Aimably's approach to application and data security adheres to two core principles: data minimalism and industry-normative policies.
Data minimalism, as it pertains to Aimably, is the practice of accessing, collecting and storing only the information required to perform the duties of our software and services. This practice is intended to reduce the impact of any security breach, due to the limited nature of the data available during a breach.
Industry-normative policies, as they pertain to Aimably, are the practice of following the already-high standards established by the software-as-a-service industry through legal and normative processes. This practice is intended to give our customers the peace of mind that security breaches are as unlikely to occur with Aimably as with any other business software already in use.
Below, we will describe all our policies in detail.
Data Minimalism Policy
Aimably's operational philosophy is to limit the number of personal data points collected through the regular use of Aimably. At this time, the following personally identifiable data points are collected:
- Full Name
- Aimably Password
- Company Name
- Company Email Address
- Company Address
- Company Phone Number
- Company AWS Account Identifier(s)
- Company AWS Role Name Created for Aimably Access
- Company AWS Resource Names
- Company AWS Resource IDs
The following high-risk personally identifiable information is never tracked or recorded in any of Aimably's internal systems, but is used for data processing by separately hosted third-party applications. This personal data is captured only by the third-party application(s), which are independently subject to PCI attestation and auditing:
- Credit Card Number (Stripe)
The following high-risk personally identifiable information will never be collected or used by Aimably software, Aimably employees or Aimably-affiliated third-party applications:
- Social Security Number
- Bank Account Information
- Company AWS Individual Login Credentials
System and Organization Controls (SOC) Policy
In order to assure our customers and prospects of the effectiveness of our security policies and procedures, we annually request an independent audit of our company's operations following the AICPA SOC2 standard. We are proud of our results and are happy to share them with our clients. A copy of our SOC2 report is available upon request via the Help Center.
California Consumer Privacy Act (CCPA) Policy
In compliance with the CCPA, Aimably offers users the following privacy rights:
- The right to know about personal information we collect about the user, and how it is used and shared
- The right to delete personal information*
- The right to non-discrimination for exercising CCPA rights
At this time, Aimably does not sell consumers’ personal information. In the event that Aimably adjusts this practice, the option to opt out of sale of personal information will be provided.
In order to exercise your rights under the CCPA, please submit a request at the Aimably Contact Us page.
*In compliance with CCPA, Aimably may reject a request to delete personal information whenever that information is required to maintain an ongoing business contract with the user’s employer.
EU General Data Protection Regulation (GDPR) Policy
In compliance with the GDPR, Aimably offers users the following privacy rights:
- The right to be informed of systems and procedures used by Aimably for processing and maintaining control over user data in the service. This is provided in the Data Processing Addendum.
- The right to delete personal information*
- The right to restrict the use of personal data*
- The right to move one’s data from Aimably to another service
In order to exercise your rights under the GDPR, please submit a request at the Aimably Contact Us page.
*In compliance with GDPR, Aimably may reject a request to delete personal information whenever that information is required to maintain an ongoing business contract with the user’s employer.
Aimably shall, to the extent legally permitted, promptly notify Customer if Aimably receives a request from a Data Subject to exercise the Data Subject’s rights of access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, or objection to the Processing (each a “Data Subject Request”) without itself responding to such request. Taking into account the nature of the Processing, Aimably shall reasonably cooperate with Customer and Controllers in dealing with Data Subject Requests by appropriate technical and organizational measures, in so far as this is possible.
Aimably maintains an information security policy that is approved annually by management and published and communicated to all Aimably employees and relevant third parties. Aimably maintains a dedicated security function on behalf of all affiliated companies to design, maintain, and operate security within the organization. This function focuses on developing policy and procedures for system integrity, risk acceptance, risk analysis and assessment, risk evaluation, risk management and treatment, and statements of applicability.
Other information security policies and statements, many of which are summarized below, include:
- Acceptable Use
- Data Handling
- Cryptography and Encryption
- Equipment Disposal
- Third-Party/Vendor Risk
- Physical Security
- Incident Response
- Disaster Recovery & Business Continuity
- Access Management
- Secure Application Development
- Infrastructure Hardening
Aimably maintains appropriate systems security for the Aimably Service in accordance with commercially reasonable industry standards and practices designed to protect Customer Data from theft, unauthorized disclosure, and unauthorized access. Such systems security includes, among other things, the following practices and procedures with respect to the Service:
Aimably maintains appropriate practices designed to protect Customer Data in the Aimably Service from system and application vulnerabilities, including:
- Interactive Application Security Testing: Aimably performs application vulnerability scanning on the Aimably Service on a continuous basis.
- Malware Scanning: Aimably performs anti-Malware scanning on externally accessible servers utilized in performing the Aimably Service.
- Patch Management: The hosting provider for the Aimably Service follows a documented patch management process and toolset to keep all servers up to date with appropriate security and feature patches.
- Documented Remediation Process: Aimably uses a documented remediation process designed to address all identified threats and vulnerabilities with respect to the Aimably Service in a timely manner.
- Secure Coding Practices: Aimably uses secure coding practices as well as automated software testing as part of our deployment and quality assurance program.
The networks, databases, software, and computer systems Aimably employs in performing the Aimably Service are protected by a user name and password system that requires strong passwords meeting industry guidance for strong password construction and maintenance. Where appropriate, commands requiring additional privileges are securely logged (with time and date) to enable a complete audit trail of activities. Aimably promptly terminates all credentials and access to privileged user accounts of an Aimably employee upon termination of his or her employment.
Physical and Environmental Security
The hosting provider for the Aimably Service limits access to the relevant hosting facilities to employees and employee-accompanied visitors using commercially reasonable Internet-industry standard physical security methods. At a minimum, such methods include visitor sign-ins, restricted access key cards or locks for employees, limited access to server rooms and archival backups, and burglar/intrusion alarm systems. Access to all data centers requires multi-factor authentication which is limited to authorized personnel reviewed on a monthly basis.
Security Incident Management
Aimably maintains security incident management policies and procedures, including detailed security incident escalation procedures. Aimably will notify Customer within seventy-two (72) hours of its discovery of a security breach of the Aimably Service that results in the unauthorized disclosure of Customer Data (“Security Breach”). In the event of a Security Breach, Aimably will promptly perform an investigation, take appropriate remedial measures, and provide the Customer with the name of a single security representative who can be reached with security questions or security concerns twenty-four (24) hours per day, seven (7) days per week, for the duration of its investigation.
Aimably maintains a disaster recovery plan for its various hosting locations from which Aimably services are performed. Aimably will provide Customer with a copy of its then-current disaster recovery plan promptly following Customer’s written request for same. Aimably will notify Customer of the occurrence of any disaster where the disaster recovery plan is invoked. If Aimably’s disaster recovery plan is invoked, Aimably will (a) execute such plan and restore the Aimably Service to the Service Availability service level described in the Customer Agreement in accordance with the requirements of such plan, but no more than one (1) day after invoking such plan, subject to hardware availability, and (b) treat Customer with at least equal priority as any other customer of the Aimably Service.
Aimably maintains a business continuity plan that is tested on an annual basis to assist in reacting to a disaster in a planned and tested manner. Aimably will provide a copy of its then-current business continuity plan promptly following Customer’s written request for same.
Contingency plans have been developed and implemented to ensure that business processes can be restored within identified timeframes. These plans are maintained and practiced so that they become an integral part of all other management processes.