At FacilityBot, we understand the importance of safeguarding your facility data. We have implemented many cybersecurity measures, from minimizing data collection to implementing industry-leading practices.
(please also refer to https://facilitybot.co/resources/security-status)
Personal Data Minimization:
- FacilityBot stores only the essential personal data required for functionality, typically just names and messaging platform IDs.
- A detailed privacy policy outlines how your data is handled (available at https://blog.facilitybot.co/privacy-policy/).
Secure Infrastructure and Hosting:
- FacilityBot is hosted on Amazon Web Services (AWS), leveraging their comprehensive security infrastructure and certifications like ISO, CSA Star, and SOC compliance.
- Physical security for our data centers is handled by AWS, adhering to rigorous industry standards (more details available at https://aws.amazon.com/compliance/data-center/controls/).
- We utilize Virtual Private Cloud (VPC) subnets for additional data storage security.
Encryption Throughout:
- Data at rest (on servers) and in transit (between users and servers) is encrypted using industry-standard protocols, safeguarding it from unauthorized access.
Continuous Monitoring and Protection:
- We employ a Web Application Firewall (WAF), Intrusion Detection System (IDS), and regular vulnerability assessments to proactively detect and mitigate potential threats.
- Our systems are continuously monitored for anomalies using AWS Cloudwatch.
- Disaster recovery plans with a Recovery Time Objective (RTO) of 99.9% annual uptime (or less than 8.77 hours downtime per year) and a Recovery Point Objective (RPO) of 2 hours ensure swift response and data recovery in case of emergencies.
Secure Development Practices:
- Our Software Development Lifecycle (SDLC) incorporates rigorous security controls.
- Developers adhere to secure coding practices.
- Code undergoes regular internal and external security scans before deployment.
- All developers undergo mandatory OWASP Top 10 awareness training.
Access Control
- Two-factor authentication strengthens login security.
- Role-based access control ensures data is displayed to the correct users
- Password Unique accounts and passwords are required for all users. Passwords are kept confidential and not shared with multiple users. All passwords must contain alphabets, numbers, special characters, and at least 8 characters.
- Auto log-out occurs after 60 minutes of no activity.
- Multiple failed login attempts will trigger a temporary login ban.
- Single sign-on is supported via OAuth and SAML.
Additional Security Measures:
- AWS Shield provides anti-DDoS protection.
- Server access is restricted to the senior engineering team, with mandatory 2-factor authentication and VPN connections for SSH access.
- FacilityBot’s infrastructure is deployed on hardened OS images with unnecessary ports disabled and default passwords removed.
- Separate testing environments ensure production user data remains secure.
- Logging and monitoring are implemented using Kibana, Elasticsearch, and Logstash for comprehensive transaction and system analysis.
- Our domain, facilitybot.co, is configured with SPF, DKIM, and DMARC to protect against email spoofing.
By taking a comprehensive approach to cybersecurity, FacilityBot provides you with the comfort that your data is protected while you focus on managing your facilities efficiently.