Encryption of data
Once information is uploaded to the Closely platform, it is encrypted and protected from unauthorized access. Closely relies on the cloud provider's built-in server-side encryption capability to encrypt data at rest. In transit, data is shared in hashed (SHA-256) form over HTTPS with TLS 1.3 encryption.
Closely uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes. An owner is assigned for each key and is responsible for ensuring that the appropriate level of security controls is enforced on keys. AWS data centers are claimed to be secured by design.
Closely also enforces a password complexity standard and stores credentials using a password-based key derivation function (bcrypt).
Securing and backing-up data
All of the data is backed up automatically and continuously, enabling point-in-time recovery. The backups are made and stored by Backblaze, which is designed for 99.999% durability. We create backups weekly, and copies are stored for 1 year. All backups are encrypted.
Logical access, permissions and authentication
Access to the production system is restricted on an explicit need-to-know basis, follows the principle of least privilege, is frequently audited and monitored, and is controlled by the Closely Operations Team. Employees with access are required to use multiple factors of authentication and complete extensive background checks, along with many technical and administrative controls. At all times, access to data is limited to authorized privileged employees who require it for their job responsibilities. Closely runs a zero-trust corporate network. We enforce two-factor authentication (2FA) and strong password policies to ensure access is protected.
Pentests & Vulnerability Scanning
Closely uses third-party security tools to continuously scan for and address vulnerabilities. Annually, Closely engages independent third-party security experts to perform detailed penetration tests on the Closely service and network.
Closely System Security
All Closely engineers follow common best practices defined by standards such as OWASP and NIST. At least annually, the engineers participate in secure code training covering the OWASP Top 10 security risks, common attack vectors, and Closely security controls. Closely's Quality Assurance (QA) department reviews and tests the Closely code base. Dedicated security engineers identify, test, and triage security vulnerabilities in code. Closely logically separates testing and staging environments from the service environment and never uses real data for tests.
Closely has a bug bounty program: individuals who believe they have discovered a vulnerability can report it to the Closely Security Team, which will work with the individual to investigate and resolve the issue promptly and will reward the first reporter of a vulnerability.
People and Security
All employees complete Security and Awareness training annually and during onboarding. Additionally, employees are trained on privacy by design and by default during monthly training. Closely maintains a comprehensive set of security policies that are regularly updated and communicated to all employees. Closely performs background checks on all new employees in accordance with the local laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references, and education verification (where available according to applicable law). All employee contracts include a confidentiality agreement.