Security & Privacy
[
Security
]

Persefoni 

Security & Privacy

 Center

Cookie Declaration
Security
Persefoni Privacy Policy

Security at Persefoni

Last Updated: October 6, 2023

Overview

From inception, Persefoni recognized the need to have security architected throughout the Persefoni Climate Management & Account Platform (CMAP) and our supporting services. Our customers share data to calculate their carbon footprint and expect their data to be kept secure and confidential. To that end, we have invested heavily in our platform to enable enterprise-grade security features and processes. With this, Persefoni's security posture is guided and maintained by four (4) security principles as described further on this page:

  1. Provision and Manage Users with the Principle of Least Privilege
  2. Architect and Develop for Security and Privacy
  3. Train and Educate on Security Repeatedly
  4. Align and Comply with Industry Security Standards

For further information of Persefoni's security and privacy controls or to request copies of Persefoni's audit reports and certifications, please visit Persefoni's Trust page.

Shared Security Responsibility Model (SSRM)

As a Software as a Service (SaaS) application hosted in Amazon Web Services (AWS), we maintain a list of security responsibilities that are shared between AWS, Persefoni, and Persefoni’s customers. At a summary level those responsibilities are: 

  • AWS is responsible for the physical data centers, networking, perimeter security, hardware configurations, and availability of the Platform-as-a-Service (PaaS) services provided to Persefoni for use in the CMAP. 
  • Persefoni is responsible for security configurations including but not limited to data encryption at rest and in transit, network and firewall restrictions, and application, database,  container, and infrastructure security.
  • Persefoni's customers are responsible for the proper use of and security access configurations in the CMAP. Other responsibilities include but are not limited to user setup and management, user access reviews, data quality, data classification standards, third-party integration setup, and, as applicable, the single sign-on (SSO) setup.

Principle 1: Provision and Manage Users with the Principle of Least Privilege

  • The security principle of "least privilege" is utilized across all Persefoni systems. Access to platform code and data depends on the resource’s role, and production access by employees is particularly controlled and restricted.
  • Persefoni utilizes Privileged Access Management (PAM) to manage and audit access to production environments. Using PAM, developers must request access to a production environment and the request must be approved by Persefoni’s Engineering leadership. Once access is granted, the access duration is limited to a specific duration and activity logs are available for later review.
  • Persefoni reviews Persefoni personnel access to all  systems at least quarterly.
  • Customers are responsible for reviewing access to their Persefoni account following their own access review policies and procedures. Persefoni resources with direct access to customer accounts are always shown in Persefoni User Manager screen, so customers have a full view of all users with access to their data.

Principle 2: Architect and Develop for Security and Privacy

Architecture

  • The Persefoni CMAP consists of a multi-tier, multi-tenant SaaS application hosted in AWS and is architected into four distinct tiers or layers: the highly protected database tier, API tier, front-end tier, and web browser (which is managed by the customer). 
  • Web application firewalls, security groups, access control lists, and other security detection and control mechanisms are deployed between layers to provide multiple layers of protection between the internet and database tier. 

Authentication

  • Persefoni supports identity provider (IdP) initiated SSO via the SAML protocol with IdPs such as Okta, Microsoft, and Ping. 
  • If SSO is not utilized, and username and password authentication is chosen instead, Persefoni supports multi-factor authentication and IP allow listing to enhance access control to the CMAP. In this configuration, passwords are hashed with bcrypt and salted. 

Data Storage and Backup

  • Persefoni's multi-tenant architecture concurrently stores data in AWS US-East 2 (Ohio), US-East 1 (Virginia), EU-West 1 (Ireland), and AP-Northeast 1 (Tokyo). Note: If you have specific data residency needs, please ask your Persefoni Sales Representative about Persefoni's single tenant architecture model.
  • Data within the Persefoni Platform is backed up continuously and can be restored to any point in the last 72 hours. 
  • Additionally, backups are taken each day and maintained for at least a year. 
  • Backups will always be encrypted using Advanced Encryption Standard (AES) 256-bit encryption and are stored in secure, geographically dispersed AWS S3 buckets.

Encryption

  • Persefoni utilizes encryption at rest using Advanced Encryption Standard (AES) 256 and encryption in transit via TLS 1.2 or above. Persefoni also utilizes Perfect Forward Secrecy (PFS) ciphers for data transmission outside the CMAP.
  • Persefoni's multi-tenant architecture utilizes AWS managed encryption keys. Note: If you require customer managed encryption keys, please ask your Persefoni Sales Representative about Persefoni's single tenant architecture model.

