Security and privacy at windsor.ai
Security is at the heart of what we do – helping our customers automate their data flows is done with the highest security standards.
Windsor.ai’s Security and Privacy teams establish policies and controls, monitor compliance with those controls, and prove our security and compliance to third-party auditors.
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
Security controls should be implemented and layered according to the principle of defense-in-depth.
Security controls should be applied consistently across all areas of the enterprise.
The implementation of controls should be iterative, continuously maturing across the dimensions of improved effectiveness, increased auditability, and decreased friction.
Data in transit
Vanta uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
Encryption keys are managed via Ansible Vault so no employee can gain access to sensitive data.
Malicious dependency scanning to prevent the introduction of malware into our software supply chain
Dynamic analysis (DAST) of running applications
Network vulnerability scanning on a periodic basis
External attack surface management (EASM) continuously running to discover new external-facing assets
Vanta provides comprehensive security training to all employees upon onboarding and annually through educational modules within Vanta’s own platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.
Vanta’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.