Alooma sees security as a cornerstone of the product and our relationship with our customers. It is the foundation upon which we build trust. Providing a worry-free data handling experience is one of our core values, and part of that is keeping data safe and secure. This article describes Alooma's approach to keeping your data secure.
Alooma collects and stores configuration details only. Actual data is transmitted and persisted to disk for reliability or customer usability.
Customer data is encrypted in transit and at rest. All the networking and system devices require a form of secure transmission, either SSH or SSL. Access to the applications and admin console is enabled only through SSL, to ensure password and user privacy.
Even though Alooma does not store its customers' data, data must be persisted to disk for reliability and durability. The infrastructure components which store data to disk all utilize AWS EBS encryption.
Alooma supports Reverse SSH Tunnel connections.
Customer data is retained for 3 days. Alooma does not persistently store customer data; only metadata, including configuration, event field names and statistics, is stored. Customer data (e.g. file content, Salesforce records, etc.) stored in the Restream Queue or in memory will never be stored intact or kept on Alooma’s servers beyond a configurable retention period. Events that encounter pipeline errors might be stored for a longer period (that period can be adjusted according to the customer’s request) in the customer’s Restream Queue.
Identity and Access Management
Customer passwords for the Alooma product interface are never stored in clear text. Alooma only stores the salted hash of the passwords, with a different salt for each user.
Passwords should contain at least eight characters, with at least one from each of the following categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Audit log tracking is available. The audit log captures user access activity, including login attempts, data entry/change, etc. The audit log also records remote support connection attempts and remote support actions such as application or configuration modifications. The logs are available as reports and can also be exported (CSV format).
Alooma uses HTTP cookies in several places in the application to provide a better user experience. Alooma does not set third-party cookies as part of the core product offering, except for the use of Google Analytics, which may set a third-party cookie.
Alooma’s customers can leverage Alooma’s built-in code engine to sanitize event data and generate notifications according to custom-defined DLP rules.
Security protocols in place
All of our security protocols and technical measures are designed to address our four “security pillars” of Confidentiality, Integrity, Processing Integrity, and Availability. They are designed to ensure customer data isolation, authentication, and the physical security of all customer data.
Security Audits/Certifications/3rd Party Tests
The Alooma platform is audited by a web application security research organization on a regular basis. The auditing firm conducts design security reviews and comprehensive manual penetration testing on newly implemented functionality across the entire Alooma product line, including the core application and its modules.
Incident Response/Security Breach Policy
In the event of a security breach, we assess the damage or potential damage, confirm the breach or exploit, and inform all affected customers. Once the vulnerability is fixed, a public message will be included in the release notes.
How do I report a security issue?