All of us here at Accelo appreciate the trust that you, our clients, are placing in the Accelo platform. You're trusting us with some of your most important business information, and you're trusting us to be there for you as you're running your business, available, and working as hard and long as you do.
In light of this, we wanted to share some details about how we approach critical issues such as operations and security. While we can't be as forthcoming as we'd like to be (since disclosing too much information gives people who don't have our, or your, best interests at heart an advantage), the information below should help give you a sense of how we work here at Accelo.
Every connection between you, our users, and Accelo is encrypted using Transport Layer Security (TLS - the successor to Secure Sockets Layer, or SSL). We use the TLS 1.2 protocol, 256-bit RSA key exchange, and a 128 bit AES encryption cipher. This also includes all traffic between our smartphone apps and Accelo servers and all of our APIs.
If you or your colleagues accidentally enter a URL without encryption, we automatically switch it over to SSL by force using a redirect before responding.
The effect of this is it makes it very difficult for someone sitting in the network to inspect your data - if you were to be sitting in a coffee shop on an open/unsecure WiFi network, your traffic to Accelo would be just a scrambled mess to someone "eavesdropping".
Additionally, all of the points at which Accelo synchronizes with other services - including Google Apps, Office365, Xero, Zapier, and others - are encrypted using TLS. The only channel that Accelo allows unencrypted traffic to connect to us is SMTP (email) - this is for historical, legacy, and compatibility reasons.
In addition to encrypting the data between you and Accelo in transit, we also encrypt all of your data at rest. This Encryption at Rest uses the industry-standard AES-256 encryption algorithm to encrypt data on the server that hosts your data.
This ensures that the content on our servers is only accessible in our controlled systems environment, and should someone get their hands on a hard drive or other data source they wouldn't be able to unlock it without the key.
The security and quality control embedded into Key Management Service (KMS) we use have been validated and certified by the following compliance schemes:
AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can request a copy of these reports from AWS Compliance.
PCI DSS Level 1. For more details on PCI DSS-compliant services in AWS, you can read the PCI DSS FAQs.
ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
In the evaluation for FIPS 140-2. For more details, you can view the FIPS 140-2 Implementation Under Test List.
Accelo's use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Our systems work with two forms of backup - hot failover of real-time systems (so, if a primary should fail, the secondary is ready to go instantly) and backups of data (so that mistakes like deleting critical data can be "undone"). Backup snapshots are taken daily, and a weekly backup of data which we keep for a much longer period.
In addition to the security precautions we take, we also make it easy for you to enforce good security practices on how you and your colleagues access your data in Accelo.
With support for Two Factor Authentication, Strong Password Policies, Delegated Access to Google, and Automated Account Lockout, you're able to control how you and your team access your data and the Accelo system.
Two Factor Authentication: this involves the combination of something you know (your password) and something you have (usually your smartphone) to make it a lot harder for someone to get into your account even if they have/guess your password. For more information about setting it up with your Accelo account, check out our Two-Factor Authentication help guide.
Strong Password Policies: Accelo also makes it easy for administrators to set strong password policies. These include enforcing minimum password lengths, character combinations, ensuring they don't use usernames/emails or a part thereof, that they aren't the same as recently used passwords, can't be changed too frequently or too infrequently.
Delegated Access Control to Google Apps: For accounts linked to Google Apps (now known as G-Suite) via Accelo's marketplace app, administrators can require that users have to use Google's sign-in/authentication infrastructure. This ensures that there's a single authentication pathway and allows you to "shelter" behind the protection of the security team securing the world's largest online account manager.
Automated Account Lockout: All Accelo accounts are protected by automated account lockout - if a user's account has the incorrect password entered more than 5 times in 30 minutes, their account remains locked for 30 minutes and can only be unlocked in the interim by an administrator (or via password reset email). This is designed to thwart dictionary attacks - where a bot tries to guess a user's password.
Like your business, our business depends on the integrity and capabilities of our people, operating with the support and coordination of our processes.
When it comes to your business data stored in our cloud infrastructure, access is tightly controlled. Only a very small subset of Accelo's engineers have access to production systems at the engineering level, and access is controlled by SSH keys that are centrally managed by an orchestration infrastructure (we use Puppet).
