Data Security and Privacy

Axya takes the security and privacy of customer data very seriously.

The platform is built with security treated as a prerequisite feature. We follow recommended best practices for secure web development, cloud infrastructure management and employee training.

We are proud to announce that Axya has successfully completed a SOC 2 Type 1 audit and has received a clean attestation report.

This rigorous, independent assessment of the information security practices, policies, procedures and operations we have in place validates our dedication and adherence to the SOC 2 standards for security.

Learn more about SOC 2 in this blog article.

Product Security

The product combines security features such as role-based access control, strong authentication, data encryption and integrity protection. In addition, we make sure that the product is available at all times. Customers have full control over their data on the platform, including with whom it is shared and with what permissions.

Access control

Our product design is built on role-based access control to properly separate authorization to access information: buyers, sellers and admins each have strict, separate permissions.

Confidentiality

All data on our platform is encrypted, both at rest and in transit. Data at rest is encrypted with the industry-standard 256-bit Advanced Encryption Standard (AES-256), while data in transit is protected by SSL/TLS.

Availability

We ensure that the platform is available 24/7 to authorized persons. We monitor all the crucial aspects that may lead to downtime and have set up multiple channels through which alerts are delivered, so that proper action is taken to avoid downtime. We also use automation so that a completely new deployment can be carried out in worst-case scenarios.


Cloud Security

We use reputable and secure AWS cloud services. Our cloud infrastructure is configured according to the security best practices recommended by AWS.

Access permission

Our cloud environment is accessed only by authorized and trained employees. We follow the principle of least privilege: employees are granted only the minimum permissions required to carry out their tasks. We use AWS services and data centers located in the Canada region, spread across multiple availability zones.

Web application security

We use a defense-in-depth strategy to protect the cloud components that host our application and hold customer data. The defense layers include a web application firewall (WAF) with rules for detecting and preventing DDoS, XSS, SQL injection and HTTP flooding, blocking scanners and probes, and blocklisting malicious IP addresses; security groups that restrict access to critical ports; and scheduled server patching.

Disaster and Incident handling

Our technology was designed with disaster recovery in mind. We back up customer data in real time, and all backups are encrypted. We also have a system in place to protect against accidental deletion of data and to ensure data integrity. We continuously monitor our cloud infrastructure using multiple tools, such as CloudWatch and Prometheus, and have set up multiple channels to communicate alerts so that remediation actions are taken quickly.

Application Security

Our application is developed following the security best practices recommended for web application development. Our developers are trained in these practices and are regularly made aware of new ones. We have initiatives such as application security reviews and vulnerability testing to ensure that the application remains bug-free and secure throughout our software development lifecycle.

Secure development

Our application is developed using well-known, secure open-source frameworks that provide controls to mitigate risks such as SQLi, XSS and CSRF as listed by OWASP. We also have scheduled processes for finding and fixing application vulnerabilities.

Testing environments and QA

We use separate environments for testing and production. Before any new feature is deployed to production, it is thoroughly tested across multiple environments, and multiple rounds of QA testing are performed until satisfactory, secure performance is achieved.


HR Security

At Axya we perform employee background checks and ensure that all employees understand and practice good security hygiene.

Training

All employees receive security training as part of the onboarding process and are also trained on a regular basis.

Policies and confidentiality

We have developed policies that govern the overall security of the company; these are reviewed and refined annually. All employees are bound by a confidentiality agreement.

Contact Us

If you have any questions regarding our platform security, or if you suspect you have found a vulnerability in our application, please contact us at security@axya.co.