Obie Security

Architecture

Security is always front of mind

Obie's cloud security architecture is designed with consideration of a broad range of industry standards and frameworks. Although we haven't gotten official certifications, we know that one day we will, and we are already prepared to pass with flying colors.

Network

Security controls at each layer of the stack

We implement controls at each layer of the stack, dividing our infrastructure by zones, environments, and services.

Zone restrictions include limiting office and platform network traffic. Environment separation limits production and development connectivity. Services must be explicitly authorized to communicate with other services through an authentication whitelist.

We control access to our sensitive networks through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking. All connectivity is encrypted by default.

Staff connectivity requires multi-factor authentication. Access to customer data requires explicit review and approval.

We've also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.

Application

We ensure we're designing in the right controls for cloud threats

During the product planning and design phase, we take time to understand the specific security risks associated with a product or feature. Although we don't yet use a specific threat modeling framework, brainstorm sessions occur often between engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the application development.

Platform-wide Availability and Redundancy

We host with trusted providers

The majority of Obie and his associated resources are hosted with Microsoft Azure, one of the top hosting providers in the world. As we grow, we ensure our improvements to resiliency grow through operational efficiencies, automation, new technologies, and proven practices.

Backups

We have an extensive backup program

Application database backups occur on the following frequencies: daily automated backups are performed and retained for 30 days with support for point in time recovery. All snapshot and backup data is disk encrypted. Backup data is replicated and stored in multiple Azure data centers within the United States. Restore and recovery of these backups will only be provided on our own cloud environment.

Business Continuity and Disaster Recovery

We have comprehensive, tested business continuity and disaster recovery plans

We are determined to not #@!% our customers, and strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

Encryption and Key Management

All data sent between our customers and our applications is encrypted in transit

All data for our services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

All databases are encrypted at rest. Any images/audio/video uploaded are encrypted at rest. We believe we can rely on the physical controls and management at Microsoft Azure, as well as transit-level encryption, to protect customer data.

Product Vulnerability Management

We take innovative approaches to building quality software
We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assistance (as implemented by Atlassian). We focus on instilling a "whole team" mentality to quality. We also are actively working to empower and educate developers to test their own features to our quality standards.

While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process. We hope to launch a bug bounty program in the future.

Access to Customer Data

Access to customer data stored within applications is restricted on a "need to access" basis

Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during their new-hire onboarding process which covers the importance of and best practices for handling customer data.

Within Obie, only authorized employees have access to customer data stored within our applications. Authentication is done via individual passphrases, 2-factor authentication, passphrase-protected public keys, and IP-whitelisting so that our servers only accept incoming connections from the Obie network and internal data center locations.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Physical access to our data centers, where customer data is hosted, is governed by Microsoft Azure and outlined here.

Support Access

Our support teams will only access customer data when necessary to resolve an open ticket
Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Training and Awareness

Our security training and awareness program doesn't just check compliance boxes but results in a genuine uplift in knowledge across the company
Our awareness program is built on the premise that security is everyone's responsibility. Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the new-hire onboarding process, security awareness courses are delivered to these new hires.

Keeping in line with the theme of "continuous improvement", we disseminate security messages through company-wide email messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and publicised threat, and reinforces the importance of following security best practices.

Change Management

We have embraced open source style change management

Traditional change management processes rely on a pyramid-style change control hierarchy. When someone wants to make a change, it has to be presented to a board that either approves or denies it. We have embraced a better way. Each change, whether going into our code or infrastructure, has a requirement to be reviewed by one or more peers to identify any issues the change may cause. We increase the number of reviews based on the criticality of the change or product. We trust our development teams and engineers to identify security issues and performance issues, and to flag the change before we allow it to go through. Relatedly, we use continuous integration tools to identify whether any of the changes, once merged into the main branch, will create issues through our integration, unit, functional or security tests. If there are no issues identified in the build and test phases, the build process was successful and the change is ready for Production. If there are issues, the merge will then be re-evaluated to identify the changes that are causing it.

Employee Hiring

We strive to hire the best

Just like any company, we want to attract and hire the best and the brightest to work for us. We publicly welcome all new hires and challenge them to do the best work of their lives and to seek to change Obie for the better. We want their wealth of talent to make us a better company each day and each week. During recruiting, we perform employment background checks. On acceptance of an offer, we ensure each new hire has a 90-day onboarding plan and access to ongoing training based on their role.

Your Data

All data you enter into Obie remains yours, and the Obie team is committed to ensuring that your data is kept safe and confidential. We do not copy or clone your documents in any way.

Obie does store some data on our servers. He collects answers you store via chatting with him, and in the Dashboard as 'Books' 'Pages' & 'FAQs'. For third-party providers, file metadata such as ID and title is stored. Your authorization tokens for any third parties are also collected, which allow Obie to search, but come with strict restrictions (see Third-Party Applications below).

Third-Party Applications

When connecting Obie to third-party applications (such as Google, Confluence, Dropbox, etc.), he uses their respective APIs and only asks for the lowest available read-only permission-set afforded to him by the provider. These permission sets always have to be explicitly approved by the person connecting Obie.

Third-Party Permissions

The Obie team has taken great care to ensure that users are unable to escalate their permissions on the dashboard, or any third-party platform, by interacting with Obie. He may bring back search results that not everyone on your team can access, but the third-party will verify whether that person has access to the document beyond the title. The third party will often prompt to "request access to the document" if the user does not have permission.