Monitoring & Logging

  • Persefoni maintains monitoring and logging for each level of the platform's architecture, including databases, containers, load balancers, firewalls, and other application components.
  • Persefoni maintains all log information for at least one year for security reviews.
  • If a security event is identified to be a threat, Persefoni Engineering and Information Security teams are notified immediately to triage, classify, contain, and remediate the security event or incident, including details such as the time of the event and impact to the platform.

Physical Security

  • Persefoni is hosted in Amazon Web Services (AWS), and AWS data centers maintain several physical security controls to protect Persefoni and customer data. Persefoni reviews and validates AWS security controls at least annually to affirm they are operating effectively. Please navigate the AWS Compliance page for further information on its data center controls. 

Secure Development Lifecycle (SDLC)

  • Persefoni implements automated and manual review processes to ensure quality and security assurance in our software development processes starting from product design and feature creation through deployment to production.
  • Static Application Security Testing (SAST) of the platform's containers, software packages, and code is conducted with each software build.

Vulnerability Management

  • Persefoni is vulnerability tested and secured through several threat management processes, including:
  • External network vulnerability scanning is conducted monthly.
  • Penetration testing is conducted at least quarterly by a third-party vendor, including the following testing types:
  • External Network
  • API
  • Gray Box Application

Network & System Hardening Standards

  • Persefoni implements its application infrastructure and network configurations with guidance from industry-leading security standards such as NIST Cybersecurity and CIS Level 2 frameworks.
  • Persefoni maintains and executes security baseline requirements for each layer of the platform architecture.

Principle 3: Train and Educate on Security Repeatedly

  • All Persefoni employees and contractors undergo security awareness and data privacy training upon hire and annually thereafter.
  • All Persefoni employees and contractors undergo criminal background checks before starting at Persefoni.
  • All Persefoni Engineering personnel undergo secure development + OWASP 10 training upon hire and annually thereafter.
  • Informal security awareness training is conducted every two weeks during Persefoni all company meetings.

Principle 4: Align and Comply with Industry Security & Privacy Standards 

Security Compliance

  • Persefoni maintains a robust information security management system (ISMS) that a third-party auditor audits annually to maintain compliance with the following industry-standard security frameworks:
  • SOC 1 Type II: An attestation that provides an external auditor’s validation that Persefoni maintains appropriate controls around the Climate Management and Accounting Platform (CMAP) for customer financial reporting purposes (specific to carbon accounting). Persefoni received a clean, unqualified audit report with no exceptions.
  • SOC 2 Type II: An attestation that provides an external auditor’s validation that Persefoni's security controls were in place and effective for the report’s coverage period as related to the American Institute of Certified Public Accountant's (AICPA) trust service principles. Persefoni was audited against the Security, Availability, and Confidentiality trust service principles and received a clean, unqualified audit report with no exceptions.
  • ISO 27001: A certification that provides external auditor validation that an effective Information Security Management System (ISMS) has been established to identify and manage information risks through a comprehensive set of company-wide processes and security controls, including procedures and controls that continually improve the ISMS. To access our ISO 27001 certification, please enter our registrant name, “Persefoni AI” in the link here.
  • ISO 27017: A certification that provides external auditor validation that Persefoni's ISMS includes controls for the secure management of Persefoni's cloud infrastructure as well as cloud service security for users of the Persefoni CMAP. To access our ISO 27017 certification, please enter our registrant name, “Persefoni AI” in the link here. Note: ISO 27017 is an extension of the ISO 27001 security framework, and as such, Persefoni's ISO 27017 certification is included in Persefoni's ISO 27001 certificate.
  • CSA STAR Level 2 Gold: A certification that provides external auditor validation that Persefoni’s security controls are implemented according to the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ). To access our CSA STAR certificate and CAIQ, please navigate the CSA Registry in the link here.

Privacy Compliance

  • Persefoni is prepared to comply with obligations applicable to it according to global data protection laws, including GDPR and CCPA. Please see our Privacy Policy for further information on your data privacy rights and how we comply with these regulations.
  • Since Personally Identifiable Information (PII) is not required for carbon accounting calculations, Persefoni stores and processes very limited PII. Only users’ first name, last name, business email address, and IP address are stored in order to support authentication, logging, and audit requirements.
  • Further to the shared data security responsibility principles, Persefoni specifically requests that customers do not upload other PII to the CMAP.
Close
Get the latest updates straight to your inbox
Sign up for our newsletter and stay ahead of the curve. With every edition, you'll receive the latest news, updates, and insights from our experts, straight to your inbox.
© 2024 Persefoni AI. All rights reserved.
LegalSecurityPrivacyStatus
Do not sell or share my personal information
Language