors
SafetyAmp will sometimes send data to a third party subprocessor to deliver its service to its customers. Subprocessors are utilized for the sending of transactional e-mail messages as defined in the service, as well as for the conversion of documents to PDF. We never share or sell any customer data with third parties for any reason other than to deliver the SafetyAmp service.

Backups and Disaster Recovery
Regular (daily or otherwise) backups are created and maintained for each component of our cloud infrastructure. In the unlikely event of a complete outage, we can fully recover within 24 hours.

Employees
Every employee is required to sign confidentiality agreements and access is only granted to the systems needed to perform the functions of their assigned role. All data on staff computer systems is encrypted and remote management software is deployed to remote lock or wipe a machine if needed.

Disclosure Policy
In the event of a breach or data leak being discovered, we will notify the affected users as soon as is possible. We regularly post on our status page, scheduled or unscheduled maintenance, downtime, or other associated events.