Security at APOLLO
Security is a top priority at APOLLO and we live it in our day-to-day activities. Our Senior Management team is accountable for security and ensures that security capabilities and competence exist in all levels of our business. As a whole, we follow a holistic and collaborative approach to guarantee the confidentiality, availability, and integrity of your data. On this page, you can read about the various policies and security measures taken by APOLLO to secure user content and data hosted on our platform from unauthorized access.
How we protect your content
Our infrastructure runs purely on Amazon Web Services (AWS), which delivers infrastructure as a service with prime security capabilities.
SOC 2 Type 2 compliant data centers
The data centers used for storing your content and allowing it to be delivered to your users are also certified for compliance with the SOC 2 Type 2 standard.
Data storage and encryption at rest
Your data is encrypted at rest in AWS S3 buckets, AWS DynamoDB and block devices used by AWS EC2 instances. AES256 encryption is used by default via AWS’ encryption services, while key management is handled by AWS KMS. This ensures the content is preserved and safe from prying eyes and manipulation.
Encryption in transit
All communication between you, your services and APOLLO, that includes your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.2. In addition, data is also encrypted during transit between APOLLO and our Content Delivery Networks (CDNs). This encryption during communication ensures information cannot be read or manipulated by unauthorized third parties.
Annual penetration tests
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerability found are fixed based our specifications in an internal SLA.
All our data, including S3 buckets and database point-in-time backups, is replicated between multiple regions thanks to the use of AWS. Backup data is encrypted at rest using AES-256 encryption with keys provided by AWS KMS.
Access to data
Access to your data is restricted via roles and permissions. All actions are recorded, audited and monitored.
We do not have data centers. Physical security to our servers and to your data is managed by AWS security certifications. Physical security at our offices is also governed by FOB access control.
Networking in the cloud is very different from the standard data center. All communications to and from our servers are controlled by tight security groups, an AWS security feature for stateful firewalling.
Web Application Firewall
Applications available on the internet are constantly under threat of attacks. One of the protections implemented to protect our application endpoints is a Web Application Firewall.
Provided by AWS GuardDuty, we monitor and respond to threats when they happen. We detect inbound and outbound connections from and to known malicious IP addresses, unusual or unauthorized activities in our AWS accounts and much more. We deploy DataDome to monitor and respond to various malicious attacks, such as DDos. We employ a 3rd party 24/7 SOC for threat investigation and remediation.
To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Protection. We also constantly monitor our SSL configuration rating, where we target to a minimum of an A grade for all our general domains and an A+ for all domains under our full control.
Data retention policy
Your data lives in our servers for as long as you need them. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement. All application logs are live for a minimum of 365 days.
Brute force protection
To prevent your account to be compromised by brute forcing our web application and APIs, we use DataDome, an industry leader in Bot and Fraud detection.
Monitoring and reporting
Cloud Trails are turned for all environments that can be quickly followed in security audits.
Two-factor authentication (2FA)
Users can protect their APOLLO data through two-factor authentication via email.
How we keep our service reliable
Our infrastructure runs in Amazon Web Services, using serverless or managed services. AWS is an industry leader and its industry leading platform is minimizing disruptions caused by any failure and keeping your content constantly available and secure.
Distributed denial of service (DDOS) protection
Our APIs and web application are protected in multiple ways against denial of service attacks. AWS provides volumetric denial of service protection through AWS Shield and high availability services. Our security CDN performs application-layer denial of service protection alongside web application firewall protection.
Disaster recovery and business continuity
APOLLO utilizes database replication architectures to ensure redundancy and uptime. S3 buckets are all versioned. With point-in-time recovery, we can restore that table to any point in time during the last 35 days. Each key service layer has redundant components, such as multiple servers that provide the same service and content, to ensure any failures do not impact the rest of the system. Data centers are also equipped with controls to enforce physical security and protection against environmental hazards
How we keep our code secure
All vulnerabilities are managed internally and each vulnerability gets a severity assigned. We have an internal SLA that stipulates deadlines for fixing vulnerabilities, while progress is tracked by tools and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.
Code peer review
Our development process is based on BitBucket’s pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle. Our developers and engineers are also heavy practitioners of pair programming, which lets them detect bugs and vulnerabilities more effectively before code makes it into the final product.
Automatic static code analysis
When code is committed to BitBucket, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies. Dependency management is performed locally per repository and via SonaCloud as part of the automated deployment pipeline, where all dependencies are tagged by version and downloaded from reputable sources over encrypted HTTPS.
Quality Assurance (QA)
Once the code is ready to be tested, it is deployed to our testing environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different AWS account that is configured with different domain names to ensure complete separation from production.
Security is part of the Product organization and influences the product roadmap and specific features. We implement the philosophy of “security by design” where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.
How we secure our business
Security monitoring and Incident Management
APOLLO continually looks out for any indicators that could potentially lead to incidents. To supplement this, any event-alerting tools we use also escalate into OpsGenie rotations to APOLLO’s engineering team 24x7. We also maintain an incident response plan that details ways to address an incident, including the processes of notification, escalation, managing and reporting as a result of an incident.
Security awareness program
All APOLLO employees and contracted third-parties are required to comply with APOLLO policies relevant to their scope of work, including security and data privacy policies. Our standard work contract includes confidentiality clauses. APOLLO ensures its employees undergo regular security and privacy training.
Credit card/payment security
APOLLO uses Stripe to process credit card payments, which means that no credit card information or related payment information is stored on our servers. Stripe enforces stringent PCI DSS (Payment Card Industry) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way and is also SOC 2 Type 2 certified.
In addition to privacy and safety measures, Stripe employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.
Password managers and policy
To ensure an acceptable level of password security, we have an existing password policy in place. Passwords that are too generic are not allowed while the use of unique passwords per website is strongly advised. We also encourage the use of password managers, that help make it easier and safer for you to keep track of your credentials.
Vendor security management
Every technology, SaaS or tool is assessed to ensure a good understanding of the risks involved. Confidentiality and non-disclosure agreements are required when sharing any sort of confidential information, that could be sensitive, proprietary and/or personal in nature, between APOLLO and an external third-party. Any third-party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments based on their level of access and handling of information.
The use of multi-factor authentication (MFA) is enforced throughout the main services APOLLO relies on. The use of MFA provides an additional measure for verifying a user’s claimed identity over the use of just a password. Currently, the minimum requirement for our MFA implementation is the use of a password combined with an access token (for instance, a code provided by Duo Mobile). MFA is also mandatorily enforced for AWS and BitBucket access.
How you can protect your data
While all activities relevant to content and data traversing the Internet are conducted with HTTPS enforced on APOLLO’s side, we absolutely recommend that customers and users also enforce HTTPS so that content and data integrity is maintained and free from manipulation as it is served from our service to your users’ machines. The use of HTTPS websites also safeguards your important data and credentials away from the view of unauthorized third-parties.
Secure password for signing up with APOLLO
In order to sign up with APOLLO, it is required to create a secure password that is a minimum of 8 characters and has a combination of alphabets, numbers, and special characters such as ‘@,!.#._’ and so on.
In case of a security incident
Incidents can happen to anyone — we are ready for such an event when it happens. We manage security incidents via a documented process, which includes notification of and cooperation with customers, data protection authorities, and law enforcement. APOLLO will notify affected customers without undue delay following incident detection, where we share a preliminary assessment of the incident and are open to cooperation.