At Authzed, we understand that when you use our services that you are trusting us with some potentially sensitive data. To build trust in our products and policies, we provide transparency into our security practices. The following lays out the features and policies that secure Authzed services so that customers are informed as to exactly how data is treated and how responsibilities are delegated.
Each Authzed Dedicated customer receives a cluster which is spun up in a separate cloud account within a virtual private cloud (VPC) in a cloud provider’s account. The customer has the choice to choose Amazon Web Services (AWS) or Google Cloud Platform (GCP). The separate VPCs are fully isolated to ensure that each cluster can only be accessed from a customer’s peered network. A limited number of on-call Authzed employees who require such access are granted access to these customer clusters, as specified in the contracts between Authzed and the customer.
All traffic produced and consumed by Authzed services is encrypted using modern TLS standards. The certificates securing traffic are automated by Let’s Encrypt and are published to certificate transparency logs. No customer configuration is required to secure traffic.
All disk-backed data produced by Authzed services is encrypted at rest using server-side encryption provided by cloud providers. This data includes nightly backups which are preserved for at least 7 days. No customer configuration is required to secure this data.
Authzed has a process for identifying and managing security vulnerabilities and threats. Once a security vulnerability has been detected, appropriate personnel are assigned to immediately fix it. Upgrading to the patch is automatically performed for our managed services, and customers are notified after the patch has been applied. For customers running on-premises, Authzed may, depending on the severity of the issue, notify all paid customers and provide them sufficient time to address the issue, including upgrading to a patch, if necessary. This will be followed up with a notification and the updated patch on open channels such as our GitHub, Discord, and on our website. Following this public release, an internal post mortem is conducted to understand the cause of the incident, and corrective action necessary to prevent future similar incidents. Our release notes contain updates on security vulnerabilities and patches, when they occur.
To report an incident, an email to firstname.lastname@example.org should be used. Behave as if you were reporting a crime and include specific details about what you have discovered.
All Authzed services are hosted within cloud providers. All physical security controls are managed by the cloud provider. Authzed is a fully remote company with no physical facility to secure. All employee systems that access Authzed services have device management installed that enforces up-to-date security practices.
Authzed services are designed under the assumption that certain controls will be the responsibility of its customers. The following is a non-exhaustive list of controls that are provided under the customer responsibility that should be properly leveraged to reduce risk and enhance security when using Authzed services: