All of us here at Accelo appreciate the trust that you, our clients, are placing in the Accelo platform. You're trusting us with some of your most important business information, and you're trusting us to be there for you as you're running your business, available and working as hard and long as you do.
In light of this, we wanted to share some details about how we approach critical issues like operations and security. While we can't be as forthcoming as we'd like to be (since disclosing too much information gives people who don't have our, or your, best interests at heart an advantage), the information below should help give you a sense of how we work here at Accelo.
Every connection between you, our users, and Accelo, is encrypted using Transport Layer Security (TLS - the successor to Secure Sockets Layer, or SSL). We use the TLS 1.2 protocol, 256-bit RSA key exchange and a 128 bit AES encryption cipher. This also includes all traffic between our smartphone apps and Accelo servers and all of our APIs.
If you or your colleagues accidentally enter a URL without encryption, we automatically switch it over to SSL by force using a redirect before responding.
The effect of this is it makes it very difficult for someone sitting in the network to inspect your data - if you were to be sitting in a coffee shop on an open/unsecure WiFi network, your traffic to Accelo would be just a scrambled mess to someone "eavesdropping".
Additionally, all of the points at which Accelo synchronizes with other services - including Google Apps, Office365, Xero, Zapier and others - are encrypted using TLS. The only channel that Accelo allows unencrypted traffic to connect to us is SMTP (email) - this is for historical, legacy and compatibility reasons.
In addition to encrypting the data as it's transferred between you and Accelo, we also encrypt all databases and backups of your data at rest. This Encryption at Rest uses the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts your data.
This ensures that the content on our servers is only accessible in our controlled systems environment, and should someone get their hands on a hard drive or other data source, they wouldn't be able to unlock it without the key.
The security and quality controls embedded into Key Management Service (KMS) we use have been validated and certified by the following compliance schemes:
AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can request a copy of these reports from AWS Compliance.
PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
In evaluation for FIPS 140-2. For more details, you can view the FIPS 140-2 Implementation Under Test List.
Our systems work with two forms of backup - hot failover of real time systems (so, if a primary should fail, the secondary is ready to go instantly) and backups of data (so that mistakes like deleting critical data can be "undone").
All of Accelo's production systems are secured by multi-factor authentication. All login attempts in those systems - successful and unsuccessful - are automatically logged. Logs are automatically monitored for anomalous or suspicious activity.
In addition to the security precautions we take, we also make it easy for you to enforce good security practices on how you and your colleagues access your data in Accelo.
With support for Two Factor Authentication, Strong Password Policies, Delegated Access to Google and Automated Account Lockout, you're able to control how you and your team access your data and the Accelo system.
Two Factor Authentication: this involves the combination of something you know (your password) and something you have (usually your smartphone) to make it a lot harder for someone to get into your account even if they have/guess your password. For more information about setting it up with your Accelo account, check out our Two-Factor Authentication help guide.
Strong Password Policies: Accelo also makes it easy for administrators to set strong password policies. These include enforcing minimum password lengths, character combinations, ensuring they don't use usernames/emails or a part thereof, that they aren't the same as recently used passwords, can't be changed too frequently or too infrequently.
Delegated Access Control to Google Apps: For accounts linked to Google Apps (now known as G-Suite) via Accelo's marketplace app, administrators can require that users have to use Google's sign-in/authentication infrastructure. This ensures that there's a single authentication pathway and allows you to "shelter" behind the protection of the security team securing the world's largest online account manager.
Automated Account Lockout: All Accelo accounts are protected by automated account lockout - if a user's account has the incorrect password entered more than 5 times in 30 minutes, their account remains locked for 30 minutes and can only be unlocked in the interim by an administrator (or via password reset email). This is designed to thwart dictionary attacks - where a bot tries to guess a user's password.
We take the integrity of your data very seriously. In the event of a security breach, Accelo will notify affected parties of the occurrence and scope of the breach directly, and in a timely manner.
Like your business, our business depends on the integrity and capabilities of our people, operating with the support and coordination of our processes.
When it comes to your business data stored in our cloud infrastructure, access is tightly controlled. Only a very small subset of Accelo's engineers have access to production systems at the engineering level, and access is controlled by SSH keys that are centrally managed by an orchestration infrastructure (we use Puppet). We also take advantage of Google's Advanced Protection Program (created specifically for high-value targets), which makes use of industry-leading FIDO security keys to protect against account takeovers.
