Security Measures

Last Updated: December 18, 2021

Personnel Security

  • Confidentiality – Appointlet personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Appointlet’s internal policies.
  • Security Education and Awareness Training – Appointlet personnel are required to attend security and privacy training upon hire and annually thereafter.

Organizational Security

  • Access Controls – Appointlet provisions access based on the principle of least privilege and removes access promptly on termination. These controls are reviewed company-wide twice annually.
  • Multi-factor Authentication (MFA) – Appointlet employs multi-factor authentication for access across our production environment and internal systems containing Customer Data.
  • Passwords – Appointlet requires and enforces password complexity requirements where passwords are employed for authentication (e.g., login to workstations). These requirements include restrictions on password reuse and sufficient password strength.
  • Information Security – Appointlet personnel are required to acknowledge and comply with Appointlet Information Security policies and standards. Noncompliance is subject to disciplinary action, up to and including termination of employment.
  • Monitoring and Incident Response – Appointlet maintains incident detection capabilities and a documented incident response program. In the event of an incident, Appointlet will promptly take reasonable steps to minimize harm and secure Customer Data.

Data Hosting & Practices

  • Industry Standard Encryption – Data in transit is encrypted using TLS 1.2+, and data at rest is encrypted using AES-256. Appointlet hashes user passwords with PBKDF2 before storing them in an encrypted database.
  • Retention and Deletion – Appointlet maintains backup data for up to 7 days after any data has been deleted by an end user. After that period the data is permanently deleted.
  • Storage – Appointlet stores data in a multi-tenant environment hosted on AWS servers and logically isolates Customer Data.
  • Data Centers – Appointlet hosts data on Amazon Web Services (AWS), which maintains internationally recognized, world-class compliance certifications and reports. AWS maintains industry-leading security practices and offers state-of-the-art environmental and physical protection for the services and infrastructure that comprise Appointlet’s operating environment.
  • Backups – Appointlet conducts periodic database backups. Backups are retained for 7 days during the normal course of operations.
  • Replication – Appointlet also replicates databases and database backups in alternate availability zones. We perform regular backups and restoration testing.
  • Redundancy – Appointlet’s infrastructure has been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. This design allows Appointlet to perform maintenance and improvements of the infrastructure with minimal impact on the production systems.

Network Protection

  • Firewalls – Appointlet configures firewalls according to industry best practices; unnecessary ports and protocols are blocked by configuring AWS Security Groups and NACLs (Network Access Control Lists). Configurations are regularly monitored using automated cloud security posture management tools.
  • Monitoring, Logging, and Alerting – Appointlet collects application logs and monitors them for suspicious activity using a SIEM (Security Information and Event Management) tool. All alerts are triaged by Appointlet’s Security Team, and a security incident is raised after log inspection.

Subprocessors

  • Confidentiality – Appointlet takes appropriate steps to ensure our security posture is maintained by establishing agreements that require subprocessors and service organizations to adhere to confidentiality commitments.

Security Certifications and Reports

  • Penetration Testing – Appointlet engages independent third-party firms to conduct application-level and network-level penetration tests at least annually. Results of these tests are shared with senior management, triaged, prioritized, and remediated in a timely manner.
  • Independent Security Disclosure Program – Appointlet runs a “Bug Bounty” program for independent security researchers, designed to allow security professionals to disclose security issues through appropriate channels so that we can resolve them promptly. More information can be found here.