🛡️

Security

🔐The privacy and security of your data is our top priority.

Overview

With digital adoption and transformation taking place around us and the pace of data consumption and requirement for the availability of data on the go, it is important that you have access to your data in an organized manner. Needl.ai provides its users (a) secure cloud data storage (b) personal search engine (c) security and privacy by design architecture (d) security and privacy by design architecture. While data on the go is a primary requirement for many users, data security and privacy by design is the need of the hour for many and especially working professionals.

Needl.ai is a solution, and its architecture is designed with the primary goal of making organized data available to the Users while ensuring data security and privacy by design architecture.

At the core of Needl.ai solution is our security and privacy by design architecture, comprehensive security program, multilayered approach to security.

This whitepaper describes in a simple manner Needl.ai product security features, operational security measures, security and privacy by design architecture, independent certifications, and regulatory compliance measures to help Needl.ai to provide you with a reliable data solution.

Certification

ISO/IEC 27001: 2013 certification

Needl.ai is accredited with ISO/IEC 27001: 2013 certification. In terms of this certification, the Information Security Management System (ISMS) of Needl.ai covers the protection of information security, in its business operation that involves delivering services to its clients in the form of collating, analysis and present all data from public and private sources into a personal vault specified by the Client on the cloud designed, developed, and administered by Needl.ai

SOC 2, Type 1 certification

This certification provides a reasonable assurance that Needl.ai service commitments and system requirements are achieved based on the trust service criteria relevant to Security, Availability, Confidentiality, Privacy and Processing Integrity, outlined in TSP section 100, 2017 Trust Service Criteria for Security, Availability, Confidentiality, Privacy and Processing Integrity (AICPA, Trust Service Criteria).

Needl.ai infrastructure

Physical access control and logical access control

Needl.ai infrastructure can broadly be identified as physical access and logical access. While physical access to Needl.ai resources is managed through AWS (sub-service organization), logical access is managed by Needl.ai

Needl.ai infrastructure is designed, implemented and operated to achieve its business objectives. Needl.ai uses AWS as IaaS, PaaS, DaaS. Needl.ai application, as well as Your data, is hosted securely behind the robust infrastructure of AWS.

Needl.ai uses role-based security architecture and requires users of the system to be identified and authenticated before the use of any system resources. Needl.ai adheres to the “least privileges principle” and only allows the absolute minimum levels of access required for a given role.

Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users’ authorized roles in access control lists.

All resources are managed in the asset inventory system and each asset is assigned an owner. Owners are responsible for approving access to the resource and for performing periodic reviews of access by role.

While configuring the physical infrastructure with AWS, Needl.ai has implemented three layers of architecture: (a) Public Network Layer (b) Application Layer and (c) Data Layer.

Each of these layers is comprised of technical configuration, which supports the Needl.ai application, data security and data privacy design of the Needl.ai application.

Public Network Layer

This is an outer, Internet-facing layer of AWS infrastructure. This Network Layer is built with the following resources.

  • AWS API gateway: permits AWS resources to interact with the internet
  • AWS Cognito: enables and manages the User identification and login authentication, thereby permitting access to the User only to the data authorized for each User
  • AWS CloudFront: this enables fast content delivery to the Users without any lag
  • AWS ECR: automatically replicate the Needl.ai application at multiple regions to reduce download time. ECR stores Needl.ai application within containers which gets deployed through AWS Fargate.

Application Layer

This layer hosts the Needl.ai application and security features required to provide Needl.ai service. This Network Layer is built with the following resources.

  • AWS Security Groups: this acts as a virtual firewall for each instance to control inbound and outbound traffic. This acts at an instance level. Hence each instance in VPC (virtual private cloud) is assigned to a different security group.
  • AWS Fargate: enables to allocate the right amount of computing infrastructure to the requirement to run Needl.ai services, thereby ensuring that required computing resources to provide Needl.ai service are always made available.
  • AWS Lambda: Needl.ai application is deployed in AWS through AWS Lambda.
  • AWS VCP enables network isolation. User data is stored in VPC (virtual private cloud), with the private subnet.

Data Layer

Data Layer hosts the Users' data. The user's data is stored, using server-side encryption (encryption at rest). The data layer is built with the following resources.

  • AWS RDS: is used to store the user account information.
  • AWS Elastic Search: is used for indexing the User’s data, enabling the quick search.
  • AWS S3: enables to store Users’ data/ information/ files/ folders.

Encryption

  • Data in transit

All external communications with Users are authenticated based on session login. Also, data in transit is encrypted and TLS1.3 protocols are used. Data in transit between the User and the Needl.ai hosted service is encrypted via SSL/TLS.

  • Data at rest

Data uploaded by users with the Needl.ai application is encrypted at rest using 256-bit Advanced Encryption Standard (AES), server-side encryption. User Data is stored in VPC (virtual private cloud), with a private subnet. Secure authentication and encryption algorithms are used for users connecting to Needl.ai VPC. User data is stored across multiple availability zones through the AWS cloud.

  • Key management

The encryption keys are maintained in the AWS Key Management Service.

