Security is our top priority.
MaxusAI works hard to keep your data safe, secure, and private.
We take our security responsibility to you very seriously.
- Data privacy – The AWS infrastructure puts strong safeguards in place to help protect customer privacy. All data is stored in highly secure AWS data centres
- Data sovereignty – Customers always retain control of which AWS Region(s) are used to store and process their content. This allows our customers with geographic-specific requirements to establish environments in a location(s) of their choice.
- Data compliance – AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
- Scalability – Security scales with your AWS cloud usage. No matter the size of your company, the AWS infrastructure is designed to keep data safe.
MaxusAI aligns to SOC 2 / ISO 27001. We’ve given a lot of thought to how we’ve designed and built our application and infrastructure to deliver performance, stability and security to our customers.
We neither store nor transmit your credit card information. We use WooCommerce Subscription with Stripe, a PCI Level 1 compliant payment processor to handle all credit card transactions. All of our data is encrypted in transit and at rest.
Hosting and Database Storage
MaxusAI’s infrastructure is hosted within Amazon Web Services, one of the most sophisticated and secure Cloud platforms on the planet. This gives us a leg up in terms of security and best practice, as AWS has been battle-tested and hardened over many years to be able to protect against many events which may potentially compromise security. At MaxusAI, we use a combination of AWS services to build our services, whose boundaries are clearly defined through appropriately configured Virtual Private Cloud (VPC) and Infrastructure Access Management (IAM) policies.
Specifically, AWS provides MaxusAI the ability to:
- Secure and encrypt customer data at rest and in transit.
- Detect and handle Distributed Denial of Service (DDOS) attacks through easy monitoring and scaling of our core application services.
- Detect and block suspicious activity through monitoring/alarming and secure firewall configuration.
- Ensure that MaxusAI infrastructure is always up to date with the latest security and software patches through a system of automated and scheduled updates.
Encrypting Data in Transit
All HTTP traffic to MaxusAI runs over an SSL-encrypted connection and we only accept traffic on port 443. In addition, our websites and API endpoints provide HTTP Strict Transport Security (HSTS) headers, to ensure connections are made with SSL.
Encrypting Data at Rest
MaxusAI’s backend is supported by a MySQL database and has implemented Object Relational Mapper (ORM) technology to persist data. All data at rest and associated keys are encrypted using the industry-standard AES-256 algorithm.
Static files, such as images and other documents are persisted using AWS S3 storage. All static files are stored securely so while at rest they are encrypted.
AWS Security Practices
Amazon Web Services undergoes recurring assessments to ensure compliance with industry standards and continually manages risk.
By using AWS as a data centre operations provider, our data centre operations are accredited by:
Password Policy and Storage
During account creation and password update, MaxusAI requires a strong password that has eight characters or more, and contains numbers as well as lower- and upper-case letters. Visually, this requirement is displayed to the user through a password strength meter to encourage users to provide stronger passwords.
We do not store user passwords in plain text: we only store one-way encrypted password hashes using the most secure hashing method supported by phpass which is the OpenBSD-style Blowfish-based bcrypt. Blowfish provides a good encryption rate in software and no effective cryptanalysis of it has been found to date.
This algorithm uses a number of iterations or rounds of hashing and would require and enormous amount of computation power to break. This deliberately slows down attackers, making attacks against hashed passwords much harder.
At MaxusAI we are always on the lookout for ways to increase security and plan to support two-factor authentication and additional account notifications for sensitive account changes (like a password change) in an upcoming version.
XSS and CSRF Protection
To prevent Cross-Site Scripting attacks (XSS), input and output is escaped using PHP sanitization and filter functions before sending it to the user’s browser. In addition, within the MaxusAI API we ensure that endpoints cannot be abused to obtain elevated privileges through exploits. This is done via rigorous permissions checks when calling an API endpoint. MaxusAI also employs strict Cross-Origin Resource Sharing (CORS) headers to enforce origins request types for backend API requests.
We require all employees to use strong, unique passwords for MaxusAI accounts, and to set up two-factor authentication with each device and service where available. Access to application admin functionalities is restricted to a subset of MaxusAI staff.
Monitoring and Notifications
MaxusAI uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies. Some of our preferred services for logging and notification include AWS CloudWatch, AWS SNS and Datadog (https://www.datadoghq.com/) a modern monitoring & security platform bringing together end-to-end traces, metrics, and logs to make MaxusAI’s applications, infrastructure, and third-party services entirely observable.
MaxusAI development is performed by a small, close-knit team. Code reviews are common practice and a suite of development tools are used to automatically vet the code that is checked in to our repositories, including static type checkers and linters.
At MaxusAI, we invite anyone on the internet to notify us of issues they might find in our application to further strengthen and secure our platform. All vulnerability report submissions are read within hours of receipt and we aim to respond to all submissions within 48 hours.
In the event of a security breach, we have created procedures for resolute reactions, including turning off access to the web application, mass password reset and certificate rotations. If our platform is maliciously attacked, we will communicate this information to all of our users as quickly and openly as possible.