SOC 1/SSAE 16/ISAE 3402
Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standard on Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS’s control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is ongoing and we plan to continue our process of periodic audits. This audit replaces the Statement on Auditing Standards No. 70 (SAS 70) Type II report.
FISMA Moderate
AWS enables US government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). FISMA requires federal agencies to develop, document, and implement an information security system for their data and infrastructure based on the National Institute of Standards and Technology Special Publication 800-53, Revision 3 standard.
FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, as well as a third-party audit of the established processes and controls. AWS has received a three-year FISMA Moderate authorization for Infrastructure as a Service from the General Services Administration. AWS has also achieved other Authorizations to Operate (ATOs) at the FISMA Moderate level by working with government agencies to certify their applications and workloads.
PCI DSS Level 1
AWS has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on the same PCI-compliant technology infrastructure.
PCI-validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), the underlying physical infrastructure, and the AWS Management Environment.
ISO 27001
AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC).
ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon’s commitment to providing transparency into our security controls and practices.
AWS’s ISO 27001 certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification. A copy of our ISO certificate, available to AWS customers, describes the ISMS services and geographic scope.
letzNav Inc. is also ISO 27001 certified; the certificate will be provided upon client request.
International Traffic in Arms Compliance
The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting the physical location of that data to US soil.
AWS GovCloud (US) provides an environment physically located in the US where access by AWS personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data under ITAR. The AWS GovCloud (US) environment has been audited by an independent third party to validate that the proper controls are in place to support customer export compliance programs for this requirement.
FIPS 140-2
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US Government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud (VPC) VPN endpoints and SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment.
GDPR
Apty is GDPR compliant with respect to the regulations and provisions for the legal protection of personal data in the European Union (EU) and European Economic Area (EEA).
Apty does not collect or store personal data of individuals. The core functionality of the application is based on metadata processing. The collected metadata (mainly the OS, browser, screen, and device details) is:
- transmitted only through secure channels (HTTPS, the letzNav default), and
- stored in a secure database with standard AES-256 encryption (the Heroku standard).
All the data associated with a particular client application resides in the same environment as the client application.
Apty servers store the data created in the Editor and the data sent from the Player. All text, images, and statistical information (usage data) gathered from the Apty Player are stored within Apty’s database servers secured by a dedicated firewall.
Each client is provided with their own database, and client data is properly segregated so that there is no chance of data interference.
Apty’s network and architecture run on Heroku’s physical infrastructure, which communicates with Amazon AWS, Amazon EC2, and Amazon RDS. Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability. In order to provide end-to-end security and privacy, AWS has built its services in accordance with security best practices, providing appropriate security features and documentation on how best to use them. Apty leverages those features and best practices, such as those Amazon RDS provides, to create a highly secure application environment that ensures the confidentiality, integrity, and availability of its data and maintains trust and confidence. Below are the relevant security certifications and accreditations that Apty has incorporated.