SECURITY AND TRUST

Security 2017-09-26T18:06:14+00:00

Slemma understands that the confidentiality and integrity of our customers’ information is vital to their business operations. It’s important to our customer that they feel confident that their company’s competitive data is secure and can not be accessed by anyone else. This is why the security of our client’s information is our top priority. We use a multi-layered approach to protect valuable information that comes through Slemma.

A Data Center We Trust

The Slemma.com application is hosted on the Amazon Web Services platform, the undisputed market leader in cloud computing. AWS is protected by industry-standard security measures ensuring that all hardware and networks meet strict controls. You can read more about Amazon Web Services here. Stringent security and firewall policies are applied in the Slemma AWS setup to ensure that all Slemma AWS resources are well protected.

Slemma maintains strict access control policies for the Slemma administrators who need to maintain the Slemma application on the AWS servers.

Data Encryption

Connections to the Slemma application site are encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_256_GCM), ensuring that all of your data is secure in transit to and from Slemma.
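The following is an added example, not Slemma's configuration, showing how a client would pin a TLS context to the parameters named above (TLS 1.2 as the floor, ECDHE-RSA key exchange on P-256, AES-256-GCM) and audit which TLS 1.2 suites remain enabled. The OpenSSL suite name `ECDHE-RSA-AES256-GCM-SHA384` and the curve name `prime256v1` are assumed mappings of those parameters.

```python
import ssl

# Added example: client-side TLS policy matching the parameters the page names.
# Not Slemma's own configuration; the suite and curve names are assumed mappings.
PINNED_SUITE = "ECDHE-RSA-AES256-GCM-SHA384"  # ECDHE_RSA + AES_256_GCM in OpenSSL naming
PINNED_CURVE = "prime256v1"                   # OpenSSL name for NIST P-256


def make_tls_context() -> ssl.SSLContext:
    """Build a verifying client context restricted to the pinned TLS 1.2 policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restrict TLS 1.2 cipher suites to the single forward-secret AEAD suite.
    # TLS 1.3 suites are managed separately by OpenSSL and stay enabled.
    ctx.set_ciphers(PINNED_SUITE)
    if ssl.HAS_ECDH:
        ctx.set_ecdh_curve(PINNED_CURVE)
    # Always authenticate the server: hostname check plus chain validation.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    return ctx


def tls12_suites_outside_policy(ctx: ssl.SSLContext) -> list:
    """Names of enabled TLS 1.2 suites that are not the pinned suite.

    An empty list means the context cannot negotiate a weaker TLS 1.2 suite.
    """
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] == "TLSv1.2" and c["name"] != PINNED_SUITE
    ]


def enabled_suite_names(ctx: ssl.SSLContext) -> list:
    """All cipher suite names the context may negotiate (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    policy = make_tls_context()
    print("pinned context, TLS 1.2 suites outside policy:",
          tls12_suites_outside_policy(policy))
    print("default context, TLS 1.2 suites outside policy:",
          len(tls12_suites_outside_policy(ssl.create_default_context())))
```

Comparing the pinned context against `ssl.create_default_context()` shows the difference in practice: the default context still offers a long list of TLS 1.2 suites, while the pinned one offers exactly the suite the page describes.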

Policies

Slemma has privacy and security-conscious policies that apply to all of our information handling practices. Learn more

Access & User Management

To access the Slemma application, users must use a unique user ID and password combination. Passwords must meet strong password policies and are encrypted in storage so they are never visible to anyone. Too many incorrect login attempts can result in the user's account being locked to protect against brute-force guessing attacks.
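As an added illustration of the two controls described above (passwords never stored in a recoverable form, and a lockout after repeated failures), here is a small self-contained login routine. It is not Slemma's code; the work factor, the failure threshold, the lockout duration and the minimum password length are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Added example, not Slemma's implementation. All three constants are assumptions.
PBKDF2_ITERATIONS = 210_000  # PBKDF2-HMAC-SHA256 work factor
MAX_FAILURES = 5             # failed attempts before the account locks
LOCKOUT_SECONDS = 900        # how long a lock lasts
MIN_PASSWORD_LENGTH = 12     # simple stand-in for a "strong password policy"


@dataclass
class UserRecord:
    salt: bytes          # per-user random salt
    pw_hash: bytes       # one-way hash; the password itself is never stored
    failures: int = 0
    locked_until: float = 0.0


def meets_policy(password: str) -> bool:
    """Minimal policy: length only; real policies would add more checks."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(password: str) -> UserRecord:
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    return UserRecord(salt=salt, pw_hash=hash_password(password, salt))


def login(user: UserRecord, password: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'bad_password' or 'locked'. `now` is injectable for testing."""
    now = time.time() if now is None else now
    if now < user.locked_until:
        # Reject without hashing: a locked account does not consume work factor.
        return "locked"
    candidate = hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.pw_hash):  # constant-time comparison
        user.failures = 0
        return "ok"
    user.failures += 1
    if user.failures >= MAX_FAILURES:
        user.failures = 0
        user.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "bad_password"
```

The stored record holds only a salt and a derived hash, so even a full database read does not reveal the password. The lockout is time-based and checked before any hashing, so repeated guesses against a locked account cost the server nothing.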

Within the application, Slemma has several levels of user roles and permissions. These control the creation, editing, viewing, and sharing of resources, so that account owners can limit what users within their Slemma account may access. You can read more about our permission levels here.

Only Admin users can manage the creation and deletion of users and the billing information.

Payment Processing

All payment-related services are provided by Stripe, which is widely regarded as one of the most reliable payment processors in the industry. Slemma does not have access to any of your sensitive payment information.

Slemma is PCI Compliant using the SAQ Type A, version 3.2 self-assessment with an Attestation of Compliance from CloudScan. Feel free to contact us for more details.


Security & Vulnerability Scans

Slemma annually has third-party companies perform security reviews, penetration testing and vulnerability scans on our application. Slemma ensures that controls are in place against common attack patterns such as SQL injection, clickjacking, formula injection, cross-site request forgery, etc.

Slemma also uses static code analysis tools to detect possible issues in the code.

DATA ACCESS

Dashboards

When sharing dashboards with your users or customers, Slemma encourages you to enable the option that requires authentication with the Slemma application, ensuring that dashboards are not visible to the public.

Databases

Since we connect directly to your databases, we never store any of your data. This means that each time you build or view a chart, Slemma runs a query that pulls only what is needed for that visualization. Slemma connects to your databases with read-only permission, so your data is not vulnerable to change: the information in your database cannot be altered from inside Slemma. You can choose to connect to a local database using a reverse SSH tunnel, so your data stays behind a secure firewall and you never have to open a port. For databases that support SSL-encrypted connections, Slemma will also accept an SSL certificate. To improve performance, we cache only the returned results of any query used to generate a chart. This cache is temporary, and its duration can be changed in settings.
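To make the two properties in this paragraph concrete (a connection that the database engine itself prevents from writing, and a short-lived cache of chart query results), here is an added example using SQLite. It is not Slemma's code: SQLite's `mode=ro` URI stands in for a read-only database role on a server RDBMS, the `sales` table and its rows are constructed sample data, and the cache TTL is an assumed value.

```python
import os
import sqlite3
import tempfile
import time
from typing import Any, Dict, Optional, Tuple

# Added example, not Slemma's implementation. Sample data and TTL are constructed.


def make_sample_db() -> str:
    """Create a throwaway SQLite file with constructed sample rows; return its path."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sales (region TEXT, amount REAL)")
    con.executemany("INSERT INTO sales VALUES (?, ?)",
                    [("east", 120.0), ("west", 80.0), ("east", 30.0)])
    con.commit()
    con.close()
    return path


def open_read_only(path: str) -> sqlite3.Connection:
    """Open the database so the engine, not the application, refuses writes."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def write_is_refused(con: sqlite3.Connection) -> bool:
    """True if an attempted INSERT is rejected by the read-only connection."""
    try:
        con.execute("INSERT INTO sales VALUES ('north', 1.0)")
        con.commit()
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True


class ResultCache:
    """Cache of query results keyed by (sql, params) with a fixed time-to-live."""

    def __init__(self, ttl_seconds: float) -> None:
        self.ttl = ttl_seconds
        self._entries: Dict[Tuple[str, tuple], Tuple[float, Any]] = {}

    def get(self, key: Tuple[str, tuple], now: float) -> Optional[Any]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        stored_at, rows = entry
        if now - stored_at >= self.ttl:
            del self._entries[key]  # expired: drop it and report a miss
            return None
        return rows

    def put(self, key: Tuple[str, tuple], rows: Any, now: float) -> None:
        self._entries[key] = (now, rows)


def chart_query(con: sqlite3.Connection, cache: ResultCache, sql: str,
                params: tuple = (), now: Optional[float] = None) -> Tuple[list, bool]:
    """Run a chart query through the cache; return (rows, served_from_cache)."""
    now = time.time() if now is None else now
    key = (sql, params)
    cached = cache.get(key, now)
    if cached is not None:
        return cached, True
    rows = con.execute(sql, params).fetchall()
    cache.put(key, rows, now)
    return rows, False


if __name__ == "__main__":
    db = make_sample_db()
    ro = open_read_only(db)
    print("write refused:", write_is_refused(ro))
    cache = ResultCache(ttl_seconds=60)
    q = "SELECT region, SUM(amount) FROM sales GROUP BY region ORDER BY region"
    print(chart_query(ro, cache, q, now=0.0))
    print(chart_query(ro, cache, q, now=30.0))
    ro.close()
    os.remove(db)
```

Only the aggregated rows for the chart are held in the cache, never the underlying table, and an entry older than the TTL is discarded on the next lookup rather than served stale.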

Cloud Storage & 3rd Party Services

Slemma also connects to cloud storage and third-party services. When possible, Slemma accesses data from your services through the secure permission process of OAuth, which means that Slemma never has access to your cloud storage or third-party service credentials, or even an API key. For most services, a secret API key that you obtain from the third-party service is used to access its APIs to retrieve data. Slemma will not be able to access your data unless authorized, and will only import the data selected by the user. You can revoke Slemma's access at any time.

Slemma only enables third-party service APIs that are read-only, so no data in your third-party service can be changed from the Slemma application.

In the Cloud or on Premise

Slemma is a cloud service hosted on AWS with the above-mentioned security policies and processes in place.

Some customers may prefer to have even greater control over their data, so Slemma offers a self-hosted or on-premise version of Slemma. This gives customers with even tighter controls the ability to host Slemma behind their own firewall on their own network, ensuring that their data never leaves their network.

Here are some key things to know about installing a stand-alone instance:

  • As the Slemma instance would be running behind your firewall, your company would have complete control over administrative access to the application.
  • No Slemma employees would have access to your instance.
  • Your Slemma instance does not access any information from slemma.com.
  • You have full control over any/all updates to your instance. Enable new Slemma features according to a schedule that works for your company.

CONTACT US FOR HIGHER SECURITY FEATURES

Drop us a line at welcome@slemma.com if you would like Slemma to be installed on your servers or a private cloud.

Have a question about Slemma security?
Email us at help@slemma.com