All of us here at Accelo appreciate the trust that you, our clients, are placing in the Accelo platform. You're trusting us with some of your most important business information, and you're trusting us to be there for you as you run your business: available, and working as hard and as long as you do.
In light of this, we wanted to share some details about how we approach critical issues such as operations and security. While we can't be as forthcoming as we'd like to be (since disclosing too much information gives people who don't have our, or your, best interests at heart an advantage), the information below should help give you a sense of how we work here at Accelo.
In addition to encrypting the data between you and Accelo in transit, we also encrypt all of your data at rest. This Encryption at Rest uses the industry-standard AES-256 encryption algorithm to encrypt data on the server that hosts your data.
This ensures that the content on our servers is only accessible in our controlled systems environment, and should someone get their hands on a hard drive or other data source, they wouldn't be able to unlock it without the key.
The security and quality control embedded into the Key Management Service (KMS) we use have been validated and certified by the following compliance schemes:
Accelo's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Our systems work with two forms of backup: hot failover of real-time systems (so, if a primary should fail, the secondary is ready to go instantly) and backups of data (so that mistakes like deleting critical data can be "undone"). Backup snapshots are taken daily, and we also take a weekly backup of data, which we keep for a much longer period.
In addition to the security precautions we take, we also make it easy for you to enforce good security practices on how you and your colleagues access your data in Accelo.
With support for Two Factor Authentication, Strong Password Policies, Delegated Access to Google, and Automated Account Lockout, you're able to control how you and your team access your data and the Accelo system.
Like your business, our business depends on the integrity and capabilities of our people, operating with the support and coordination of our processes.
When it comes to your business data stored in our cloud infrastructure, access is tightly controlled. Only a very small subset of Accelo's engineers have access to production systems at the engineering level, and access is controlled by SSH keys that are centrally managed by an orchestration infrastructure (we use Puppet).
When our developers from time to time require access to debug something specific, they request an encrypted export of a subset of data, which is then transferred via an encrypted channel (SSH 2.0 protocol using SHA-256 keys) and worked on in development environments that are also encrypted at rest.
Operationally, the development environments are completely separated from the production systems, ensuring tight control on access to your data and ensuring work by developers can't touch or interact with your production data. The development environments are still actively managed by our DevOps team, so consistency and control are tightly managed even there.
The only way our support staff can access a client's account is via the Accelo application itself, and all accesses are logged, showing the user and the timestamp of their login/use. We have strong policies that this is only undertaken to replicate or confirm a specific bug/issue when alerted by a client, and all of our team members must sign stringent confidentiality agreements before starting with the company. Any abuse of this monitored/logged access is grounds for instant termination.
Servers, websites, and applications are created by people, and from time to time bugs and vulnerabilities are discovered in the underlying software platforms that power Accelo. We rely solely on Open Source software (including OpenSSH, Apache, MySQL, Mongo, ElasticSearch, Kibana, Puppet, Postfix, and others) and we ensure we use widely adopted, supported, and maintained versions of these products.
When a vulnerability is found in one of these platforms (e.g., Heartbleed), our operations team moves fast (in the case of Heartbleed, we had patched all systems within 90 minutes). With a team watching these things around the clock, a mixture of expertise, vigilance, and doing things right ensures your data is protected and secure, much more so than it would be sitting on a server in the corner of your office.
Of course, secure systems managed by professional, vigilant people aren't much use if they aren't resilient or the company providing the service isn't on a sound financial footing. The good news is that Accelo's setup, choice of vendors, and own operating position are strong, ensuring resilience and continuity into the future.
Accelo uses Amazon Web Services (AWS), the world's largest cloud provider with more than twice the market share of the next three largest Infrastructure as a Service (IaaS) providers combined, to provide all of our infrastructure needs. We currently utilize the AWS cloud in North America (Oregon availability zone), Europe (Ireland availability zone), and Asia-Pacific (Sydney availability zone).
Within each zone we use multiple independent systems to provide load balancing (Enterprise Load Balancers, or ELB service), compute power (Elastic Compute Cloud, or EC2 service), scalable and redundant databases (Relational Database Service, or RDS), and storage (S3, EFS, and Glacier). We also make use of Amazon's distributed DNS service (Route 53), system monitoring services (CloudWatch), and security/key stores (KMS).
Our compute architecture uses Auto-Scaling Groups (ASGs) to ensure that as the load increases, our systems automatically scale up to meet the demand. When it comes to redundancy, key services like our databases are always running in a redundant configuration, ensuring that if one service drops, its twin/redundant service is already running and ready to take over automatically.
In addition to our use of the world's largest cloud company to provide confidence and continuity for our clients, Accelo itself is on a strong financial footing. While we don't disclose revenues, Accelo is growing very strongly, and the increasing revenues from our thousands of paying users ensure we're quite capable of not only maintaining services but also investing in continuous improvement across the product.
In addition to our continuity, we also make it possible for all of our clients to export all of their own data in its native SQL format for their own use and retention. We believe very strongly at Accelo that your data is absolutely your data, and we make sure you're able to take it out of the platform for your own peace of mind or curiosity any time you wish.
Accelo is audited at least once a year by an external security audit firm. The specifics of this engagement are commercially confidential, but as one of only three companies trusted to perform audits by the world's largest tech companies, we are confident in the competence and thoroughness of this annual audit cycle (which takes many months).
Our external auditors assess our security by looking at the following key areas: