Slemma understands that the confidentiality and integrity of our customers’ information is vital to their business operations. It’s important to our customer that they feel confident that their company’s competitive data is secure and can not be accessed by anyone else. This is why the security of our client’s information is our top priority. We use a multi-layered approach to protect valuable information that comes through Slemma.
A Data Center We Trust
The Slemma.com application is hosted on the Amazon Web Services platform, the undisputed market leader in Cloud Computing. AWS is protected by industry-standard security measures ensuring all hardware and networks meet strict controls. You can read more about Amazon Web Services here. Stringent security and firewall policies are utilized in the Slemma AWS setup to ensure all Slemma AWS resources are well protected.
Slemma maintains strict access control policies for any Slemma administrators that are necessary to maintain the Slemma application on the AWS servers.
Connections to the Slemma application site are encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM) ensuring that all of your data is secure in transmissions to and from Slemma.
Access & User Management
To access the Slemma application, users must use a unique userid and password combination. Passwords must meet strong password policies and are encrypted in storage so they are never visible to anyone. Too many incorrect login attempts can result in the locking of user’s account to protect against brute force guessing attacks.
Within the application, Slemma has several levels of user roles and permission. This enables the control of creating, editing, viewing, and sharing resources so that one can limit what users with their Slemma account may access. You can read more about our permissions levels here.
Only Admin users can manage the creation and deletion of users and the billing information.
All payment-related services are provided by Stripe, which is widely regarded as one of the most reliable payment processors in the industry. Slemma does not have access to any of your sensitive payment information.
Slemma is PCI Compliant using the SAQ Type A, version 3.2 self-assessment with an Attestation of Compliance from CloudScan. Feel free to contact us for more details.
Security & Vulnerability Scans
Slemma annually has 3rd party companies perform security reviews, pen testing and vulnerability scans on our application. Slemma ensures that controls are in place against common attack patterns like SQL Injection, Clickjacking, formula injection, Cross-site Request Forgery, etc.
Slemma also uses static code analysis tools to detect possible issues in the code.
When sharing Dashboards with your users or customers, Slemma encourages users to set the option that requires authentication with the Slemma application ensuring that dashboards are not visible to the public.
Since we connect directly to your databases, we will never store any of your data. This means that each time you build or view a chart, Slemma runs a query that only pulls what is needed for that visualization. Slemma connects to your databases with read-only permission, this way your data isn’t vulnerable to change. The information in your database can not be altered from inside Slemma. You can choose to connect to a local database, using the reverse SSH tunnel, so your data resides behind a secure firewall and you never have to open a port. For databases that support SSL encrypted connections, Slemma will also accept an SSL certificate. To improve performance, we only cache the returned results of any query that is used to generate a chart. This cache is only temporary and the duration can be changed in settings.
Cloud Storage & 3rd Party Services
Slemma also connects to cloud storage and third-party services. When possible, Slemma accesses data from your services through the secure permission process of oAuth, which means that Slemma never has access to your cloud storage or 3rd party service credentials or even an API key. For most services, a secret API key that you obtain from the 3rd party service is used to access the 3rd party APIs to retrieve data. Slemma will not be able to access your data unless authorized and will only import the data selected by the user. You can revoke Slemma’s access at any time.
Slemma only enables 3rd party service APIs that are read-only, so no data in your 3rd party service can be changed from the Slemma application.
In the Cloud or on Premise
Slemma is a cloud service hosted on AWS with the above mentioned security policies and processes in place.
Some customers may prefer to have even greater control over their data, so Slemma offers a self-hosted or On Premise version of Slemma. This enables customers with even tighter controls the ability host Slemma behind their own firewall on their own network ensuring that their data never leaves their own network.
Here are some key things to know about installing a stand-alone instance:
- As the Slemma instance would be running behind your firewall, your company would have complete control over administrative access to the application.
- No Slemma employees would have access to your instance.
- Your Slemma instance does not access any information from slemma.com.
- You have full control over any/all updates to your instance. Enable new Slemma features according to a schedule that works for your company.