Alyo Security Policy
Alyo software and data hosted in Google Cloud, managed by Alyo, and delivered to you as Software as a Service (“Alyo Software”) are subject to the following Security Policy. If you requested hosting in a different environment or data center, this security policy does not apply.
Storage and Access
All data communications to and from Alyo Software, via API or via UI through a web browser or mobile client, are restricted to SSL-encrypted connections. We store passwords only as the result of a secure, salted, one-way encrypted hash. Our APIs support unique access tokens that require secure signatures, a feature that is turned on by default.
Alyo is hosted and managed in Google Cloud. Google Cloud data center operations have been accredited under: SOC 1/2/3, CSA STAR, ISO/IEC 27001, ISO/IEC 2700, ISO/IEC 27018, FedRAMP, SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), FINRA Rule 4511(c), and PCI DSS. For additional information, see cloud data center security details.
Our source code repositories, for both our platform and mobile applications, are continuously analyzed for security issues. Our security engineers participate in secure code training that covers top security flaws, common attack vectors, and security controls. Application security engineers test and guard against threats to reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Path Traversal, Local File Inclusion, SQL Injection, and Distributed Denial of Service, among others.
Vulnerability and Penetration Testing
We run vulnerability scans on predefined schedules, test, and work with engineering teams to remediate any discovered issues.
In addition to our extensive internal scanning and testing program, we may engage third-party security experts to perform detailed penetration tests on different parts of the application.
Access for Management and Support
Our operations staff will access your account only when required for operations and support reasons, which include responding to support tickets opened by you, a critical security issue, or suspected abuse. When working a support issue, we do our best to respect your privacy as much as possible; we only access the minimum data needed to resolve your issue.
We support different permission levels for your users to manage your account. Your designated administrator user has full access. You are responsible for the actions of your account administrator and any other user defined in your account. Your account administrator can add, delete, and manage users who can access data within your account and define their user roles and access privileges.
We do not process or store any credit card details belonging to your customers or yourself.