Trust and Security
November 4, 2020
We take your trust, and the security and privacy of your data very seriously, with robust policies, controls, and systems in place to keep your information safe and secure.
We have a data security and privacy team dedicated to ensuring the protection of customer data.
Additionally, all Cultivate employees are required to understand and follow strict internal policies and standards. All employees (i) must pass a background check (ii) must sign appropriate non disclosure agreements (iii) are trained on security topics such as device security, preventing spyware/malware, physical security, and data privacy.
Encryption in transit
All data in transit between users, Cultivate, and email/messaging services is encrypted via TLS 1.x with 2048 bit keys.
All data at rest in Cultivate’s production network is encrypted using 256-bit Advanced Encryption Standard (AES). Message content is further encrypted in our database such that the plaintext never exists on Cultivate database servers at any point in time. Cultivate uses the AWS Key Management Service (KMS) to manage encryption keys. Keys are never stored on disk and retained only in memory while in use. Encryption keys are rotated regularly.
Cultivate divides its systems into separate networks using logically isolated Virtual Private Clouds in Amazon Web Services data centers. Systems supporting testing and development activities are hosted in a separate network from systems supporting Cultivate’s production services. Customer data only exists and is only permitted to exist in Cultivate’s production network. Network access to Cultivate’s production environment is restricted. Only network protocols essential for delivery of Cultivate’s service to its users are open at Cultivate’s perimeter. All network access between production hosts is restricted using firewalls to only allow authorized services to interact in the production network.
The Cultivate development team follows security best practices. All code is version controlled and goes through peer review and continuous integration tests to screen for potential security issues. Changes to the production environment are logged and the development team is notified of each release.
Cultivate users login with their Google or Office 365 accounts using OAuth 2.0, an industry standard for authorizing secure access to external apps. Cultivate does not receive or store user passwords at any time. Users may revoke Cultivate’s access at any time.
Cultivate uses third-party vendors to provide the application services. Vendors are reviewed by the security team and under appropriate contractual provisions to maintain data securely and use data only to provide the service for which Cultivate has engaged such vendor.
Retention and Deletion
The Cultivate environment is backed up daily to a fully redundant data center. All database backups are securely deleted every 7 days.
To the extent possible, Cultivate automates access to customer data and strictly limits viewing by humans. Only authorized employees may access customer data for essential job functions and for a limited amount of time in a secure environment. All requests to access customer data must be reviewed and approved by the executive team and must have a clear technical justification. Cultivate reviews access and security audit logs on a regular basis.
Production servers are hardened, with the minimally required set of services allowed to run. A custom based server image which has been reviewed for security is used to run all production services.
All application components produce audit logs of security critical events which are centrally aggregated and analyzed for potential security incidents. When an incident is detected our engineering team executes our incident response policy.
Cultivate follows industry standard procedures to handle security incidents, including preparing, reporting, identifying, containing, eradicating, recovering, and reviewing incidents. Should an incident result in a data breach, Cultivate will notify customers without undue delay and work with and continuously update customers to control and remediate the incident.
Vulnerability Management and Disclosure
Cultivate uses third party services to run automated vulnerability tests on the production environment. Engineers are always on call to immediately address any issues. We maintain a big bounty program though HackerOne.
Cultivate undergoes independent black and gray box security penetration tests by third-party security firms. The findings are reviewed, prioritized, and tracked to resolution, including third-party verification of resolution.
Data center security
Cultivate’s infrastructure is built on top of Amazon Web Services, and is housed in data centers operated by Amazon. Amazon has strict policies for physical security, including 24-hour video surveillance and strict access restrictions.
All employee devices must meet our security standards. These standards require all computers to have strong passwords, encrypt data on disk, run anti-virus software, and lock automatically when idle. No data is stored on employee computers or servers in the office.
Cultivate maintains a SOC 2 Type II certification and an annual GDPR validation. To request a copy of these reports or our internal security policies please send a request to firstname.lastname@example.org.