Security

Authentication and Access Management

End users may log in to Eppo Data via the “Sign-in with Google” OpenID service. These services will authenticate an individual’s identity and may provide the option to share certain personally identifying information with Eppo Data, such as your name and email address to pre-populate our sign up form. All requests to the Eppo Data API must be authenticated.

Protection of Customer Data

Data submitted to the Eppo Data service by authorized users is considered confidential. This data is protected in transit across public networks and encrypted at rest. Customer Data is not authorized to exit the Eppo Data production service environment, except in limited circumstances such as in support of a customer request.

All data transmitted between Eppo Data and Eppo Data users is protected using Transport Layer Security (TLS) and HTTP Strict Transport Security (HSTS). If encrypted communication is interrupted the Eppo Data application is inaccessible.

Eppo Data maintains a single data center in the United States. Customer submitted service data is not transferred or shared between data centers. Eppo Data utilizes encryption at various points to protect Customer Data and Eppo Data secrets, including encryption at rest (e.g. AES-256), asymmetric encryption (e.g. PGP) for system backups, KMS-based protections for the protection of secrets (passwords, access tokens, API keys, etc.), and GPG encryption​.Access to Customer Data is limited to functions with a business requirement to do so. Eppo Data has implemented multiple layers of access controls for administrative roles and privileges. Access to environments that contain Customer Data requires a series of authentication and authorization controls, including Multi-Factor Authentication (MFA). Eppo Data enforces the principles of least privilege and need-to-know for access to Customer Data, and access to those environments is monitored and logged for security purposes. Eppo Data has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms, and enforces full-disk encryption and unique credentials for workstations.

Eppo Data monitors critical infrastructure for security related events by using a custom implementation of open source and commercial technologies. Activity data such as API calls and operating system level calls are logged to a central point where the information is passed through a series of custom rules designed to identify malicious or unapproved behavior. The results of these rules are fed into an orchestration platform that triggers automated actions, which may include directly alerting the security team or triggering additional authentication requirements.

‍

Laws and Regulations

Eppo Data solution is compliant with various data protection laws and regulations applicable to the services we provide.

Vendor Management

Eppo Data leverages a number of third party applications and services in support of the delivery of our products to our customers. The Eppo Data Security Team recognizes that the company’s information assets and vendor dependencies are critical to our continuing operations and delivery of services. As such, Eppo Data’s Security and Privacy teams have established a vendor management program that sets forth the requirements to be established and agreed upon when Eppo Data engages with third parties or external vendors. These engagements are designed to assess the technical, physical, and administrative controls in place and to ensure they are commensurate with the expectations of Eppo Data and its customers.

Disclosure

If you believe you’ve discovered a bug in Eppo Data security, please get in touch at security@geteppo.com and we will get back to you within 24 hours, and usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.