Security Policy

Audit and certification:

Vmaker works with independent third party firms to conform to security practices that consistently meet industry best standards. We are an ISO 27001:2013 certified company. Vmaker is willing to share the ISO certification upon reasonable request by clients.

Vmaker uses the payment processing platform Stripe. For more information on Stripe’s security practices, please see https://stripe.com/docs/security/stripe.

Privacy Framework:

Vmaker makes sure its processes and procedures are compliant with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). To know more details please visit our Privacy Policy here.

Vulnerability Testing:

Vmaker follows a structured code development and release process. As part of this process, all code is peer reviewed. Vmaker makes purpose-built code analysis tools available for engineers to deploy against application code. Vmaker also performs continuous post-production tests based on real-time threats. Vmaker conducts rigorous internal continuous testing of its application surface through various types of penetration test exercises. In addition, Vmaker coordinates external 3rd party penetration testing using qualified and certified penetration testers.

Regular penetration testing and security scans:

Vmaker Backend is regularly scanned with industry-standard scanning tools for monitoring and detecting vulnerabilities. In addition, once a year, we perform a thorough and detailed penetration testing using third party penetration testing companies.

Security Training for Vmaker Team:

All members of our team go through a Security awareness training for increased security awareness on a regular basis.

Data Encryption:

Data in transit and at rest is encrypted. We are using AWS KMS (Key Management Service) for all our keys. The data connection to our application is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM). We use the SSL certificate signed by GoDaddy. All symmetric key encryption commands used within the HSA use the Advanced Encryption Standards (AES), in Galois Counter Mode (GCM) using 256- bit keys. The analogous calls to decrypt use the inverse function.Amazon EC2 EBS volume is encrypted using AES- 256-XTS. This requires two 256-bit volume keys, which is like a 512-bit volume key. The volume key is encrypted under a Customer Master Key and stored along with volume metadata.

Training / Awareness:

Vmaker has a formal and documented security awareness training program during the on-boarding process and other training, which happens once every six months.

Incident Response and Reporting System:

Vmaker has a documented and formal incident response plan. Vmaker performs annual testing of its emergency response processes. Our employees are trained in how to communicate incidents internally and our customers are kept informed of incidents that affect their service via e-mail. Vmaker has a well defined and rigorous incident management process for security events. If an incident involves customer data, Vmaker will inform the customer and support investigative efforts via our support team within 72 hours. After a security event is fixed we record a detailed root-cause analysis. This is then assimilated by Vmaker such that we can detect any actions in the future. Vmaker can support properly formed requests for specific tenant data when requested by law enforcement. Individual customers get notified should an incident impact their data.

Build Process Automation:

Vmaker has an established automation process that enables us to seamlessly deploy changes to the Vmaker application and platform. This enables us to address security issues as soon as possible.

Vmaker Infrastructure:

Vmaker operates on Amazon Web Services (“AWS”); All our scoped data and systems are hosted on AWS. So, AWS Infrastructure and its Network Security will be taken care of by AWS as detailed in the AWS SOC2 report. In addition, Vmaker's cloud security team periodically monitors and reviews the scoped environment's network configuration and security.

Vmaker services and data are hosted on Amazon Web Services (AWS) (us-west-2 and us-east-1). Vmaker customer data is stored in multi-tenant datastores. We exercise stringent privacy controls in making sure that one particular data is secluded from other customer data. Vmaker conducts integration tests in place to check our privacy controls. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production. Each Vmaker system used to process customer data is adequately configured and pathed using commercially-reasonable methods according to industry-recognized system-hardening standards and security practice.

Transfer of Data:

Vmaker data is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests. Vmaker uses strong cipher suites and has features such as HSTS and Perfect Forward Secrecy fully enabled. Vmaker also encrypts data at rest using an industry-standard AES-256 encryption algorithm.

Authentication:

Vmaker believes in the Zero Trustnetwork security model, based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, it protects those applications and users from advanced threats on the internet. Vmaker has a Zero Trust security model in place. Vmaker offers no additional privileges or corporate resources from being on the Vmaker network. Vmaker has established two-factor authentication (2FA) and strong password policies on GitHub, Google, AWS, and Intercom to ensure access to cloud services are protected.

Permissions and Admin Controls:

Vmaker enables permission levels to be set for any employee with access to Vmaker Scoped Systems. Permissions and access can be set to include app settings, billing, and user data.

Monitored Application:

Vmaker makes sure that every action on the Vmaker network is logged and audited. Production control activities are logged as well.