Security is our top priority
We understand the importance of protecting your data and are committed to ensuring confidentiality and privacy.
Data is encrypted, storage is secure, and access is strictly controlled.
The following guide highlights Anduin’s industry-standard security features.
Anduin’s infrastructure and applications are architected to achieve a high level of business continuity, which includes disaster recovery (DR) and high availability (HA).
Our DR solutions provide fully automated failover to a backup system so that our services can continue to operate without disruption. Customers’ data are continuously replicated across different availability zones on Amazon AWS cloud. In addition, all databases and document storage systems are backed up throughout the day.
Our HA solutions aim at offering 99.9% uptime. We employ a multi-layered approach application resilience to user errors and infrastructure failures, data resilience to corruption, and infrastructure resilience to environmental failures (e.g. machine down, network disconnection, etc.).
Anduin enforces a strong authentication flow from user logins to every single API request: our servers verify if users are who they claim to be.
We offer industry standards to achieve this goal:
- 2-Factor authentication
- Strong password policy by default
- All password are hashed using PBKDF2 algorithm
- One-Time Password (OTP): secure random OTP and TOTP based on RFC 6238
- Idle authenticated sessions are timed out
- Standard authentication protocols for integration with Identity Providers: OpenId Connect (OIDC), OAuth 2.0, and SAML 2.0
- JWT tokens to protect authentication data in transit
- Encryption to protect authentication data at rest.
As a multi-tenant platform, our system enforces a strict authorization flow to all data access points: users are restricted from accessing data when they don’t have the rights to do so.
- Role-based access control
Access rights are determined by a well-defined system of roles, for example, deal owner, deal participant, data room owner, and data room participant. This approach balances offering users flexible control of access rights to their data assets, while allowing strong enforcement of data accessing.
- Pre-authorized access tokens for no login views
Our platform utilizes pre-authorized access tokens for secure and predefined actions, e.g., to e-sign, complete a task, or view a report, without logging in.
All data transmitted to the Anduin system from clients is encrypted using HTTPS and TLS version 1.2 and above. Our user data and critical infrastructure configurations are encrypted using AES-256, block-level storage encryption. All encryption keys are protected by an industry-grade secret vault. The vault is protected by a two-man integrity policy.
Protection of Customer Data
Enterprise network security
Anduin servers are protected behind firewalls to control both internal and external traffic. Our systems use multiple virtual networks for isolation and protection between different modules. We conduct regular network penetration testing to proactively detect potential threats.
Internal data access
Anduin may access customer data only for the purpose of providing a service, preventing or addressing technical problems, at a customer’s request in connection with customer support matters, or as may be required by law.
At Anduin we maintain the principle of least privilege for all customer data. Employees are given access only to data that is a minimum requirement to perform those operations. Where necessary, personal data are pseudonymized to protect data confidentiality.
Data access controls (such as separation of duties) are designed to prevent personnel from mishandling data.
These access controls are continually reviewed and updated, as necessary.
Monitoring, alert, and response
At Anduin, we maintain up-to-date operating systems across our network. Verified security patches are deployed as they’re released. We continuously monitor for both malicious and accidental incidents.
Anduin uses industry-standard encryption for SMTP communication channels through TLS. We enforce the legitimacy of the TLS certificates for email exchange.
All actions in the system are logged in an immutable audit trail accessible to system administrators. Anduin provides a suite of tools to search, filter, and report on these actions.
Secure Code Practice
Anduin develops its product with a continuous application deployment model. In this model, all code must be reviewed by qualified Anduin engineers before it is merged into the main-line branch and deployed to production. Additionally, automated tools are used to continuously analyze the code-base for vulnerable dependencies, unsafe coding practices, and inadvertent inclusions of sensitive data before being deployed to production.
- Anduin is compliant with the following:
- SOC 2 Type II
- The Uniform Electronic Transactions Act
- The U.S. ESIGN Act of 2000
- eiDAS Advanced Electronic Signature (EU Regulation 910/2014 - Advanced Level)
- Write Once Read Many Archiving (WORM)
- EU General Data Protection Regulation (GDPR) compliance
- California Consumer Privacy Act (CCPA) compliance
For more information, email: firstname.lastname@example.org
Anduin would like to extend special thanks to all personnel that have contributed to the security of our platform. See our Hall of Fame