We’re conscious that as a privacy tech company the standards for us are exceptionally high, and we strive to both exceed those standards and to be as transparent as possible about our practices so that our customers can make informed decisions about how to manage risk with respect to us. Below are some parts of our privacy and security policies that we want to surface, and we encourage you to reach out to security@phaselab.co with any additional questions or concerns.

Data ownership remains with you

Customer data that we analyze is wholly owned by the customer and never used for any purpose other than providing service to you.

Separation of all customer data at all times

Our application is constructed as a completely single tenant application, from login through API servers through backend systems and databases. This means that users, data, and logs are never mixed across customers, so data cannot be accidentally shared between customers. A breach of one tenant would be isolated from any other tenants.

Secure cloud hosting environment

Our product is hosted in an Amazon Web Services VPC. AWS is ISO27001:2013 certified and an industry leader in data security.

Strong data minimization and the shortest possible data retention policies

At Phaselab we never store raw customer data that we scan — data is never written to disk, including in logs. We set minimal data retention policies and enforce them programmatically.

Encryption in transit and at rest

Our APIs and web applications only support encrypted traffic via modern protocols. Customer data is stored under industry standard encryption at rest using AWS KMS, and encryption keys are rotated annually.

Change management practices

All application, infrastructure, and network changes are controlled by code and technical measures prevent any individual from making changes without those changes being tied to a ticket and without peer review, including security review.

Role-based access control (RBAC)

Our product supports role-based access control. Internally we enforce role-based access control for all systems, and administrator accounts are restricted and only used when needed.

Automated monitoring

We utilize a variety of technologies for automatically monitoring the performance and security of our application and maintain audit logs for all critical systems for at least 6 months.

Login security

We currently only support login to our product via your organization’s identity provider, so that no vector for password-based compromises exists.