Please report any security concerns regarding the SafetyAmp platform to our team at security@safetyamp.com and it will be escalated immediately to the appropriate staff. Our GPG key is available here.
Google Cloud Platform ("GCP") is the infrastructure provider for all SafetyAmp products and platform services. GCP undergoes regular independent audits for a variety of standards including ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, EU-U.S. Privacy Shield, HIPAA, and PCI DSS.
Our infrastructure provider employs the best security practices known to the industry, as described in their whitepaper. Their security design includes:
Authentication
Users login to their company's SafetyAmp account by using external authentication providers via Single Sign On or with their work e-mail address and password. The client is issued a short lived, cryptographically signed JWT token held by the application front-end allowing it to make API calls to our platform for a period of time.
Access Control
User access is determined by an account administrator. RBAC is implemented within the platform to allow configurable access levels on a per-user basis and control access to the various features of the platform.
Encryption
All requests and responses are encrypted in transit with HTTPS transport layer security (TLS). Support for older SSL and TLS protocols are disabled, since they have known security vulnerabilities. Internally, data is encrypted in transit and at rest.
Data Retention
Customer data is maintained according to our terms of service for the lifetime of the account and for a short period thereafter.
Software Development Lifecycle
We use continuous integration and delivery policies to enable the rapid development, testing, and deployment of our platform. Automated monitoring and alarming is used to quickly alert our team of any issues to ensure an effective and timely response to potential problems.
Data Security & Privacy
We All client sessions connecting to SafetyAmp applications and infrastructure utilize end-to-end encryption. Stored data is encrypted in transit and at rest. Client communications require authentication with SafetyAmp with approved credentials via SSO or username/password combination. Our client application makes use of several layers of framework level protection to prevent web application vulnerabilities such as cross-site scripting, cross-site request forgery, and other such vectors. All releases and deployments are subject to security testing and automated procedures are in place to ensure platform security. SafetyAmp does not sell or share your data to third parties.
Security Updates
Our systems are regularly monitored and automatically patched to ensure immediate measures are taken whenever significant security vulnerabilities are discovered.
Third Party Subprocessors
SafetyAmp will sometimes send data to a third party subprocessor to deliver its service to its customers. Subprocessors are utilized for the sending of transactional e-mail messages as defined in the service, as well as for the conversion of documents to PDF. We never share or sell any customer data with third parties for any reason other than to deliver the SafetyAmp service.
Backups and Disaster Recovery
Regular (daily or otherwise) backups are created and maintained for each component of our cloud infrastructure. In the unlikely event of a complete outage, we can fully recover within 24 hours.
Employees
Every employee is required to sign confidentiality agreements and access is only granted to the systems needed to perform the functions of their assigned role. All data on staff computer systems is encrypted and remote management software is deployed to remote lock or wipe a machine if needed.
Disclosure Policy
In the event of a breach or data leak being discovered, we will notify the affected users as soon as is possible. We regularly post on our status page, scheduled or unscheduled maintenance, downtime, or other associated events.