When our developers from time to time require access to debug something specific, they request an encrypted export of a subset of data, which is then transferred via an encrypted channel (SSH 2.0 protocol using SHA-256 keys) and worked on in development environments that are also encrypted at rest.
Operationally, Accelo's development environments are completely separated from the production systems, ensuring tight control on access to your data and ensuring work by developers can't touch or interact with your production data. The development environments are still actively managed by our security team, ensuring consistency and control over even development environments is tightly managed too.
The only access to a client's account for our support staff is via the Accelo application itself. All accesses are logged, tracking the user and the timestamp of their login/use. We have strong policies that these logins are only undertaken to replicate or confirm a specific bug/issue when alerted by a client, and all of our team members must sign onto stringent confidentiality agreements. Any abuse of this access is grounds for instant termination.
Servers, websites and applications are created by people, and from time to time bugs and vulnerabilities are discovered in the underlying software platforms that power Accelo. We rely solely on Open Source software (including OpenSSH, Apache, MySQL, Mongo, ElasticSearch, Kibana, Puppet, Postfix and others) and we ensure we use widely adopted, supported and maintained versions of these products.
On the occasion that a vulnerability is found in one of these platforms (eg, Heartbleed) our operations team move fast (in the case of Heartbleed, we had patched all systems within 90 minutes). With a team watching these things around the clock, a mixture of expertise, vigilance and doing things right ensures your data is protected and secure, much more so than it would be sitting on a server in the corner of your office.
Of course, secure systems managed by professional, vigilant people aren't much use if they aren't resilient or the company providing the service isn't on a sound financial footing. The good news is that Accelo's setup, choice of vendors and own operating position is strong, ensuring resilience and continuity into the future.
Accelo uses Amazon Web Services (AWS) to provide all of our infrastructure needs, the world's largest cloud provider with more than twice the market share of the next three largest Infrastructure as a Service (IaaS) providers combined. We currently utilize the AWS cloud in North America (Oregon availability zone), Europe (Ireland availability zone) and Asia-Pacific (Sydney availability zone).
Within each zone we use multiple independent systems to provide load balancing (Enterprise Load Balancers, or ELB service), compute power (Elastic Compute Cloud, or EC2 service), scalable and redundant databases (Relational Database Service, or RDS) and storage (S3, EFS and Glacier). We also make use of Amazon's distributed DNS service (Route53), system monitoring services (Cloudwatch & GuardDuty) and security/key stores (KMS) as well as Identity and Access Management (IAM) with two-factor authentication.
Our computer architecture uses Auto-Scaling Groups (ASGs) to ensure that as load increases our systems automatically scale up to meet the demand. When it comes to redundancy, key services like our databases are always running in a redundant configuration, ensuring that if one service drops its twin/redundant service is already running and ready to take over automatically.
In addition to our use of the world's largest cloud company to provide confidence and continuity for our clients, Accelo itself is on a strong financial footing. While we don't disclose revenues, Accelo is growing very strongly and the increasing revenues from our thousands of paying users ensure we're quite capable of not only maintaining services but also investing in continuous improvement across the product.
In addition to our continuity, we also make it possible for all of our clients to export all of their own data in its native SQL format for their own use and retention. We believe very strongly at Accelo that your data is absolutely your data, and we make sure you're able to take it out of the platform for your own peace of mind or curiosity any time you wish.
Accelo periodically engages leading, external security professionals to audit and verify our security posture, policies and processes.
Accelo recently undertook an extensive audit with Bishop Fox, one of two companies trusted by Google to perform these kinds of audits of leading cloud software vendors.
Bishop Fox works with over a quarter of the world's largest companies, 80% of the largest companies in the technology industry and has developed a strong pattern of both security consulting (2300+ engagements in the last 15 years) and security research (discovery and disclosure of vulnerabilities in Connectwise Control).
This audit included internal policy reviews, high touch investigations of the application security, and an extensive suite of penetration tests of Accelo's cloud infrastructure. Further details about this audit and letter of compliance can be provided to clients under NDA with Accelo upon request.