Security Architecture and Policy Overview

Keeping Our Users’ Data Private is an Essential Aspect of Our Business

Our security engineers at Spot by NetApp have invested an enormous amount of time and energy into establishing robust security practices. Our security strategy and architecture were designed in cooperation with the Amazon Web Services SaaS security team. With attention focused on the highest compliance regulations and following industry best practices, we provide robust security to all of our customers.


SOC2 CERTIFIED



DATA ENCRYPTION

Sensitive data is encrypted at every step:

  1. Spot never receives or transmits unencrypted account information. Spot first encrypts data within the browser, then re-encrypts that data with an even more secure algorithm (GPG RSA 3072-bit) once it reaches our servers.
  2. Only a specialized set of servers is able to read the encrypted blobs.
  3. Web traffic is limited to the strictest protocol. All web connections are sent via 256-bit DigiCert High Assurance EV CA-1 SSL.


STRICT SECURITY AND KEY MANAGEMENT PROCEDURES

Staff members do not have the ability to decrypt encrypted account data. Spot follows extensive best practices in order to keep customers’ sensitive information secure.

TEAMED WITH AWS, GOOGLE CLOUD, AND MICROSOFT AZURE

Spot is an official solution provider for Amazon Web Services. Find us in the AWS Partners Portal.

SECURE DATA CENTERS

Spot’s data is stored on Amazon Web Services data centers that have achieved ISO 27001 certification, PCI DSS Level 1 compliance, and SAS70 Type II.
Learn more about Amazon Web Services security.

STRICT SECURITY AND KEY MANAGEMENT PROCEDURES

Staff members do not have the ability to decrypt encrypted account data, and we use extensive best practices to keep your sensitive information secure. If you’d like more details about our approach to security, we’d be happy to arrange a call with a member of your team: contact us.


Authenticating and accessing our customers’ cloud accounts

3 STEP AUTHENTICATION PROCESS

Spot does not store any private keys, passwords, or authentication tokens. Authentication is based solely on an IAM Cross Account Role and an External ID.
Figure 1 shows the process of forwarding a user request from the Spot SaaS platform to the customer’s AWS account.

  1. First, the customer authenticates with a secured website. All communication outside of our website is sent via a 256-bit DigiCert High Assurance EV CA-1 SSL certificate.
  2. Next, when the request reaches the Spot servers, the API service communicates with the customer’s account via API SDK calls, using the IAM Cross Account Role and a UUID External ID.
  3. All calls within the customer’s account are secured via the IAM Cross Account Role and UUID External ID. This means that only Spot’s designated AWS account IDs can assume this specific IAM Role, and only when presenting the External ID that Spot generated for the customer upon registration.
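The two gates in step 3 (the caller's AWS account must be a listed principal, and the `sts:ExternalId` it presents must match the value issued at registration) live in the trust policy of the customer's IAM role. The following is an added example, not Spot's own code: it builds such a trust policy document, evaluates a simplified model of how IAM checks an AssumeRole call against it, and flags the two weaknesses a reviewer would look for (a missing External ID condition, or a wildcard principal). The account IDs and External ID are constructed placeholders.

```python
"""Model of an IAM cross-account role trust policy with an External ID
condition. Added example, not Spot's code; all IDs below are constructed."""
import json

# Constructed placeholders, not real Spot or customer account IDs.
SAAS_ACCOUNT_IDS = ["111111111111"]
CUSTOMER_EXTERNAL_ID = "6f1c2a9e-3b7d-4e8a-9c2f-0d5b7e1a4c3f"  # UUID issued at registration


def _as_list(value):
    """IAM allows scalar-or-list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(saas_account_ids, external_id):
    """Trust policy allowing only the listed accounts to assume the role,
    and only when the AssumeRole call carries the expected External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [f"arn:aws:iam::{acct}:root" for acct in saas_account_ids]
                },
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def evaluate_assume_role(policy, caller_account, external_id=None):
    """Simplified evaluation of one AssumeRole call against the trust policy.
    Returns True only if some Allow statement lists the caller's account as a
    principal AND its sts:ExternalId condition (if any) matches the value the
    caller supplied. A condition with no supplied External ID fails, as in IAM."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        allowed_accounts = {arn.split(":")[4] for arn in principals if arn != "*"}
        if "*" not in principals and caller_account not in allowed_accounts:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


def trust_policy_findings(policy):
    """Defender's check: list the review findings for a cross-account trust policy."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if "*" in principals:
            findings.append(f"statement {i}: wildcard principal allows any AWS account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(SAAS_ACCOUNT_IDS, CUSTOMER_EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("good call:", evaluate_assume_role(policy, "111111111111", CUSTOMER_EXTERNAL_ID))
    print("wrong account:", evaluate_assume_role(policy, "222222222222", CUSTOMER_EXTERNAL_ID))
    print("no external id:", evaluate_assume_role(policy, "111111111111"))
    print("findings:", trust_policy_findings(policy))
```

The External ID matters because the SaaS account is a shared principal: without the condition, any customer of the provider who learned the role ARN of another customer could ask the provider to act on that role. The `trust_policy_findings` check is the kind of lint a customer can run over the trust policy they are asked to deploy before accepting it.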


Security diagram for Spot access to customer account