This security policy describes our technical standards with respect to the website www.aureliuslab.com, the domain aureliuslab.com, and all subdomains or subapplications created by Aurelius Lab, LLC (“Aurelius”, “We” or “Us”). “You” or “Your” refers to you, the user of our site or services, regardless of whether you are a natural person or an entity.
Your data is only as secure as your users. Aurelius uses a variety of strong encryption and security techniques to help protect you and your data. Please ensure your users choose strong passwords, and do not invite unauthorized users into your company’s account. Aurelius uses Transport Layer Security (TLS) to encrypt data in transit: traffic is encrypted from your browser to our servers, between our servers and our databases, and back again. This protects your sensitive personal information, including your credit card number during online transactions. No communications are ever sent in plain text. Additionally, we serve all our apps over HTTPS using HTTP/2.
Aurelius never stores your payment information; all payment details are sent to Stripe over TLS 1.2 or above. We currently use Stripe, a PCI DSS compliant payment processor, to encrypt and process credit card payments, and all transactions are completed in a PCI DSS compliant manner.
Aurelius is protected against DDoS attacks by mitigation techniques including TCP SYN cookies and connection rate limiting. These measures reduce the risk that an attack degrades service performance or takes our websites offline, even briefly.
Port scanning is prohibited, and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and the scanning source is blocked. This limits an attacker’s ability to enumerate the network services running on our hosts; it complements, rather than replaces, exposing only the services that need to be reachable.
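The detection step described above can be illustrated with a small sliding-window detector. This is an added example written for this page, not Aurelius’s or its provider’s own tooling; the log format, the threshold of five distinct ports, the 60-second window and all addresses are assumed, and the sample lines are constructed rather than captured. It also shows the usual failure mode of such a rule: a scan spread out more slowly than the window evades it unless the window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in an iptables/nftables LOG-target style; they are not real traffic.
# 203.0.113.7 probes six ports in five seconds (fast scan), 198.51.100.200 probes one port
# every 30 seconds (slow scan), and 10.0.0.5 is a normal client reusing port 443.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=21 SYN
2024-05-01T10:00:01Z kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:01Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22 SYN
2024-05-01T10:00:02Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=23 SYN
2024-05-01T10:00:02Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=ICMP TYPE=8
2024-05-01T10:00:03Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=25 SYN
2024-05-01T10:00:04Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
2024-05-01T10:00:05Z kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:00:06Z kernel: IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:05:00Z kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=22 SYN
2024-05-01T10:05:30Z kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
2024-05-01T10:06:00Z kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-05-01T10:06:30Z kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=8080 SYN
2024-05-01T10:07:00Z kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=3306 SYN
"""

# Lines without a DPT (e.g. ICMP) do not match and are skipped.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+kernel:.*?\bSRC=(?P<src>[\d.]+).*?\bDPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (unix_timestamp, source_ip, destination_port) or None for lines we ignore."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts.timestamp(), m.group("src"), int(m.group("dpt"))


def detect_port_scans(log_text, threshold=5, window_seconds=60):
    """Flag sources that touch >= threshold distinct ports within any window_seconds span.

    Assumes lines are in chronological order. Returns {source_ip: max distinct ports seen
    in one window} for every flagged source.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, port), oldest first
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        events = recent[src]
        events.append((ts, port))
        cutoff = ts - window_seconds
        while events and events[0][0] < cutoff:  # drop events that fell out of the window
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print("60 s window:", detect_port_scans(SAMPLE_LOG))
    print("600 s window:", detect_port_scans(SAMPLE_LOG, window_seconds=600))
```

With the 60-second window only the fast scanner is reported; the slow scanner never has more than three distinct ports in any window, and the legitimate client never exceeds one. Widening the window to 600 seconds catches the slow scan too, at the cost of holding more state per source, which is the trade-off any such detector has to make.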
Our secure data centers run on Google Cloud. Google continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Google’s data center operations have been accredited under (without limitation):
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
All application data is backed up at least daily and can be restored in the event of a disaster, so even a natural disaster will not result in the loss of data you put into Aurelius.
To prevent unauthorized account access we enforce strong user passwords, and we store passwords only as salted, one-way hashes produced by a strong, deliberately slow password-hashing algorithm (not reversible encryption), so the original password cannot be recovered from our database. In addition, all personal user account information is encrypted during transmission, and sessions are authenticated via JSON Web Tokens (JWTs). JWTs are an open, industry standard (RFC 7519) method for representing claims between two parties; our tokens are signed with a symmetric, shared-secret keyed-hash (HMAC) algorithm so that any tampering is detected. A signed JWT is not encrypted: its claims are readable by anyone who holds the token, so the token itself must be protected like a credential. Users should not divulge their passwords to anyone. Aurelius will never ask you for your password in any phone call or unsolicited e-mail.
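The two mechanisms in the paragraph above, one-way password hashing and HMAC-signed JWTs, are shown together in the following example. It is added for this page and is not Aurelius’s code; it uses only the Python standard library, the scrypt parameters and the token lifetime are assumed values, and the secret key is a placeholder. It demonstrates the points a practitioner cares about: the stored password record cannot be turned back into the password, the server pins the signing algorithm instead of trusting the token’s own `alg` header (so an `alg: none` token is rejected), signature comparison is constant-time, expiry is enforced, and `peek_claims` shows that the payload is readable without the key.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Password storage: salted, one-way, deliberately slow hashing (scrypt) ----
# Parameters are assumed for this example; raise SCRYPT_N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return 'scrypt$<salt>$<digest>'; the password cannot be recovered from it."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(actual, expected)


# ---- JWT (RFC 7519) signed with HS256: a shared-secret HMAC, not encryption ----
def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key, ttl_seconds=900, now=None):
    """Sign claims with HMAC-SHA256; 'now' is injectable so the example is deterministic."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token):
    """Decode the payload WITHOUT verifying: JWT claims are readable by anyone holding the token."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token, key, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side; never let the token choose (rejects "none" and algorithm confusion).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    key = b"example-shared-secret-not-for-production"  # placeholder, assumed for the example
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    token = mint_jwt({"sub": "user-123"}, key, now=1_700_000_000)
    print(peek_claims(token), verify_jwt(token, key, now=1_700_000_100))
```

Because the JWT payload is only base64url-encoded, anything placed in the claims is visible to the client and to anyone who intercepts the token; the signature guarantees integrity and origin, not confidentiality.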
When entering information into Aurelius or contacting Aurelius through any method of communication (phone call, email, web form, etc.), you must determine whether the method of communication is adequately secure for your purposes prior to providing any PII or other confidential information. Any PII or confidential information sent by the user is sent at the user’s own risk.
Aurelius regularly runs internal penetration tests against its servers to evaluate the security of the system. These tests are performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system’s features and data. At any time and without prior notice, we reserve the right to examine e-mail records, personal file directories, and other information stored on our servers. This examination assures compliance with company policies and regulatory schemes, supports the performance of internal investigations, and assists with the management of our information systems.
We reserve the right, at our sole discretion, to amend any of the protocols described in this policy, and will update this document accordingly when we do so. We will make all reasonable efforts to inform you if this policy is amended, but it is your sole responsibility to be aware of the latest contents of this policy by periodically checking our site.