Security
The privacy and security of your data is our top priority.
Overview
With digital adoption and transformation happening all around us, and with the increasing pace of data consumption and the need for data availability on the go, it is essential that you have access to your data in an organized manner. Needl.ai provides its users with:
(a) secure cloud data storage;
(b) a personal search engine;
(c) a security and privacy-by-design architecture.
While data accessibility on the go is a primary requirement for many users, data security and privacy by design are critical needs, especially for working professionals.
At the core of the Needl.ai solution is:
•
Our security and privacy-by-design architecture.
•
A comprehensive security program.
•
A multilayered approach to security.
Needl.ai is a solution whose architecture is designed with the primary goal of making organized data available to users while ensuring data security and privacy by design.
This whitepaper describes Needl.ai's product security features, operational security measures, security and privacy-by-design architecture, independent certifications, and regulatory compliance measures in a straightforward manner, so that you can see how Needl.ai provides you with a reliable data solution.
Certification
ISO/IEC 27001:2013 Certification
Needl.ai is certified to ISO/IEC 27001:2013. The certification covers Needl.ai's Information Security Management System (ISMS), which protects information security across its business operations: the collation, analysis, and presentation of data from public and private sources into a personal cloud vault specified by the client, as designed, developed, and administered by Needl.ai.
SOC 2, Type 2 Certification
This attestation provides reasonable assurance that Needl.ai's service commitments and system requirements are achieved based on the trust services criteria relevant to Security, Availability, Confidentiality, Privacy, and Processing Integrity, as outlined in TSP section 100, 2017 Trust Services Criteria (AICPA).
Needl.ai infrastructure
Physical access control and logical access control
Access to Needl.ai's infrastructure falls into two categories: physical access and logical access. Physical access to Needl.ai resources is managed by AWS (a sub-service organization); logical access is managed by Needl.ai.
•
Physical Access: Managed by AWS, which controls physical entry to the data centers that host Needl.ai resources.
•
Logical Access: Controls designed, implemented, and operated by Needl.ai to achieve its business objectives.
Needl.ai uses AWS for IaaS, PaaS, and DaaS. The Needl.ai application, as well as your data, is securely hosted behind AWS's robust infrastructure.
Access Management
•
Role-Based Security Architecture: Needl.ai uses a role-based security architecture, requiring users to be identified and authenticated before accessing system resources.
•
Least Privilege Principle: Needl.ai adheres to the principle of least privilege, granting each role the minimum level of access it requires.
Resources are protected through the use of native system security and add-on software products that:
•
Identify and authenticate users.
•
Validate access requests against the users’ authorized roles in access control lists.
All resources are managed in the asset inventory system, and each asset is assigned an owner. Owners are responsible for approving access to the resource and performing periodic reviews of access by role.
Infrastructure Configuration
When configuring its infrastructure on AWS, Needl.ai has implemented a three-layer architecture: a public network layer, an application layer, and a data layer.
Each of these layers comprises technical configurations that support the Needl.ai application, data security, and data privacy by design.
Public Network Layer
This is the outer, internet-facing layer of AWS infrastructure. This network layer is built with the following resources:
•
AWS API Gateway: Exposes the Needl.ai application's APIs to the internet and forwards requests to the backend services.
•
AWS Cognito: Manages user identification and authentication at login, so that each user can reach only the data they are authorized to access.
•
AWS CloudFront: Delivers content to users from edge locations close to them, reducing latency.
•
AWS ECR: Stores the Needl.ai application as container images and replicates them across multiple regions to reduce pull time; the images are run on AWS Fargate.
Application Layer
This layer hosts the Needl.ai application and security features required to provide Needl.ai services. This network layer is built with the following resources:
•
AWS Security Groups: Act as a stateful virtual firewall at the instance (network interface) level, controlling inbound and outbound traffic for each instance.
•
AWS Fargate: Allocates the right amount of computing infrastructure to run Needl.ai services, ensuring required resources are always available.
•
AWS Lambda: Runs Needl.ai application components as serverless functions.
•
AWS VPC: Provides network isolation. User data is stored within private subnets of the VPC (virtual private cloud), which have no direct route from the internet.
Data Layer
The Data Layer hosts user data, stored using server-side encryption (encryption at rest). This layer is built with the following resources:
•
AWS RDS: Stores user account information.
•
Amazon Elasticsearch Service: Indexes user data, enabling quick searches.
•
AWS S3: Stores user data, information, files, and folders.
Encryption
•
External Communications: All external communications with users are authenticated based on the session login. Data in transit is encrypted using TLS 1.3.
•
TLS Encryption: Communication between the user and the Needl.ai hosted service is encrypted via TLS.
•
Encryption Standard: Data uploaded by users to the Needl.ai application is encrypted at rest with AES-256 (256-bit Advanced Encryption Standard) using server-side encryption.
•
Data Storage: User data is stored within a private subnet of the VPC (virtual private cloud).
•
Secure Authentication: Secure authentication and encryption algorithms are used for users connecting to Needl.ai VPC.
•
Data Redundancy: User data is replicated across multiple AWS Availability Zones.
The encryption keys are managed in AWS Key Management Service (KMS).
Access management
Secure access management for users is provided through AWS Cognito. Users are required to use two-factor authentication to access the Needl.ai application. A formally documented Information Classification and Handling Policy details how data is classified according to its criticality and sensitivity.
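The three-layer architecture, the encryption section, and the Cognito MFA requirement above all describe settings that can be read back from AWS and verified. The following script is an added example, not Needl.ai's code: it audits constructed AWS API response documents against those properties (SSE-KMS as the S3 bucket default with a named key, security-group ingress from the internet limited to HTTPS, Cognito MFA set to required with a TOTP factor, and a CloudFront viewer policy that refuses TLS 1.0/1.1). The bucket name, group IDs, key ARN and account ID are placeholders; each document mirrors the JSON shape of the AWS CLI call named in its comment, and in practice you would replace it with `json.load()` of that call's real output.

```python
import ipaddress

# aws s3api get-bucket-encryption --bucket <name>   (constructed sample)
BUCKET_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    "BucketKeyEnabled": True}]}}

# aws ec2 describe-security-groups   (constructed sample, two groups; IDs are placeholders)
SECURITY_GROUPS = [
    {"GroupId": "sg-public-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

# aws cognito-idp get-user-pool-mfa-config --user-pool-id <id>   (constructed sample)
USER_POOL_MFA = {"SoftwareTokenMfaConfiguration": {"Enabled": True}, "MfaConfiguration": "ON"}

# aws cloudfront get-distribution-config --id <id>   (constructed sample, trimmed to ViewerCertificate)
DISTRIBUTION = {"DistributionConfig": {"ViewerCertificate": {
    "CloudFrontDefaultCertificate": False, "MinimumProtocolVersion": "TLSv1.2_2021"}}}


def check_bucket_encryption(doc):
    """SSE-KMS must be the bucket default, with an explicit KMS key.
    SSE-S3 ("AES256") is also AES-256, but its keys live in S3, not in KMS."""
    rules = doc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption rule"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append(f"default SSE is {default.get('SSEAlgorithm')!r}, not aws:kms")
        elif not default.get("KMSMasterKeyID"):
            findings.append("aws:kms without a named key (AWS-managed key in use)")
    return findings


def _world_open(perm):
    """True if any IPv4/IPv6 range on the rule is a /0, i.e. the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def check_security_group(sg, public_ports=frozenset({443})):
    """Internet-facing ingress is allowed only on public_ports; an 'all traffic'
    rule (IpProtocol -1) from a /0 is always a finding. Security groups deny by
    default, so only explicit allow rules need inspecting."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not _world_open(perm):
            continue
        if perm.get("IpProtocol") == "-1":
            findings.append(f"{sg['GroupId']}: all traffic open to the internet")
            continue
        ports = set(range(perm["FromPort"], perm["ToPort"] + 1))
        if not ports <= public_ports:
            findings.append(f"{sg['GroupId']}: {perm['IpProtocol']} "
                            f"{perm['FromPort']}-{perm['ToPort']} open to the internet")
    return findings


def check_user_pool_mfa(doc):
    """Cognito MFA must be ON (required for every user), with a TOTP factor enabled."""
    findings = []
    if doc.get("MfaConfiguration") != "ON":
        findings.append(f"MFA is {doc.get('MfaConfiguration')!r}, expected 'ON'")
    if not doc.get("SoftwareTokenMfaConfiguration", {}).get("Enabled"):
        findings.append("software-token (TOTP) MFA not enabled")
    return findings


def check_viewer_tls(doc):
    """TLSv1.2_2021 is the strictest viewer policy CloudFront offers: it rejects
    TLS 1.0/1.1 and negotiates TLS 1.3 with capable clients. The default
    *.cloudfront.net certificate cannot carry a custom security policy."""
    vc = doc["DistributionConfig"]["ViewerCertificate"]
    findings = []
    if vc.get("CloudFrontDefaultCertificate"):
        findings.append("default CloudFront certificate in use; security policy not enforced")
    if vc.get("MinimumProtocolVersion") != "TLSv1.2_2021":
        findings.append(f"viewer policy {vc.get('MinimumProtocolVersion')!r}, expected TLSv1.2_2021")
    return findings


def audit(bucket=BUCKET_ENCRYPTION, groups=SECURITY_GROUPS, mfa=USER_POOL_MFA, dist=DISTRIBUTION):
    """Run every check; returns {control: [findings]} containing only failing controls."""
    results = {
        "s3-encryption": check_bucket_encryption(bucket),
        "security-groups": [f for sg in groups for f in check_security_group(sg)],
        "cognito-mfa": check_user_pool_mfa(mfa),
        "cloudfront-tls": check_viewer_tls(dist),
    }
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    for control, findings in audit().items():
        for finding in findings:
            print(f"FAIL {control}: {finding}")
```

On the constructed input the only failing control is the second security group, whose SSH rule is open to 0.0.0.0/0; its "all traffic" rule is not flagged because 10.0.0.0/8 is not a /0. Note the CloudFront caveat: the service has no "TLS 1.3 only" viewer policy, so a claim of TLS 1.3 in transit is verified by checking the TLSv1.2_2021 policy and, separately, observing the negotiated version from a client.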
Data Centre & managed service providers
The Needl.ai application and user data are hosted with Amazon Web Services (AWS), a third-party sub-service organization with data centers located in different regions of the United States. While AWS is responsible for physical access to Needl.ai resources, Needl.ai is responsible for logical access to the resources.
•
AWS SOC Reports & Security Controls: AWS (sub-service organization data center) SOC reports and/or vendor security questionnaires and contractual obligations are reviewed annually for security controls.
•
AWS Responsibilities: AWS is responsible for the physical, environmental, and operational security controls at the boundaries of Needl.ai infrastructure.
Needl.ai is responsible for the logical access, network, application, and data security of the Needl.ai application and user data hosted on AWS.
•
Network Security: AWS is responsible for the physical and network security of the AWS services on which the Needl.ai application runs. Inbound and outbound connections pass through AWS's firewall, which is configured in a default deny-all mode.
•
Access Restrictions: Needl.ai restricts access to the environment to a limited number of IP addresses and employees.
Incident response
Needl.ai has incident response policies and procedures in place to guide personnel in reporting and responding to information technology incidents. Procedures exist to:
•
Identify, report, and act upon system security breaches and other incidents.
•
Promptly respond to any alerts related to potential adverse incidents.
•
Understand and analyze the severity of the incident.
•
Execute incident mitigation measures (if required).
•
Communicate with internal and external stakeholders, including notifying affected users and complying with applicable laws and regulations.
•
Keep records and maintain an audit trail for adverse incidents.
The incident response policies and processes are audited as part of our SOC 2 and ISO/IEC 27001 assessments and under other applicable standards.
Business continuity
Needl.ai has established a business continuity process to address how to resume or continue providing services to its users. This process guides Needl.ai as a firm and its employees on how to restore business-critical processes during any adverse event. Business continuity and disaster recovery processes are tested annually.
The processes and policies adopted by Needl.ai for business continuity and disaster recovery are consistent with the guidelines of ISO/IEC 27001:2013 and the SOC 2 trust services criteria.
Internal Security Practices
Needl.ai has established an information security management framework describing the process, purpose, principles, and basic rules for how Needl.ai maintains data security and privacy by design. Needl.ai regularly:
•
Reviews and updates its policies and processes
•
Provides security training
•
Conducts network security testing
•
Performs internal and external risk assessments
•
Policy Reviews: The security policies and processes are reviewed annually.
•
Employee Training: Employees participate in mandatory security training and ongoing security awareness education.
•
Employee Access Management: Employees undergo a background check, sign a security policy acknowledgment and non-disclosure agreement, and receive security training. After completing this process, employees are granted physical and logical access to the Firm's resources. All employees undergo annual security training.
•
Access Control: Access to the Firm's resources is granted based on role configuration and is subject to a multi-factor access management framework. Needl.ai's architecture maintains a complete audit trail of access management and activities.
Vulnerability Management
Needl.ai has implemented a comprehensive vulnerability management program:
•
Annual Vulnerability Assessment:
○
Focuses on defining, identifying, classifying, and prioritizing vulnerabilities.
○
Performed annually for in-scope products.
•
Penetration Testing (PT):
○
Conducted annually by a third party for in-scope products.
○
Results are communicated to the respective product teams for remediation.
○
Vulnerabilities are tracked to closure.
•
Categorization and Communication:
○
Vulnerabilities identified during security testing are categorized based on severity.
○
Communicated to respective teams for initiating corrective actions.
Change Management
Needl.ai has a defined Secure Development Policy, which is reviewed and approved annually by the Head of Engineering. Needl.ai has also defined procedures for initiating, analyzing, testing, approving, and implementing application and infrastructure changes.
•
Annual Policy Review:
○
The Secure Development Policy is reviewed and approved annually by the Head of Engineering.
•
Change Tracking via GitHub:
○
A change ticket is raised in GitHub for every new feature, patch, or bug fix, tracking its status from development to deployment.
•
Security and QA Testing:
○
All changes must undergo security and functional testing before being migrated to the production environment.
•
Approval and Deployment:
○
Product Leads/Managers review and approve the results in GitHub, with deployment managed via CircleCI by the Engineering Lead.
Infrastructure and application changes are required to be recorded in GitHub and approved before performing the change to the production environment.
Privacy
We hold the privacy of your data as a first principle. We are a subscription-based business, and we do not share or sell your data to generate revenue. Needl.ai is the product, not you!
•
Defined Privacy Policy:
○
Needl.ai has a clearly defined Privacy Policy outlining how end-user data is collected, processed, and stored.
•
Transparent Privacy Practices:
○
The policy includes clear communication to users about privacy practices, with prompt updates when changes occur.
•
Data Retention and Deletion:
○
Service data is retained as per the Terms of Service and deleted thereafter. Production logs are kept for 14 days, and AWS admin activity logs for 3 months.
•
Account Deletion:
○
Users can delete their Needl.ai account at any time, leading to the complete purging of all user data with no retention.
•
Access Restrictions and Procedures:
○
Access restrictions ensure only respective end-users have access to their data. Formal procedures guide customer service employees in confirming customer identity and handling data access requests.