At Connect The Dots we do not believe that security requires a unidimensional solution. To provide effective security requires a combination of intelligent policies, designs, sound architecture, training, and — most of all — vigilance. This article outlines each of the information security strategies we employ. These are constantly evolving in response to new threats and discoveries.
Organizational security
Data security starts with the people entrusted with the data. Our internal policies and training require all members of our team to use approved tools designed to maintain the security of data and systems. Two-factor authentication and TLS encryption in transit are required when accessing all Connect The Dots systems used for communications, source code, and cloud connectivity. We also require all employees and contractors to follow IT guidelines including requiring whole disk encryption at rest, strong authentication on all devices, and the use of unique randomly generated passwords.
We employ rigorous practices for provisioning and de-provisioning system access and utilize single-sign-on. Employees are required to use strong unique passwords and we have established mechanisms for password/secret rotation which are executed on a regular schedule and during staffing changes.
In addition to internal audits of our security practices, we engage third-party security organizations to perform penetration testing on our externally-facing systems.
Cloud security
Connect The Dots is built on the Google Cloud Platform (GCP). In addition to providing a hosted application, compute and storage environment, we provision many of the platform's security tools and resources. These systems include Google Secrets Manager for storing and granting system access to secret pieces of data. Google Cloud audit logs provide an accounting of administrative operations, data access, system events, and when access to any system is denied.
Application security
User authentication leverages the single-sign-on capabilities of our data providers (Google Single-Sign-On). Connect The Dots does not use or store additional passwords. Access may be de-provisioned centrally.
The layered architecture of Connect The Dots' SaaS system keeps sensitive data separated from public networks. First, we leverage a Web Application Firewall which provides encryption of data in transit as well as a host of protections against common attacks. These include prevention of SQL injection, cross-site scripting, and denial of service. The Web Application Firewall also provides a single choke point for incoming traffic that can restrict access by region or IP range.
All application services are operated within our own virtual private network which prevents inbound connections directly from the public networks. These networks are further separated to control the flow of traffic, even within the private networks. Within our private network, data communications between servers are encrypted in transit and at rest. Connect The Dots also maintains distinct systems for development, testing, and production environments.
Connect The Dots has elected to not persist sensitive information such as email body content. Our proprietary content and entity extraction algorithms process email messages in memory, extracting less sensitive structured information such as email signatures, without retaining a copy of the content. This also means that our customers may revoke Connect The Dots' access with the knowledge that all email content will be inaccessible to any part of our system.
Connect The Dots leverages third-party client access tokens to obtain new emails, headers, and content. The access tokens are stored separately from all other user and application data. They can only be accessed by services dedicated to processing email content, and are encrypted at rest. Additionally, the client secret granted to Connect The Dots from Google is not available to any application, developers, or administrators that are not involved directly in the email ingestion system.
Security architecture
The Connect The Dots system includes a diverse set of microservices and compute-intensive applications. Our security architecture is designed on the principle of least privilege. This means each piece of the system has access only to the information it needs to perform its function. We separate the systems, network, and data to reduce the amount of data exposed. This strategy limits both the impact of a bad actor and the access employees have to data.
Within the Connect The Dots cloud infrastructure, Connect The Dots' microservices communicate with each other within the virtual private network. Communications within the network are encrypted, and access to all services (third-party or custom-built) requires a strong authentication token which must be verified to grant access.
Software security
The Connect The Dots SaaS is created using a leading technology stack that provides proven design patterns that deliver both scalability and security. Connect The Dots' software development process incorporates code reviews, as well as rigorous manual and automated testing. Additionally, all third-party modules are monitored for security vulnerabilities so we can quickly upgrade systems if vulnerabilities are discovered.
Vigilance
In addition to architectural safeguards, Connect The Dots strives to be vigilant. All access to the Google Cloud platform is audited and audit logs are reviewed periodically to identify anomalous activities. Additionally, audit records alert first- and second-tier systems operators when anomalies are detected.
Connect The Dots consults with third parties to advise on security threats, independently verify the robustness of its systems, and develop a long-term strategy to keep its infrastructure safe.
Business continuity
Connect The Dots' systems are designed to be highly available with no single point of failure within a region. Each of the subsystems is created with redundancies that support automatic failover. To minimize the risk of customer data loss, the core data sources are backed up with regular verifications of the backup and recovery procedures. By utilizing the Google Cloud Platform, Connect The Dots leverages the physical infrastructure that provides physical data center security as well as the infrastructure for redundancy and multi-site backup and recovery capabilities.
Have a question about our security practices, or need our SOC 2 report for a vendor review? Email security@ctd.ai.