Security at Axya
Axya takes the security and privacy of customer data very seriously.
The platform is built with security as a prerequisite feature. We follow recommended best practices for secure web development, cloud infrastructure management and employee training. We are working towards SOC 2 compliance, in partnership with Drata, to demonstrate and independently verify our security controls.
The product combines security features such as role-based access control, strong authentication, data encryption and integrity protection. In addition, we make sure that the product is available at all times. Customers have full control over their data on the platform, including with whom it is shared and with what permissions.
Our product design is built on role-based access control to properly separate authorization to access information: buyers, sellers and admins each have strict, separate permission sets.
All data on our platform is encrypted, both at rest and in transit. Data at rest is encrypted with the industry-standard 256-bit Advanced Encryption Standard (AES-256), while data in transit is protected with SSL/TLS.
We ensure that the platform is available 24/7 to authorized users. We monitor the critical conditions that may lead to downtime and deliver alerts through multiple channels, so that corrective action can be taken before downtime occurs. We also use automation so that a complete new deployment can be stood up for worst-case scenarios.
We use reputable, secure AWS cloud services, and our cloud infrastructure is configured according to the security best practices recommended by AWS.
The cloud is accessed only by authorized and trained employees. We follow the principle of least privilege: employees are granted only the minimum permissions required to carry out their tasks. We use AWS services and data centers in the Canada region, across multiple availability zones.
Web application security
We use a defense-in-depth strategy to protect the cloud components that host our application and hold customer data. These layers include a web application firewall (WAF) with rules to detect and block DDoS attacks, XSS, SQL injection, HTTP flooding, scanners and probes, and known-malicious IP addresses; security groups that restrict access to critical ports; and scheduled server patching.
Disaster and Incident handling
Our technology was designed with disaster recovery in mind. We back up customer data in real time and all backups are encrypted. We also have systems in place to protect against accidental deletion of data and to ensure data integrity. We continuously monitor our cloud infrastructure using multiple tools, such as CloudWatch and Prometheus, and have set up multiple channels for delivering alerts so that remediation can begin quickly.
Our application is developed following the security best practices recommended for web application development. Our developers are trained in these practices and are kept up to date as new practices emerge. Initiatives such as application security reviews and vulnerability testing help ensure that the application remains bug-free and secure throughout our software development lifecycle.
Our application is developed using well-known, secure open-source frameworks that provide controls to mitigate risks such as SQL injection, XSS and CSRF, as listed by OWASP. We also have scheduled processes for finding and fixing application vulnerabilities.
Testing environments and QA
We use separate environments for testing and production. Before any new feature is deployed to production, it is thoroughly tested across multiple environments, and multiple rounds of QA are performed until it performs securely and satisfactorily.
At Axya we perform background checks on employees and ensure that all employees understand and practice good security hygiene.
All employees receive security training as part of the onboarding process and on a regular basis thereafter.
Policies and confidentiality
We have developed policies that govern the overall security of the company; these are reviewed and refined annually. All employees are bound by a confidentiality agreement.