Access management

Secure access management for users is ensured through AWS Cognito. Users are required to use two-factor authentication to connect to access Needl.ai application. There exists a formally documented Information Classification and Handling Policy detailing the classification of data based on its criticality and sensitivity.

Data Centre & managed service providers

Needl.ai application and User data are hosted with Amazon Web Services (AWS), a third-party subservice organization data centres located in different regions of the United States. While AWS is responsible for physical access to Needl.ai resources, the Firm is responsible for logical access to the resources.

AWS (Subservice organization data centre) SOC reports and/or vendor security questionnaires and contractual obligations are reviewed on annual basis for security controls. AWS (Subservice organization data centre) is responsible for the physical, environmental, and operational security controls at the boundaries of Needl.ai infrastructure.

Needl.ai is responsible for the logical access, network, application and data security of Needl.ai application and User’s data hosted AWS.

AWS is responsible for the physical and network security of the Needl.ai application provided through AWS. AWS protects the inbound and outbound connections through its firewall, which is configured in a default deny-all mode. Needl.ai restricts access to the environment to a limited number of IP addresses and employees.

Incident response

Needl.ai has incident response policies and procedures in place to guide personnel in reporting and responding to information technology incidents. Procedures exist to identify, report, and act upon system security breaches and other incidents.   The team responded to overlook any adverse event is equipped to.

  • promptly respond to any alerts to potential adverse instance.
  • understand and analyze the severity of the instance.
  • execute instance mitigation measures (if required).
  • Communicate with internal and external stakeholders, including intimation to affected User and to comply with applicable laws and regulations.
  • Keep records and audit trail for adverse instance.

The incident response policies and processes are audited as part of our SOC 2, ISO/IEC 27001 certification and applicable standards.

Business continuity

Needl.ai has established a business continuity process to address how to resume or continue providing services to its Users. This process guides Needl.ai to function as a firm and its employees on how to restore business-critical processes during any adverse event.  Business continuity and disaster recovery process are tested on annual basis.

Process and policies adopted by Needl.ai for Business continuity and disaster recovery are consistent with guidelines issued under ISO/IEC 27001: 2013 and SOC 2, Type 1 certification.

Internal Security Practices

Needl.ai has established an information security management framework describing the process, purpose, principles, and basic rules for how Needl.ai maintains data security and privacy by design. Needl.ai regularly reviews and update its policies, processes, provide security training, network security testing and conduct internal and external risk assessments. The security policies and processes are reviewed on annual basis. Employees participate in mandatory security training while the Firm and ongoing security awareness education.

Employees undergo a background check, sign a security policy acknowledgement and non-disclosure agreement, and receive security training. After completion of this process, employees are granted physical and logical access Firm's resources. All the employee undergo annual security training. Access to the Firm's resources are granted based on the role configuration and is subject to a multi-factor access management framework. Needl.ai architecture maintains the complete audit trail of access management and activities.

Vulnerability Management

Needl.ai has implemented a vulnerability management program. A vulnerability assessment is performed on an annual basis for the in-scope products for defining, identifying, classifying and prioritizing vulnerabilities. On annual basis, Penetration Testing (PT) is performed by a third party for the in-scope products. Results of the security testing are communicated to the respective products team for remediation and tracked to closure. Vulnerabilities identified during the security testing are categorized based on severity and are communicated to the respective Teams for initiating corrective action.

Change Management

Needl.ai has a defined process for Secure Development Policy. On an annual basis, the policy is reviewed and approved by the Head of Engineering. Needl.ai has defined procedures for change initiation, analyzing, testing, approving and implementing application and infrastructure-related changes.

For every new feature, patch or bug, a change ticket is raised within GitHub to track the status of the change from development, testing to deployment. All changes migrated to the production environment for each product are required to be tested based on the security testing methodologies and functional testing procedures. Product Leads/ Managers review the results and remediation from the security and QA testing and provides approval within the GitHub ticket. The change is deployed to the production environment of the product via the CircleCI tool and is managed by the Engineering Lead. Infrastructure and application changes are required to be recorded in GitHub and approved before performing the change to the production environment.

Privacy

We hold the privacy of your data as a first principle. We are a subscription-based business and we do not leak or sell your data to generate revenue. Needl.ai is the product, not you!

Needl.ai has a clearly defined Privacy Policy that defines how end-user data is collected, processed and stored. It also provides to the data subjects about its privacy practices to meet Needl.ai objectives related to privacy. The notice is updated and communicated to the Users promptly for changes to Needl.ai privacy practices, including changes in the use of personal information, to meet Needl.ai objectives related to privacy.

Needl.ai retains the service data as per the requirements defined in the Terms of Service deletes the data thereafter. Production logs are retained for a period of fourteen days (14) and AWS admin activity logs are maintained for three (3) months. Use can delete Needl.ai the account at any time. If the User does so, Needl.ai purges ALL the user’s data. Needl.ai retains nothing

Access restrictions are in place to ensure only respective end-users have access to their data.

Needl.ai has formal procedures in place for customer service employees to follow when confirming the identity of the customer and obtaining access to customer data for processing the customer request or debugging.