Security Statement

Effective as of November 2020.

Strigo is committed to the security of your data. We use a variety of industry-standard security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. You also have several security controls available within Strigo.

Overview

To protect your information, data is:

  • Transmitted via HTTPS and WSS.
  • Accessed through the password-protected Strigo website or via APIs that require token authentication.
  • Stored in an ISO 27001 and FISMA certified data center.

Access Control

Users can access the Strigo application by visiting https://app.strigo.io via a web browser. All data is sent via HTTPS. Website access is available via username and password authentication or by SSO.

Strigo uses an industry-standard, encrypted token for session-level authentication. Strigo user passwords are stored in an industry-standard, encrypted hash format. Strigo enforces an automatic session timeout after a fixed period of inactivity.

Customers can access only the data for their own organization. Organizations can grant access to users by inviting them into Strigo.

Strigo Employee Access

Strigo personnel access customer data only on a need-to-know basis for support purposes. All support personnel have signed Non-Disclosure Agreements, and no changes are ever made to an account without prior approval from the customer.

Access of Strigo personnel to sensitive internal services is governed by a 2FA policy.

Software Development Lifecycle

Strigo uses the git revision control system. We run a series of tests throughout the software development lifecycle, including automated tests and a process of automatic vulnerability analysis. These are also manually reviewed. When code changes pass the automated processes, the changes are first pushed to staging servers wherein Strigo employees test the changes before an eventual push to the production servers and to the customer base. An additional security review is also conducted when there are particularly sensitive changes.

Scalability/Reliability of Architecture

Strigo data centers are hosted on Amazon Web Services (AWS). The IT infrastructure that AWS provides is designed and managed in alignment with security best practices, including the following IT security standards:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DOD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001
  • ITAR
  • FIPS 140-2
  • MTCS Level 3

Physical access to the data centers is strictly controlled both at the perimeter and at building ingress points by professional security staff, using video surveillance, state of the art intrusion detection systems, biometric locks, and other electronic means.

For more information, refer to the AWS Security White Paper.

The database is replicated synchronously so that we can quickly recover from a database failure. As an extra precaution, we take regular snapshots of the database so that we can restore it as needed.

Data Security

  • Data stored in Strigo’s database is encrypted at rest.
  • All data traffic is encrypted at transit.
  • Personal customer data is stored in the Strigo databases that are located in Western Europe.
  • The servers providing Strigo’s service are located in Western Europe as well.
  • Additional servers that relay data from end-user browsers to remote virtual labs are located in the US, Europe, Singapore and Australia. Only data regarding the interaction of the users with the virtual labs goes these servers.

Availability

We are committed to making Strigo consistently available to you. Our systems are constantly monitored to keep your work uninterrupted. You can verify our availability at all times on our status page.

Want to report a security concern?

Email us at security@strigo.io.