Security Matters to Us
Security is one of our biggest priorities here at Vectara. On this page we have provided information about the security of your data, our general security practices, and how you can reach a member of the security team if you have questions that haven’t been answered below.
The Vectara platform safeguards customer data using a variety of controls:
- Vectara application data is secured in transit using TLS, and encrypted at rest in Vectara’s storage tiers.
- The Vectara application logically separates user data, and access to your data is protected by strong authentication and authorization controls.
- Vectara audits changes to the application throughout the development lifecycle: architecture reviews are performed as well as consistent code review processes.
- Vectara monitors application servers, infrastructure, and the Vectara network environment to detect potential abuse.
- Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
- Additionally, our cloud service provider Amazon Web Services (AWS) regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP and many others.
Key Security Features
We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data. We make HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free for every customer. Our HTTPS implementation uses industry standard algorithms and certificates. We store user passwords using well-validated technical approaches and policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and configuration options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access
Public product APIs may be accessed using an API key or through other secure access methods.
Role-based access control
Vectara allows you to assign role-specific access and permission to user entities in Vectara products.
We use strong encryption standards to protect your data, both when it’s in transit and within the Vectara network, as well as when it is at rest within the Vectara cloud.
System monitoring and key activities related to billing, security, access and account management are securely logged.
We contract our digital hardware to cloud vendors that adhere to the applicable data regulations and compliances. Our infrastructure runs on data centers provided by Amazon Web Services (AWS), which is SOC2 and PCI Level 1 certified among others. AWS has a number of security and privacy focused features that we leverage wherever applicable.
The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Our infrastructure runs on stable, regularly patched, versions of operating system images with carefully configured security groups, isolated VPC environments with well-defined network segmentation, role-based access control, and advanced web application firewall protection.
All customer data is stored in securely configured data storage tiers. All customer data is encrypted at the server-side before and during storage. Optionally, client managed encryption keys are supported. Data can be stored with at least dual redundancy and with regular backups. Different Vectara plans have different security features, which are outlined on the Vectara pricing page. We maintain all internal testing and validation data in a production-stack equivalent internal stack. Vectara does not distribute actual customer data for internal testing or validation purposes.
Physical and Environmental Security
We rely on Amazon Web Services (AWS) to manage the physical and environmental security of our data centers. Our internal security program covers physical security at our offices.
For more details, please review AWS control and security measures.
Our security team sets architectural guidelines, conducts code reviews, and reviews deployment of software systems that can interface with customer data. Our developers are trained with specific attention toward security. Our code review processes look for any code that could potentially violate security policies.
We process all payments using Stripe, which has been certified as a PCI Level 1 Service Provider.
Vectara hosts our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements and privacy policies in order to protect data processed or stored by these vendors.
In addition to our regular security reviews, we partner with trusted third-party security companies to perform annual penetration tests across our product ecosystem.
Preventing Unauthorized Product Use
In addition to the elastic scaling capacity of our compute instances to mitigate interruptions at the application layer, we implement industry standard access controls and detection capabilities for the internal networks that support Vectara products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted internet-accessible application software. The WAF is designed to identify and prevent attacks against publicly available network services.
- Logs: Vectara logs activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and archived in encrypted storage. We implement measures to detect and prevent log tampering or interruptions.
- Background checks: All Vectara employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Vectara employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- Product access: A subset of our employees have access to the products and to stored data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Employees are granted access by role, and access is reviewed routinely.
Vectara designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
We have policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues. Our stated processes include:
- Promptly respond to alerts of potential incidents
- Determine the severity of the incident
- Analyze and assess the extent of the incident
- If necessary, execute mitigation and containment measures
- Communicate with relevant internal and external stakeholders, including notifying affected customers to comply with relevant laws and regulations and to meet contractual obligations around breach or incident notifications
- Gather and preserve evidence for investigative efforts
- Conduct and document a postmortem and develop a permanent triage plan
- The incident response policies and processes are actively reviewed as part of our ongoing efforts to comply with SOC 2 and other security assessments.
General Security Questions
If you have general security questions or concerns, please email us at [email protected].