When our developers from time to time require access to debug something specific, they request an encrypted export of a subset of data, which is then transferred via an encrypted channel (SSH 2.0 protocol using SHA-256 keys) and worked on in development environments that are also encrypted at rest.
Operationally, the development environments are completely separated from the production systems, ensuring tight control on access to your data and ensuring work by developers can't touch or interact with your production data. The development environments are still actively managed by our DevOps team, ensuring consistency and control over even development environments is tightly managed too.
The only access to a client's account for our support staff to use is via the Accelo application itself, and all accesses are logged, showing the user and the timestamp of their login/use. We have strong policies that this is only undertaken to replicate or confirm a specific bug/issue when alerted by a client, and all of our team members must sign stringent confidentiality agreements before starting with the company. Any abuse of this monitored/logged access is grounds for instant termination.
Servers, websites, and applications are created by people, and from time to time bugs and vulnerabilities are discovered in the underlying software platforms that power Accelo. We rely solely on Open Source software (including OpenSSH, Apache, MySQL, Mongo, ElasticSearch, Kibana, Puppet, Postfix, and others) and we ensure we use widely adopted, supported, and maintained versions of these products.
On the occasion that a vulnerability is found in one of these platforms (eg, Heartbleed) our operations team move fast (in the case of Heartbleed, we had patched all systems within 90 minutes). With a team watching these things around the clock, a mixture of expertise, vigilance, and doing things right ensures your data is protected and secure, much more so than it would be sitting on a server in the corner of your office.
Of course, secure systems managed by professional, vigilant people aren't much use if they aren't resilient or the company providing the service isn't on a sound financial footing. The good news is that Accelo's setup, choice of vendors, and own operating position are strong, ensuring resilience and continuity into the future.
Accelo uses Amazon Web Services (AWS) to provide all of our infrastructure needs, the world's largest cloud provider with more than twice the market share of the next three largest Infrastructure as a Service (IaaS) providers combined. We currently utilize the AWS cloud in North America (Oregon availability zone), Europe (Ireland availability zone), and Asia-Pacific (Sydney availability zone).
Within each zone we use multiple independent systems to provide load balancing (Enterprise Load Balancers, or ELB service), compute power (Elastic Compute Cloud, or EC2 service), scalable and redundant databases (Relational Database Service, or RDS), and storage (S3, EFS, and Glacier). We also make use of Amazon's distributed DNS service (Route53), system monitoring services (Cloudwatch), and security/key stores (KMS).
Our compute architecture uses Auto-Scaling Groups (ASGs) to ensure that as the load increases our systems automatically scale up to meet the demand. When it comes to redundancy, key services like our databases are always running in a redundant configuration, ensuring that if one service drops its twin/redundant service is already running and ready to take over automatically.
In addition to our use of the world's largest cloud company to provide confidence and continuity for our clients, Accelo itself is on a strong financial footing. While we don't disclose revenues, Accelo is growing very strongly and the increasing revenues from our thousands of paying users to ensure we're quite capable of not only maintaining services but also investing in continuous improvement across the product.
In addition to our continuity, we also make it possible for all of our clients to export all of their own data in its native SQL format for their own use and retention. We believe very strongly at Accelo that your data is absolutely your data, and we make sure you're able to take it out of the platform for your own peace of mind or curiosity any time you wish.
Accelo is audited at least once a year by an external security audit firm. The specifics of this engagement are commercially confidential, but as one of only three companies trusted to perform audits by the world's largest tech companies, we are confident in the competence and thoroughness of this annual audit cycle (which takes many months).
Our external auditors assess our security by looking at the following key areas:
Subject to signing a non-disclosure agreement (NDA) to protect the security and confidentiality of the work and methods of our auditors, we can share details from our most recent audit in the form of our Remediation Report and Security Outcomes. Please contact your Account Manager to find out more.
To report a vulnerability, send an email to firstname.lastname@example.org
We absolutely do. If you see something that you think represents a security vulnerability or issue, please email email@example.com. We appreciate insights and suggestions, but do not provide financial compensation.
Absolutely not. Rather than support ad hoc bug reports via a bounty program, we work with a range of external vendors - choosing who to engage with, the financial rewards of engagement and ensuring that the work of these specialists doesn't disrupt our paying clients.