Data at rest
Along with cloud storage buckets, every datastore that contains client data is secured at rest. Sensitive collections and tables also use row-level encryption. Consequently, neither physical nor logical access to the database is sufficient to read the most sensitive data, because that data is encrypted before it reaches the database.
Data in transit
Every time data is transmitted to our services, adam.ai employs TLS 1.2 or a later version. To increase the security of our data while it is in transit, we additionally use features like HSTS (HTTP Strict Transport Security). Cloudflare manages the server TLS keys and certificates, and they are distributed using application load balancers.
Application secrets are securely encrypted and kept in a key vault service, with only authorized users having access to these values. We also keep detailed audit logs that track who accessed which secrets and when, both for compliance purposes and for detecting unusual or unauthorized activity.
A skilled security team at adam.ai frequently performs penetration testing for both minor and significant changes. These audits include every aspect of the adam.ai products, including web applications, mobile applications, and cloud infrastructure, and security engineers have full access to the source code to find security flaws in order to maximize efficacy and coverage.
At crucial points in our Secure Development Lifecycle (SDLC), adam.ai requires vulnerability scanning:
- Static analysis of code (SAST) is carried out continuously and during pull requests.
- To find known vulnerabilities in our software supply chain, we use software composition analysis (SCA).
- Periodic network vulnerability scanning.
All business devices have mobile device management (MDM) software and anti-malware protection installed. We use the MDM software to enforce secure endpoint configuration, including password manager, disk encryption, screen lock configuration, and software upgrades.
Secure remote access
adam.ai protects remote access to internal resources with sophisticated identity-aware-proxy technology, an access tool used by the development team for SSH, Kubernetes, databases, internal web applications, and Windows. We avoid phishing by relying on biometrics and machine identification, and the proxy's zero-trust design prevents attacker pivots.
- adam.ai provides comprehensive security training to all employees upon onboarding and annually through educational modules within the Vanta platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles.
- adam.ai’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.
Identity and access management
- adam.ai secures its identity and access management with Azure AD. We mandate the use of phishing-resistant authentication factors, and where feasible, we employ SSO.
- Customer data is only accessible to authorized workers who need it for operational and maintenance purposes.
- Employees at adam.ai are allowed access to applications based on their function and are automatically deprovisioned upon cessation of employment. Additional access must be granted in accordance with the policies established for each application.
adam.ai approaches vendor security from a risk-based perspective. A vendor's inherent risk rating is influenced by the following factors:
- Access to customer and corporate data
- Integration with production environments
- Potential harm to the adam.ai brand
Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.
Failover and disaster recovery
Our whole production infrastructure is structured with redundancies in highly available configurations dispersed across various availability zones. To retrieve crucial data, an auto-backup policy is in place.
Inventory and configuration
Terraform is used to keep infrastructure as code, with modifications happening through a procedure very similar to the application-level software development process. We employ distinct infrastructure for development, staging, and live environments, with no data sharing between them.
Monitoring and logging
- We thoroughly monitor infrastructure and application performance, which helps us spot problems before many clients do. Automated alerts with on-call schedules are set up, with escalation to all other members of the DevOps team.
- Our security team uses security monitoring to detect and respond to application attacks, anomalies, and suspicious activity.