Security

Cerego takes cyber security very seriously. Our team is committed to reaching the highest standards required to protect the sensitive data of today's businesses and educational and governmental institutions. We strive to ensure that your data is handled securely and utilize the most advanced technology for Internet security that is available today.

Physical Security & Hosting:

Cerego is entirely hosted within the AWS cloud. We host our commercial offerings strictly in US regions and our federal and military services in the AWS GovCloud, all using AWS Best Practices.

Data Encryption:

Cerego requires TLS 1.2 or later for all in-transit communication and uses AWS KMS default encryption, currently 256-bit AES-GCM keys, for data stored at rest.

Security Compliance:

Cerego has achieved DFARS 252.204-7012 compliance in our AWS GovCloud region in order to store Controlled Unclassified Information (CUI).

User Authentication:

Access to the Cerego platform is provided by a combination of a username or email and a password, or through an OAuth 2.0-based authentication strategy. We never store your passwords in plaintext; all passwords are individually salted and hashed using one of the highest standards for password protection, the Blowfish algorithm. Sessions are maintained using an encrypted cookie that follows the latest OWASP recommendations for session management.

User Permissions and Access scoping:

All permissions to resources within our system are managed by a role-based permission system that vets each endpoint and serves only appropriate content to the authenticated account. Multiple tiers of roles allow you to finely control and tailor access to management tasks within your organizational account.

Sensitive Data:

Cerego neither collects nor stores sensitive data such as government-issued ID numbers, credit card or financial information, or health records.

Logging and Auditing:

Cerego uses a centralized logging solution in order to manage all access logs and provide a reliable audit trail.

Availability:

All Cerego services are provided using auto-scaling servers and automated self-healing failovers. We guarantee 99.9% uptime to all of our clients. We monitor all of our services continuously and have numerous automated checks that alert our engineering team in the event of an incident. You can see a recent history and track the status of our services at https://status.cerego.com.

Data Recovery:

All Cerego customer data is hosted in a highly available encrypted database and automatically backed up and archived using AWS best practices. Cerego regularly tests data recovery from our encrypted automated backups.

Data Privacy:

Cerego is committed to protecting your sensitive data, and we will never share your data with third-party services without your consent.

Testing:

Cerego tests all changes in a dedicated replica of our production environment. Our engineering team uses Test-Driven Development (TDD) practices to ensure our APIs are verified against a suite of thousands of automated tests that run continuously.

Employee Workstation Security:

Cerego mandates full disk encryption and anti-virus and anti-malware software for all employee workstations.

Employee Access Reviews:

Cerego performs regular access reviews of employee privileges to ensure that, as employee roles change over time, their privileges are updated and kept in sync.

Administrative Access:

Cerego uses SSH keys, enforced two-factor authentication, and IP restriction for administrative access to its infrastructure.

Vulnerability Testing:

Cerego performs vulnerability testing against our application on every major release and whenever new vulnerabilities are disclosed.

Secure Coding:

Cerego follows secure coding principles during development. All code being checked in is reviewed for security weaknesses by both human reviewers and automated scanning tools.

Least Privilege:

Cerego follows the principle of least privilege as a general model within the business: where employees do not require access to information or systems, they are not given it.