Blitzz provides Software as a Service (SaaS) product to millions of users worldwide to solve their business problems. We comply with the security and privacy requirements of the industry. This page covers topics like data security, operational security, and physical security to explain how we offer security to our customers.
TABLE OF CONTENTS
- Organizational security
- Physical security
- Infrastructure security
- Data security
- Identity and Access control
- Operational security
- Incident Management
- Vendor and Third-party supplier management
- Web App: All access to the Blitzz app (e.g. Reports, Agent portal, Admin portal) is secured over TLS (HTTPS), ensuring the information is encrypted. We force HTTPS on all connections, so data in-transit is encrypted with TLS.
- Video Call: Point-to-point NIST-approved AES 128 bit encryption is used for all video & audio communication
- Data: Full volume encryption and 256-bit AES encrypted keys used on data stored at rest
- Servers: Host all servers in the US (unless you request a different data region), in data centers that are SOC 1, SOC 2 and ISO 27001 certified. Our data centers have round-the-clock security, fully redundant power systems, two-factor authentication and physical audit logs.
- PII: Personally identifiable information PII (and PHI - patient health information) is not stored, as a result, this data cannot be stolen from Blitzz servers.
- Monitoring: OSSEC intrusion detection, file integrity monitoring, log monitoring, root check, and process monitoring
- Assessments: Annual risk assessments conducted.
- Auditing: Auditing, logging, backup, and disaster recovery policies and procedures in place to maintain detailed audit logs of all internal systems.
Technical and Physical Security Controls
- All Blitzz data is stored within the highly secure Microsoft Azure datacenter infrastructure with their industry-standard physical controls. The Blitzz support system, help center, and public-facing website are independently stored to ensure uptime and availability across the platform. For a list of all current security accreditations, see the Azure trust portal: https://servicetrust.microsoft.com/.
- Only a select few senior administrators and developers have access to the servers where data is stored and code has to be approved by multiple parts and pass automated tests before deployment. We go to great lengths to ensure the right balance between support and secure infrastructure. Employees are only allowed access to provider-level data on a need-to-know basis in order to fulfill job functions.
- During the provider sign up process, Blitzz will provide immediate feedback on password strength to require strong passwords. See our strong password policy.
- All provider passwords are stored using one-way cryptographic hashing functions so even Blitzz staff and developers can't see or abuse provider passwords. Guest users don't have an account.
- Enterprise users may use their own IdP using SAML integration with Blitzz
Your responsibility to maintain security
To comply with GDPR and privacy laws, you also have some responsibilities while using Blitzz:
- Do not share your login email and password
- Keep your browser, operating system, and software up to date
- Install and utilize antivirus and firewall programs
We have an Information Security Management System (ISMS) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.
Employee background checks
Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.
Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security, that they may require based on their roles.
We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
Dedicated security and privacy teams
We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.
Internal audit and compliance
We have a dedicated compliance team to review procedures and policies in Blitzz to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.
All workstations issued to Blitzz employees run up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and be tracked, and monitored by Blitzz' endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
At the workplace (Office)
We control access to our resources (buildings, infrastructure, and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access keys that only allow access strictly specific to the purpose of their entrance into the premises. Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.
At Data Centers
Blitzz has partnered with Microsoft Azure for Cloud Infracture to store and process all data. At our Data Centers, MS Azure takes the responsibility for the building, cooling, power, and physical security. Access to the Data Centers is restricted to a small group of authorized personnel. Any other access is raised as a ticket and allowed only after the approval of respective managers. Additional two-factor authentication and biometric authentication are required to enter the premises. Access logs, activity records, and camera footage are available in case an incident occurs. More details: https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Blitzz' production infrastructure.
We monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall. Additionally, these changes are reviewed every three months to update and revise the rules. Our dedicated Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our proprietary tool and notifications are triggered in any instance of abnormal or suspicious activities in our production environment.
All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Blitzz services will still be available to them.
Learn more about disaster recovery here.
We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.
All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.
Intrusion detection and prevention
Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, we have our proprietary WAF which operates on both whitelist and blacklist rules.
Secure by design
Every change and a new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as a screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection, Cross-site scripting, and application layer DOS attacks.
Custom Storage for Data isolation
Our framework distributes and maintains the cloud space for our customers by allowing customers to use their own storage endpoints on AWS or Azure (learn more). This ensures that no customer's media data becomes accessible to another customer. This also ensures your data is owned by you, and not by Blitzz. We do not share this data with any third-party.
At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.
In Transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, and our mobile apps. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally for email, our services leverages opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
We have enabled HTTP Strict Transport Security header (HSTS) to all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site.
Data retention and disposal
Please refer to this article on data storage and duration based on your plan.
Identity and Access control
Single Sign-On (SSO)
Blizz offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. We also support SAML for single sign-on that makes it possible for customers to integrate their company's identity provider like LDAP, ADFS when they login to Blitzz.
SSO simplifies the login process, ensures compliance, provides effective access control and reporting, and reduces the risk of password fatigue, and hence weak passwords.
MFA provides an extra layer of security by demanding an additional verification that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user’s password is compromised. You can configure multi-factor authentication using SSO. Based on your configuration, different modes like biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP can be supported. We can also support Yubikey Hardware Security Key for multi-factor authentication.
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.
Logging and Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, manage access control centrally, and ensure availability.
We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, our security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.
Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.
Disaster recovery and business continuity
Refer to our Disaster recovery and business continuity article for more details.
We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire, and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent the recurrence of similar situations.
We respond to the security or privacy incidents you report to us through email@example.com, with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organisation administrator registered with us).
We notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. Our Information Security Office is responsible for internally coordinating with the relevant internal teams to ensure that the customers are reported about the incident/breach with any undue delay.
Vendor and Third-party supplier management
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering us service and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of their controls.
The security of your data is your right and a never-ending mission of Blitzz. We will continue to work hard to keep your data secure like we always have. For any further questions on this topic, please write to us at firstname.lastname@example.org.