shape-left

Built-in Security

We look at security as an ongoing journey. We continually strive to improve our software development and internal operational processes with the aim of increasing the security of our software and services. Security is built into the fabric of our products and infrastructure. Here are a few ways we build security in as part of the way we work every day.

  • Architecture

    Security is always front of mind

    Obie's cloud security architecture is designed with consideration of a broad range of industry standards and frameworks. Although we haven't gotten official certifications, we know that one day we will, and we are already prepared to pass with flying colors.

    Back to top
  • Network

    Security controls at each layer of the stack

    We implement controls at each layer of the stack, dividing our infrastructure by zones, environments, and services.

    Zone restrictions include limiting office and platform network traffic. Environment separation limits production and development connectivity. Services must be explicitly authorized to communicate with other services through an authentication whitelist.

    We control access to our sensitive networks through the use of virtual private cloud (VPC) routing, firewall rules, and software defined networking. All connectivity is encrypted by default.

    Staff connectivity requires multi-factor authentication. Access to customer data requires explicit review and approval.

    We've also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.

    Back to top
  • Application

    We ensure we're designing in the right controls for cloud threats

    During the product planning and design phase, we take time to understand the specific security risks associated with a product or feature. Although we don't yet use a specific threat modeling framework, brainstorm sessions occur often between engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the application development.

    Back to top

Reliability

We know Obie is a key tool for our clients, and the Obie team uses Obie daily, so we understand the importance of reliability and recoverability.

  • Platform-wide Availability and Redundancy

    We host with trusted providers

    The majority of Obie and his associated resources are hosted with Microsoft Azure, one of the top hosting providers in the world. As we grow, we ensure our improvements to resiliency grow through operational efficiencies, automation, new technologies, and proven practices.

    Back to top
  • Backups

    We have an extensive backup program

    Application database backups occur on the following frequencies: daily automated backups are performed and retained for 30 days with support for point in time recovery. All snapshot and backup data is disk encrypted. Backup data is replicated and stored in multiple Azure data centers within the United States. Restore and recovery of these backups will only be provided on our own cloud environment.

    Back to top
  • Business Continuity and Disaster Recovery

    We have comprehensive, tested business continuity and disaster recovery plans

    We are determined to not #@!% our customers, and strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

    Back to top

Product Security

A common challenge of cloud software is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security. There are a range of security controls we implement to keep Obie and your data safe.

  • Encryption and Key Management

    All data sent between our customers and our applications is encrypted in transit

    All data for our services is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2+ to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

    All databases are encrypted at rest. Any images/audio/video uploaded are encrypted at rest. We believe we can rely on the physical controls and management at Microsoft Azure, as well as transit-level encryption, to protect customer data.

    Back to top
  • Product Vulnerability Management

    We take innovative approaches to building quality software
    We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assistance (as implemented by Atlassian). We focus on instilling a "whole team" mentality to quality. We also are actively working to empower and educate developers to test their own features to our quality standards.

    While we consistently strive to reduce the number of vulnerabilities in our products, we recognize that they are, to an extent, an inevitable part of the development process. We hope to launch a bug bounty program in the future.

    Back to top

Operational Practices

As much as securing our products is a priority, the Obie team also understands the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of "building security in" is the same philosophy we use with our internal processes and influences how our business is conducted.

  • Access to Customer Data

    Access to customer data stored within applications is restricted on a "need to access" basis

    Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during their new-hire onboarding process which covers the importance of and best practices for handling customer data.

    Within Obie, only authorized employees have access to customer data stored within our applications. Authentication is done via individual passphrases, 2-factor authentication, passphrase-protected public keys, and IP-whitelisting so that our servers only accept incoming connections from the Obie network and internal data center locations.

    Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

    Physical access to our data centers, where customer data is hosted, is governed by Microsoft Azure and outlined here.

    Back to top
  • Support Access

    Our support teams will only access customer data when necessary to resolve an open ticket
    Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes. Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

    Back to top
  • Training and Awareness

    Our security training and awareness program doesn't just check compliance boxes but results in a genuine uplift in knowledge across the company
    Our awareness program is built on the premise that security is everyone's responsibility. Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the new-hire onboarding process, security awareness courses are delivered to these new hires.

    Keeping in line with the theme of "continuous improvement", we disseminate security messages through company-wide email messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and publicised threat, and reinforces the importance of following security best practices.

    Back to top
  • Change Management

    We have embraced open source style change management

    Traditional change management processes rely on a pyramid-style change control hierarchy. When someone wants to make a change, it has to be presented to a board that either approves or denies it. We have embraced a better way. Each change, whether going into our code or infrastructure, has a requirement to be reviewed by one or more peers to identify any issues the change may cause. We increase the number of reviews based on the criticality of the change or product. We trust our development teams and engineers to identify security issues and performance issues, and to flag the change before we allow it to go through. Relatedly, we use continuous integration tools to identify whether any of the changes, once merged into the main branch, will create issues through our integration, unit, functional or security tests. If there are no issues identified in the build and test phases, the build process was successful and the change is ready for Production. If there are issues, the merge will then be re-evaluated to identify the changes that are causing it.

    Back to top
  • Employee Hiring

    We strive to hire the best

    Just like any company, we want to attract and hire the best and the brightest to work for us. We publicly welcome all new hires and challenge them to do the best work of their lives and to seek to change Obie for the better. We want their wealth of talent to make us a better company each day and each week. During recruiting, we perform employment background checks. On acceptance of an offer, we ensure each new hire has a 90-day onboarding plan and access to ongoing training based on their role.

    Back to top

FAQs

Below are some other frequently asked questions we like to ease your mind about.

  • Your Data

    All data you enter into Obie remains yours, and the Obie team is committed to ensuring that your data is kept safe and confidential. We do not copy or clone your documents in any way.

    Obie does store some data on our servers. He collects answers you store via chatting with him, and in the Dashboard as 'Books' 'Pages' & 'FAQs'. For third-party providers, file metadata such as ID and title is stored. Your authorization tokens for any third parties are also collected, which allow Obie to search, but come with strict restrictions (see Third-Party Applications below).

    Back to top
  • Third-Party Applications

    When connecting Obie to third-party applications (such as Google, Confluence, Dropbox, etc.), he uses their respective APIs and only asks for the lowest available read-only permission-set afforded to him by the provider. These permission sets always have to be explicitly approved by the person connecting Obie.

    Back to top
  • Third-Party Permissions

    The Obie team has taken great care to ensure that users are unable to escalate their permissions on the dashboard, or any third-party platform, by interacting with Obie. He may bring back search results that not everyone on your team can access, but the third-party will verify whether that person has access to the document beyond the title. The third party will often prompt to "request access to the document" if the user does not have permission.

    Back to top

Contact Us

The Obie team takes security seriously. If you have any further questions or concerns about Obie's security, don't hesitate to reach out to security@obie.ai

Back to top