Aidora Security Overview
Aidora has a strong commitment to safeguarding user data and maintaining high standards of data security.
Overview
Our stringent authentication mechanisms will ensure that the platform is secure, with features like magic links to leverage multi-factor security implemented by the client and OAuth integrations with major service providers such as Google.
Our application will be hosted on top-tier providers and will be designed to ensure optimal availability and security. Our databases will be constantly backed up and will support Point-In-Time Recovery for maximum business continuity and disaster recovery.
As a small and nimble company, we stay abreast of the latest security requirements and updates. Employee access to our systems will be strictly controlled and monitored, with comprehensive security training provided from the onset. Additionally, we've adopted automated security and compliance checks with Vanta, which will test our systems at an hourly frequency.
Overall, we aim to provide a platform that gives you control over your data and peace of mind with our rigorous security measures and adherence to best practices.
Information
SOC 2 Type II
We have partnered with Vanta to acquire SOC 2 Type II Compliance certification, ensuring that we have state of the art security measures in place. We can provide the engagement letter with our Auditor upon request.
HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 applies to Protected Health Information (“PHI”) received from a Covered Entity (healthcare provider, plan or clearinghouse) or Business Associate (claims processing, billing). The definition of PHI expressly excludes both (1) general HR data and (2) workers compensation related data held by employers. Specifically, HIPAA does not regulate the employer’s use and disclosure of medical information related to the Family Medical Leave Act of 1993 (“FMLA”).
Therefore, while HIPAA does not apply to Aidora, we take security very seriously and have other measures in place as outlined in this document to protect your employees’ data.
Application
Our application is available on the web, and is protected through various layers of security.
We partner with Cloudflare to use their state of the art Web Application Firewall (WAF), creating a shield around our application. This shield filters and monitors HTTP traffic between our application and the public internet, protecting the application from attacks such as distributed denial of service (DDoS), cross-site forgery, cross-site-scripting, SQL injection, and many more.
Our application will ensure that data is encrypted with the latest industry standards: at rest using the Advanced Encryption Standard (AES-256) and in transit using TLS. We will capture all changes of data in the system; facilitating auditing, compliance, forensics, and non-repudiation.
We will incorporate a suite of unit, integration, and end-to-end tests that ensure optimal quality and performance of our product. Development, preview, and release environments will be distinct and a Continuous Integration (CI) system will be responsible for automated code builds allowing for immediate release and rollback of the platform in the off chance there's an issue found in production. In addition to deployment, the CI system will handle automated vulnerability scanning of libraries, static code analysis, and open source license scanning to ensure we remain compliant.
Access to the platform will be restricted to invited members. Authentication mechanisms will include magic links and OAuth with major providers such as Google.
Infrastructure
We partner with best-in-class infrastructure providers. Our application will be hosted on Vercel and our databases will be hosted on Supabase, both of which are SOC 2 Type lI compliant infrastructure providers.
Availability of our infrastructure will be continuously monitored and can identify anomalous activities, immediately alerting our engineering team of any potential issues.
Our databases will be continuously backed up, allowing us to perform Point-In-Time Recovery (PITR) and ensure business continuity and disaster recovery.
Business Processes
Security is a moving target and requirements change every day just as technology changes. Because we are a small and nimble company we can keep up with the latest security requirements by not only testing and deploying the latest security patches, but by quickly educating our employees with the latest security best practices.
Employees will be selected after rigorous vetting (including a background check) and undergo an annual security training. Permissions to systems will be checked regularly and will only be granted as needed to ensure data privacy.
All laptops will be managed centrally through a device management suite and ensure that hard drives are encrypted, a strong password is set, and that the laptop automatically locks when idle.
We have partnered with Vanta to provide ongoing automated security and compliance checks, ensuring we are compliant at all times. You will be able to check in real time if we are compliant by going to our trust page.
All identified issues that are high priority are resolved within our internal SLA of 3 business days.
About Aidora
HR teams grapple with the increasing complexity of managing leaves of absences due to the rise of distributed workforces and the addition of new state leave laws.
Aidora is a cloud-based software tool that enables HR teams to efficiently manage leave of absences in-house, while ensuring legal compliance and a positive employee experience.
For more information or specific questions about our security standards, please contact our team at it@getaidora.com