Technical and Organizational Measures


SECURITY STATEMENT

At PowerToFly, we are committed to protecting the confidentiality, integrity, and availability of our information systems and our customers’ data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.

Here, we provide an overview of some of the security controls in place to protect your data.

You can reach our security team at security@powertofly.com.


CLOUD SECURITY

Facilities
PowerToFly uses infrastructure from Amazon AWS for data center hosting. Our provider's data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and 2 compliant.

Our provider employs robust controls to protect the availability and security of its systems, including backup power, fire detection and suppression equipment, and secure device destruction, among others. Learn more about Data Center Controls at AWS.

On-Site Security
AWS implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology, and more. Learn more about AWS Physical Security.


NETWORK SECURITY

In-house Security Team
PowerToFly has a dedicated security team across the globe to respond to security alerts and events.

Third-Party Penetration Tests
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation.

Threat Detection
PowerToFly leverages threat detection services within AWS to continuously monitor for malicious and unauthorized activity.

Vulnerability Scanning
We perform regular internal vulnerability scans of our infrastructure. Where issues are identified, they are tracked until remediation.

DDoS Mitigation
PowerToFly uses a number of layered DDoS protection strategies and tools to mitigate DDoS threats. We utilize the AWS CDN with built-in DoS protection as well as native tools and application-specific mitigation techniques.

Access Control
Access is limited by following the least privilege model required for our staff to carry out their jobs. This is subject to frequent internal audit, technical enforcement, and monitoring to ensure compliance.


ENCRYPTION

In Transit
All public-facing communications with PowerToFly use TLS 1.2 or later. We monitor community testing and research in this area and continue to adopt best practices in cipher adoption and TLS configuration. We maintain an A+ rating from Qualys SSL Labs.

At Rest
PowerToFly data is encrypted at rest with industry-standard AES-256 encryption. By default, we encrypt at the storage level.


AVAILABILITY & CONTINUITY

Uptime
PowerToFly is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are incorporated into our release and testing cycle.

Disaster Recovery
In the event of a major region outage, PowerToFly has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures the availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.

DR deployment is managed by the same configuration management and release processes as our production environment, ensuring that all security configurations and controls are applied appropriately.


APPLICATION SECURITY

Quality Assurance
PowerToFly’s Quality Assurance team reviews and tests the codebase. The security team has resources to investigate and recommend remediation of security vulnerabilities within the code.

Environment Segregation
Testing, staging, and production environments are logically separated from one another.


PERSONNEL SECURITY

Security Awareness
PowerToFly delivers a robust Security Awareness Training program, which new hires complete within 30 days of joining and all employees complete annually.

Information Security Program
PowerToFly has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors, and acknowledgement is tracked on key policies such as Acceptable Use, Information Security Policy, and our Team Handbook.

Employee Background Checks
All PowerToFly employees undergo a background check prior to employment, which covers 5 years of criminal history where legal and 5 years of employment verification.

Confidentiality Agreements
All employees are required to sign Non-Disclosure and Confidentiality agreements.

Access Controls
Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology, and all permissions require documented business need. Exceptions identified during the verification process are remediated. Business need revalidation is frequently performed to determine that access is commensurate with the users' job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.


DATA PRIVACY

GDPR
PowerToFly maintains compliance with the European Union’s General Data Protection Regulation (GDPR). We use the E.U. Commission approved standard contractual clauses for data transfer from the EEA to the United States.

PCI-DSS
As a card-not-present merchant, PowerToFly outsources our cardholder functions to a PCI-DSS Level 1 service provider. PowerToFly does not store credit card details.

Privacy Policy
PowerToFly’s privacy policy, which describes how we handle data input into PowerToFly, can be found at /about/privacy-policy. For privacy questions or concerns, please contact privacy@powertofly.com.

SOC-2
PowerToFly maintains SOC 2 Type II-level controls and aligns with industry-standard security practices to ensure the confidentiality, integrity, and availability of customer data.


THIRD PARTY SECURITY

Vendor Management
PowerToFly understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.


THIRD PARTY SUB PROCESSORS

PowerToFly uses third-party sub-processors to provide core infrastructure and services that support the application. Prior to engaging any third party, PowerToFly evaluates the vendor's security as per our Vendor Management Policy. PowerToFly uses the following sub-processors:

Infrastructure Sub-processors
PowerToFly uses the following sub-processors to host customer data or provide other infrastructure that helps with the delivery of our services:

Entity Name                | Subprocessing Activities | Location
Amazon Web Services, Inc.  | Cloud Service Provider   | US

Other Sub-processors
PowerToFly uses the following sub-processors to perform other service functions:

Entity Name                      | Subprocessing Activities                                      | Location
Datadog, Inc.                    | Log Aggregation & Analysis                                    | US
Google, LLC.                     | Analytics, collaboration, communication, and document storage | US
Hevo Data Inc.                   | End-to-end data pipeline platform                             | US
HubSpot, Inc.                    | Sales / Marketing Platform                                    | US
Salesforce, Inc.                 | Organizer Sales CRM                                           | EU
Sigma Computing, Inc.            | Data Analytics                                                | US
Snowflake, Inc.                  | Data analytics                                                | US
Stripe, Inc.                     | Payment Processing                                            | EU, US
Talend, Inc. (Stitch Data)       | End-to-end data pipeline platform                             | US
Textkernel US LLC d.b.a. Sovren  | Resume Parsing Software                                       | US
Totango, Inc.                    | Customer Success Software                                     | US