We are committed to provide a secured service that meets the highest industry standards and certifications.
We provide a reliable and resilient Software-as-a-Service platform that has been designed from ground up based on the field's best practices. The below addresses the network and hardware, infrastructure, software, and information security elements that Salto delivers as part of this platform. Access to system resources is protected through a combination of enforcement points, remote connections, a native operating system security, database management system security, application controls, and intrusion detection monitoring software.
Salto has successfully completed a SOC 2 Type II audit, providing our customers assurance regarding our security controls and the systems used to store and process users’ data, and the confidentiality and privacy of the information processed by these systems.
You can find more information about the SOC certifications here. A copy of Salto’s most recent report is available upon request from your Account Manager.
Salto relies on AWS global infrastructure, including the facilities, network, hardware, and operational software (e.g, host OS, virtualization software, etc.) that support the provisioning and use of basic computing resources and storage. This infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards: FedRAMP, HIPAA, ISO 27001:2013, AICPA SOC 1, SOC 2, SOC 3, PCI DSS, and more. Additional information regarding AWS Cloud security can be found here.
Access Control - Salto’s cloud platform resides in highly secure data centers that utilize state-of-the-art electronic surveillance and multi-factor access control systems. The data centers are staffed around the clock by trained security guards, and access is authorized strictly on a least privileged basis.
End-to-End Network Isolation – Our application's network utilizes AWS's Virtual Private Cloud (VPC) technology, which is designed to be logically separated and thus inaccessible from other cloud customers to prevent data within the cloud from being intercepted.
External & Internal Enforcement Points – Network security is protected through a combination of enforcement points, remote connections, native operating system security, database management system security, and application controls. All servers are protected by restricted security groups, allowing only minimal required communication to and from the servers and the database, based on the principle of Least Privilege. The configuration of AWS Security Groups is restricted to authorized personnel.
Server Hardening – All servers are hardened according to industry best practices.
Intrusion Detection – Monitoring tools are implemented to detect unusual or unauthorized activities, and conditions at ingress and egress points. These tools monitor server and network usage, port scanning activities, application usage and unauthorized intrusion attempts.
Distributed Denial of Service (DDoS) Protection – Security monitoring tools help identify several types of distributed denial of service (DDoS) attacks, including distributed, flooding, and software/logic attacks. When DDoS attacks are identified, the AWS incident response is initiated. AWS provides always-on detection and automatic inline mitigations that minimize application downtime and latency. In case of a DDoS attack, an incident notification is sent to the designated group.
Penetration Tests – The Salto Application is subjected to annual penetration tests in order to determine that customers, groups of individuals, or other entities only have access to their own confidential information. The penetration test is performed by a third-party information security consultancy group. If needed, we can generate and share the annual report of the Penetration Tests’ results. Any critical and high-risk security vulnerabilities are mitigated as soon as possible and after each penetration test.
Access Control - Access to Salto’s services is through an identity-protected web application with full SSL security. Only authorized members of a specific customer have access to the customer’s data. Customer administrators can disable access for users at any time.
Data Encryption - Salto ensures the security and privacy of user information by encrypting data on all servers at rest and in transit. Our systems are designed to ensure data is protected at all times.
- In Transit - All traffic between the customer’s browser and the Salto platform is encrypted through TLS1.3 enabled by the most secure algorithms. We regularly and automatically verify and renew our security certificates and encryption algorithms to keep your data safe
- At Rest - All at-rest sensitive data is encrypted. We use the industry-standard encryption of AES256 at the storage level.
Vulnerability tests are performed to the production environment, infrastructure and network on at least a quarterly basis to detect potential security breaches. Web application architecture and implementation follow OWASP guidelines. Vulnerability scans are performed on all the code using a dedicated tool in order to identify issues. A vulnerability scan is part of the SDLC pipeline.
Salto employs a login system and an authorization mechanism based on industry best practices. A validation process is performed through encrypted identifiers to ensure that only authorized users gain access to the specific data during each user request. The process is validated annually by third-party security consultants.
Identity and Access Management (IAM) - access to the production environment is restricted to authorized personnel based on job function and by using the principle of Least Privilege. Salto uses AWS IAM and SSO services to control user-access privileges and to interact with the cloud platform.
Password Policy - Strong password configuration settings, where applicable, are enabled in all of our backend systems, application, and database. These include: (a) forced password change at defined intervals, (b) a minimum password length and (c) password complexity. As an additional layer of security, multi-factor authentication (MFA) is enforced.
Recertification of Access Permissions - Salto has implemented a recertification process to help ensure that only authorized personnel has access to the systems, environments, and databases.
Configuration and Patch Management - Salto employs centrally managed configuration management systems, including infrastructure-as-code systems, through which predefined configurations are enforced on its servers, as well as the desired patch levels of the various software components.
Security Incident Response Management - Whenever a security incident of a physical or electronic nature is suspected or confirmed, Salto's engineers are instructed to follow appropriate procedures detailed in the Security Incident Response Policy. Customers and legal authorities will be notified as required by privacy regulations.
In order to ensure our employees are aligned with the security practices and aware of their responsibilities, Salto conducts information security awareness campaigns. Our engineering teams keep their security best practices up to date and have online and in-person training about best practices and new threats in the cybersecurity world, as well as in the specific context of the business applications that we interact with.
Salto runs continuous monitoring on all of our outfacing and internal applications within Salto's platform. We provide 24/7 monitoring of all of our assets, including the web servers, API servers and more.
System and Application Log Collection - All system access and customer access are logged and tracked for internal auditing purposes and can be reviewed in case of an incident.
Physical access to the offices is restricted to authorized personnel using ID Chip. The access is available to Salto’s employees only. Visitors at the offices are accompanied by Salto’s employees while on the premises.
Can be found here
If you find a security issue on our platform or website, please let us know about it by sending an immediate email to [email protected]
If you have any further questions please contact [email protected]
Updated 6 months ago