Security

🔐The privacy and security of your data is our top priority.

With digital adoption and transformation taking place around us and the pace of data consumption and requirement for the availability of data on the go, it is important that you have access to your data in an organized manner. Needl.ai provides its users (a) secure cloud data storage (b) personal search engine (c) security and privacy by design architecture (d) security and privacy by design architecture. While data on the go is a primary requirement for many users, data security and privacy by design is the need of the hour for many and especially working professionals.

Needl.ai is a solution, and its architecture is designed with the primary goal of making organized data available to the Users while ensuring data security and privacy by design architecture.

At the core of Needl.ai solution is our security and privacy by design architecture, comprehensive security program, multilayered approach to security.

This whitepaper describes in a simple manner Needl.ai product security features, operational security measures, security and privacy by design architecture, independent certifications, and regulatory compliance measures to help Needl.ai to provide you with a reliable data solution.

ISO/IEC 27001: 2013 certification

Needl.ai is accredited with ISO/IEC 27001: 2013 certification. In terms of this certification, the Information Security Management System (ISMS) of Needl.ai covers the protection of information security, in its business operation that involves delivering services to its clients in the form of collating, analysis and present all data from public and private sources into a personal vault specified by the Client on the cloud designed, developed, and administered by Needl.ai

SOC 2, Type 1 certification

This certification provides a reasonable assurance that Needl.ai service commitments and system requirements are achieved based on the trust service criteria relevant to Security, Availability, Confidentiality, Privacy and Processing Integrity, outlined in TSP section 100, 2017 Trust Service Criteria for Security, Availability, Confidentiality, Privacy and Processing Integrity (AICPA, Trust Service Criteria).

Physical access control and logical access control

Needl.ai infrastructure can broadly be identified as physical access and logical access. While physical access to Needl.ai resources is managed through AWS (sub-service organization), logical access is managed by Needl.ai

Needl.ai infrastructure is designed, implemented and operated to achieve its business objectives. Needl.ai uses AWS as IaaS, PaaS, DaaS. Needl.ai application, as well as Your data, is hosted securely behind the robust infrastructure of AWS.

Needl.ai uses role-based security architecture and requires users of the system to be identified and authenticated before the use of any system resources. Needl.ai adheres to the “least privileges principle” and only allows the absolute minimum levels of access required for a given role.

Resources are protected through the use of native system security and add-on software products that identify and authenticate users and validate access requests against the users’ authorized roles in access control lists.

All resources are managed in the asset inventory system and each asset is assigned an owner. Owners are responsible for approving access to the resource and for performing periodic reviews of access by role.

While configuring the physical infrastructure with AWS, Needl.ai has implemented three layers of architecture: (a) Public Network Layer (b) Application Layer and (c) Data Layer.

Each of these layers is comprised of technical configuration, which supports the Needl.ai application, data security and data privacy design of the Needl.ai application.

This is an outer, Internet-facing layer of AWS infrastructure. This Network Layer is built with the following resources.

This layer hosts the Needl.ai application and security features required to provide Needl.ai service. This Network Layer is built with the following resources.

Data Layer hosts the Users' data. The user's data is stored, using server-side encryption (encryption at rest). The data layer is built with the following resources.

All external communications with Users are authenticated based on session login. Also, data in transit is encrypted and TLS1.3 protocols are used. Data in transit between the User and the Needl.ai hosted service is encrypted via SSL/TLS.

Data uploaded by users with the Needl.ai application is encrypted at rest using 256-bit Advanced Encryption Standard (AES), server-side encryption. User Data is stored in VPC (virtual private cloud), with a private subnet. Secure authentication and encryption algorithms are used for users connecting to Needl.ai VPC. User data is stored across multiple availability zones through the AWS cloud.

The encryption keys are maintained in the AWS Key Management Service.

Secure access management for users is ensured through AWS Cognito. Users are required to use two-factor authentication to connect to access Needl.ai application. There exists a formally documented Information Classification and Handling Policy detailing the classification of data based on its criticality and sensitivity.

Needl.ai application and User data are hosted with Amazon Web Services (AWS), a third-party subservice organization data centres located in different regions of the United States. While AWS is responsible for physical access to Needl.ai resources, the Firm is responsible for logical access to the resources.

