Documentation

Security Overview

Alooma sees security as a cornerstone of the product and our relationship with our customers. It is the foundation upon which we build trust. Providing a worry-free data handling experience is one of our core values, and part of that is keeping data safe and secure. This article describes Alooma's approach to keeping your data secure.

Data Security, Retention, Access, and Encryption

Alooma collects and stores configuration details only. Actual data is transmitted and persisted to disk for reliability or customer usability.

Customer data is encrypted in transit and at rest.

Data Security

Customer data is encrypted in transit and at rest. All the networking and system devices require a form of secure transmission, either SSH or SSL. Access to the applications and admin console is enabled only through SSL, to ensure password and user privacy.

Even though Alooma does not store its customers' data, data must be persisted to disk for reliability and durability. The infrastructure components which store data to disk all utilize AWS EBS encryption.

Alooma supports Reverse SSH Tunnel connections.

Data Retention

Customer data is retained for 3 days. Alooma does not persistently store customer data; only metadata, including configuration, event field names and statistics, is stored. Customer data (e.g. file content, Salesforce records, etc.) stored in the Restream Queue or in memory will never be stored intact or kept on Alooma’s servers beyond a configurable retention period. Events that encounter pipeline errors might be stored for a longer period in the customer’s Restream Queue; that period can be adjusted according to the customer’s request.

Identity and Access Management

Customer passwords for the Alooma product interface are never stored in clear text. Alooma only stores the salted hash of the passwords, with a different salt for each user.

Passwords should contain at least eight characters, with at least one from each of the following categories:

  • English uppercase characters (A through Z)

  • English lowercase characters (a through z)

  • Base 10 digits (0 through 9)
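The password rules and per-user salting described above can be illustrated with a short sketch. This is an added example, not Alooma's code: the page only says "salted hash", so PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and all function names here are assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Assumptions (not stated on the page): PBKDF2-HMAC-SHA256, 16-byte salt,
# 600,000 iterations. The page only says "salted hash", one salt per user.
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 8


def policy_violations(password):
    """Return the rules from the list above that the password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than eight characters")
    # Membership in the ASCII sets, not str.isupper(): the policy says
    # "English" characters, so accented letters do not satisfy it.
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no English uppercase character (A-Z)")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no English lowercase character (a-z)")
    if not any(c in string.digits for c in password):
        problems.append("no base 10 digit (0-9)")
    return problems


def create_record(password):
    """Check the policy, then derive a hash under a fresh random salt."""
    problems = policy_violations(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}  # the clear-text password is not kept


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = create_record("Tr1ckyPassw0rd")
    bob = create_record("Tr1ckyPassw0rd")
    print("same stored hash:", alice["hash"] == bob["hash"])
    print("alice verifies:", verify("Tr1ckyPassw0rd", alice))
```

Because each record gets its own salt, identical passwords produce different stored hashes, so one precomputed table cannot be reused across users.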

Auditing

Audit log tracking is available. The audit log captures user access activity, including login attempts, data entry/change, etc. The audit log records remote support connection attempts and remote support actions such as application or configuration modifications. The logs are available as reports and can also be exported (CSV format).

Personal Cookies

Alooma uses HTTP cookies in several places in the application to provide a better user experience. Alooma does not set third-party cookies as part of the core product offering, except for its use of Google Analytics, which may set a third-party cookie.

DLP

Alooma’s customers can leverage Alooma’s built-in code engine to sanitize event data and generate notifications according to custom-defined DLP rules.

Protocols and tests

Security protocols in place

All of our security protocols and technical measures are designed to address our four “security pillars” of Confidentiality, Integrity, Processing Integrity, and Availability — designed to ensure customer data isolation, authentication, and the physical security of all customer data.

Security Audits/Certifications/3rd Party Tests

The Alooma platform is audited by a web application security research organization on a regular basis. The auditing firm conducts design security reviews and comprehensive manual penetration testing on newly implemented functionality across the entire Alooma product line, including the core application and its modules.

Security issues

Incident Response/Security Breach Policy

In the event of a security breach we assess the damage/potential damage, confirm the breach or exploit, and inform all affected customers. Once the vulnerability is fixed, a public message will be included in the release notes.

How do I report a security issue?

security@alooma.com
