
Security Overview

The importance of protecting customer data cannot be overstated. This page provides some insight into how we keep customer data secure, private, and accurate.

Network Perimeter

Sonic Boom protects its boundaries with a combination of load balancers, firewalls, VPNs, and SSH bastion hosts.

Account Security

User passwords are stored using an irreversible cryptographic hash.

Complex passwords are enforced for our administrative portals, and companies may choose to enforce complex passwords for our user-based application portal.

SSO – We support Single Sign-On using SAML 2.0 in either IdP-initiated or SP-initiated configurations.

Encryption

At rest: Disks where customer data may reside are encrypted using 256-bit AES disk encryption.

In transit: Traffic to the Sonic Boom portals is encrypted in transit using TLS 1.1 or 1.2.

Physical Security

Our data centers have the following accreditations:

  • SOC 2 Type II
  • OIX-2 Certified
  • PCI
  • GLBA compliant
  • HIPAA compliant
  • HITECH compliant
  • FISMA Moderate

Operational Security

Data-at-Rest Encryption. Beyond the server disks where customer data may reside, encryption at rest extends to every workstation and laptop. Encryption keys are stored separately from the data.

Penetration Testing. We engage third parties to perform penetration testing and to validate our security program.

Vulnerability Management and Patch Management Program. We perform daily scans using industry-leading tooling on our internal and external networks as well as weekly scans of each of our web applications. Remediation and/or installation of patches is prioritized by severity, and our agile processes allow for immediate patching of our applications and infrastructure after appropriate testing.

Authentication. Administrative and developer access requires two-factor authentication for remote access.

Access Control. Access to systems is granted on a ‘need-to-know’ and ‘least-privilege’ basis, with employees acquiring access only to those systems necessary to perform their job functions.

Change Control. Documented change requests are completed for bug fixes, enhancements and new development, as well as all changes to production infrastructure and configuration.

Audit Logging. Our system operations are logged extensively, and the logs are stored encrypted for at least a 30-day period. If needed, these logs may be mined to investigate incidents or to reconstruct a chain of events.

Organizational Security

We have a comprehensive set of information security policies in place, and employees are required to read and sign key policies upon hire and yearly thereafter.

All employees undergo regular security awareness training and phishing simulations.

All employees are thoroughly vetted using third-party background checks.

All employees sign a confidentiality agreement.

Compliance

HIPAA: Sonic Boom is HIPAA compliant.

SOC 2 – Type II / HITRUST: Sonic Boom has received a favorable and unbiased opinion from a third-party auditing firm validating our SOC 2 compliance with no exceptions or control deviations. Our SOC 2 – Type II report (Security, Availability, and Confidentiality Trust Service Principles) along with HITRUST CSF mapping is available to customers and prospects under NDA.

GDPR: Sonic Boom is undergoing third-party attestation of its GDPR compliance, with an estimated completion date of February 2019.

Privacy Shield: Sonic Boom participates in the EU-U.S. Privacy Shield Framework and is certifying its compliance, with an estimated completion date of February 2019 (the application will be finalized once the government shutdown ends).

Highly Available Infrastructure

Redundancy: Sonic Boom maintains a highly available application tier built on:

  • Redundant power circuits and backup battery systems
  • Multi-path Internet connectivity
  • Servers built with RAID+BBU arrays, redundant NICs, and redundant PWS
  • Databases configured in either redundant or replicated clusters
  • Application servers placed behind redundant, dedicated, highly-available load balancers

Recoverability: We keep multiple layers of on-site and off-site backups; encrypted, of course. We have documented disaster recovery and business continuity plans in place, and database backups are restored and verified daily.

Availability: Our uptime is 99.996% for the last 12 months as of January 2019. Our status page is available publicly at http://status.sbwell.com/.

Responsible Disclosure

If you discover a vulnerability, please contact us at security@sbwell.com so that we can arrange a secure communications channel. Once we receive your report, we will keep you informed while we remediate the issue as quickly as possible. Your report will be kept confidential and your personal details will not be shared with third parties without your consent.

We ask that you:

  • Do not send confidential information unencrypted.
  • Do not modify or delete production data.
  • Do not cause outages or slowdowns (no automated tooling).
  • Do not reveal or publish the vulnerability before the timeframe we mutually agree on.

Do not conduct attacks on physical security, social engineering, distributed denial of service, spam, or attacks against third-party applications.