Security Overview

This document is intended for any Clear To Go! customer or potential customer who wants to learn more about how Clear To Go! approaches security.

Clear To Go! Security Principles

We believe that the best way to achieve security is to build all systems and processes with security in mind and to leverage all modern tools and standards.

Our high-level security principles include:

  • Employees of Clear To Go! only have access to client data on a need-to-know basis.
  • Employees of Clear To Go! are required to use two-factor authentication to access all systems.
  • Our application is securely hosted on Amazon Web Services infrastructure exclusively within the United States using the Heroku platform (a Salesforce company).
  • Minimum password requirements are enforced for all users.
  • We require encrypted connections (https) using TLS 1.2 at all times. Unencrypted access to the system is not supported.
  • Our application is based on a REST API framework. Access to APIs is secured and reviewed periodically.

Infrastructure Security

Heroku

Clear To Go! uses Heroku (a Salesforce company) to assist with infrastructure management, scaling, and security. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world. Heroku is designed to protect against threats by applying security controls at every layer from physical to application, isolating customer applications and data, and rapidly deploying security updates without customer interaction or service interruption.

Heroku has security standards published here: https://www.heroku.com/policy/security

Our app is hosted in an environment that is compliant with the following certifications:

  • ISO 27001, 27017, 27018
  • HIPAA
  • SOC 1, 2, 3
  • PCI DSS Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

The environment is protected with the following and more:

  • Firewalls
  • DDoS Mitigation
  • Spoofing and Sniffing Protections
  • Port Scanning
  • Intrusion Detection

Amazon Web Services

Clear To Go! also leverages Amazon Web Services (AWS) for certain infrastructure, and Heroku itself runs on AWS infrastructure.

AWS has security standards published here: https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/

Amazon is one of the most trusted hosting providers in the world. Amazon maintains a series of security certifications including:

  • ISO 27001, 27017, 27018
  • PCI DSS Level 1
  • AICPA and SOC
  • HIPAA

AWS environments are continuously audited, with certifications from accreditation bodies across the globe. Amazon provides all server management for Heroku and Clear To Go. Clear To Go! is hosted in the US-East Amazon data center.

Application Security

Clear To Go! runs a modern web application and API backend. Our application is designed with security in mind.

Development Practices

We have a robust testing framework in place, which includes both automated and manual testing.

All code is reviewed by at least two engineers before pushing to production, and all deployments are signed off by the CTO.

If code is related to security or deemed to be high risk, at least three engineers must review the code, and additional testing must be completed before deployment.

Automated code reviews include checks for:

  • SQL injection
  • Cross-site request forgery
  • Session vulnerabilities
  • Cross-site scripting
  • File access
  • Authentication
  • Denial of service

We review the third-party software we use and promptly update it based on recent security updates.

Vulnerability Testing

  • We periodically perform internal penetration testing and are happy to facilitate vulnerability testing by our clients upon request.
  • Third-party vulnerability testing is performed on a weekly basis. Found vulnerabilities are given the highest development priority and are fixed immediately.

Database Security

  • All databases that contain production data are encrypted both in transit and at rest.
  • We have point-in-time rollback for production databases with failover copies in multiple availability zones.
  • Access to database credentials is limited to the CTO and Lead Developers, who are always required to use two-step authentication to access this data.
  • We will securely delete any client data from our servers within 30 days upon request.
  • All clients have a right to a full export of their data within 30 days upon request.

Security Incident Response

Clear To Go! is committed to keeping clients informed of any actual or potential security incidents and to providing support in the unlikely event of any incident.

  • Clear To Go will notify all clients by email within 24 hours of the discovery of any data breach or security incident
  • Clear To Go will assign a dedicated team of engineers within 24 hours to fully investigate the scope and severity of any security incident
  • Clear To Go will assist with the investigation of any security incident using all available monitoring tools and logging
  • Clear To Go will be available for any questions and follow-up at support@cleartogo.co
  • Clear To Go will work with all clients to mitigate any security incident as much as possible

Disaster Recovery and Business Continuity

Clear To Go is committed to providing a stable platform and to restoring access to our systems quickly in the unlikely event of any disruption to our infrastructure or our business.

  • Clear To Go only uses industry-leading infrastructure providers and tools, such as Heroku (a Salesforce company) and Amazon Web Services
  • We have contingency plans to launch our databases and application in other regions of our cloud providers, or another cloud provider entirely, if there is a major failure in one
  • Our application is built in a distributed and flexible way so that it does not depend on any specific servers but can be deployed quickly where necessary
  • All user data is backed up at least every 24 hours, and encrypted backups are maintained in multiple regions (within the US)
  • Our recovery time objective (RTO) is 4 hours and our recovery point objective (RPO) is 24 hours