AWS (Subservice organization data centre) SOC reports and/or vendor security questionnaires and contractual obligations are reviewed on annual basis for security controls. AWS (Subservice organization data centre) is responsible for the physical, environmental, and operational security controls at the boundaries of Needl.ai infrastructure.

Needl.ai is responsible for the logical access, network, application and data security of Needl.ai application and User’s data hosted AWS.

AWS is responsible for the physical and network security of the Needl.ai application provided through AWS. AWS protects the inbound and outbound connections through its firewall, which is configured in a default deny-all mode. Needl.ai restricts access to the environment to a limited number of IP addresses and employees.

Needl.ai has incident response policies and procedures in place to guide personnel in reporting and responding to information technology incidents. Procedures exist to identify, report, and act upon system security breaches and other incidents.   The team responded to overlook any adverse event is equipped to.

The incident response policies and processes are audited as part of our SOC 2, ISO/IEC 27001 certification and applicable standards.

Needl.ai has established a business continuity process to address how to resume or continue providing services to its Users. This process guides Needl.ai to function as a firm and its employees on how to restore business-critical processes during any adverse event.  Business continuity and disaster recovery process are tested on annual basis.

Process and policies adopted by Needl.ai for Business continuity and disaster recovery are consistent with guidelines issued under ISO/IEC 27001: 2013 and SOC 2, Type 1 certification.

Needl.ai has established an information security management framework describing the process, purpose, principles, and basic rules for how Needl.ai maintains data security and privacy by design. Needl.ai regularly reviews and update its policies, processes, provide security training, network security testing and conduct internal and external risk assessments. The security policies and processes are reviewed on annual basis. Employees participate in mandatory security training while the Firm and ongoing security awareness education.

Employees undergo a background check, sign a security policy acknowledgement and non-disclosure agreement, and receive security training. After completion of this process, employees are granted physical and logical access Firm's resources. All the employee undergo annual security training. Access to the Firm's resources are granted based on the role configuration and is subject to a multi-factor access management framework. Needl.ai architecture maintains the complete audit trail of access management and activities.

Needl.ai has implemented a vulnerability management program. A vulnerability assessment is performed on an annual basis for the in-scope products for defining, identifying, classifying and prioritizing vulnerabilities. On annual basis, Penetration Testing (PT) is performed by a third party for the in-scope products. Results of the security testing are communicated to the respective products team for remediation and tracked to closure. Vulnerabilities identified during the security testing are categorized based on severity and are communicated to the respective Teams for initiating corrective action.

Needl.ai has a defined process for Secure Development Policy. On an annual basis, the policy is reviewed and approved by the Head of Engineering. Needl.ai has defined procedures for change initiation, analyzing, testing, approving and implementing application and infrastructure-related changes.

For every new feature, patch or bug, a change ticket is raised within GitHub to track the status of the change from development, testing to deployment. All changes migrated to the production environment for each product are required to be tested based on the security testing methodologies and functional testing procedures. Product Leads/ Managers review the results and remediation from the security and QA testing and provides approval within the GitHub ticket. The change is deployed to the production environment of the product via the CircleCI tool and is managed by the Engineering Lead. Infrastructure and application changes are required to be recorded in GitHub and approved before performing the change to the production environment.

We hold the privacy of your data as a first principle. We are a subscription-based business and we do not leak or sell your data to generate revenue. Needl.ai is the product, not you!

Needl.ai has a clearly defined Privacy Policy that defines how end-user data is collected, processed and stored. It also provides to the data subjects about its privacy practices to meet Needl.ai objectives related to privacy. The notice is updated and communicated to the Users promptly for changes to Needl.ai privacy practices, including changes in the use of personal information, to meet Needl.ai objectives related to privacy.

Needl.ai retains the service data as per the requirements defined in the Terms of Service deletes the data thereafter. Production logs are retained for a period of fourteen days (14) and AWS admin activity logs are maintained for three (3) months. Use can delete Needl.ai the account at any time. If the User does so, Needl.ai purges ALL the user’s data. Needl.ai retains nothing

Access restrictions are in place to ensure only respective end-users have access to their data.

Needl.ai has formal procedures in place for customer service employees to follow when confirming the identity of the customer and obtaining access to customer data for processing the customer request or debugging.