
Security and privacy are our top priority

SOC 2 Type 2 compliant

At theGist, we take our customers’ data very seriously. Since day one, security and privacy have been “job zero” for us and part of every decision that we make.


We integrate with external services such as Slack, but we do so by following their strict API-level authentication requirements and adhering to the permissions that customers grant to theGist, giving you full control over our access. Below are some of the security features of our platform. If you wish to discuss further or have any questions or concerns, please contact us at security@thegist.ai. For our Privacy Policy, please see https://thegist.ai/privacy.

Infrastructure

We only use AWS managed services, and we physically and logically isolate them on a private VPC network. Both network traffic and access control are strictly controlled, and we follow a "Zero Trust" model. An example of this is our use of AWS IAM: having access to the private network is not enough to reach a given system; the user must also be identified, and access to resources is granted based on the user's role and permissions. As part of our continuous compliance and DevSecOps practices, we monitor AWS security event streams such as CloudTrail and GuardDuty. We are notified when our base images have any vulnerabilities and take immediate action.

Company

We perform security background checks on all prospective employees prior to making an offer of employment. Our onboarding process also focuses on security and privacy, and we require all employees to complete security training. We deploy a company-managed security agent to ensure that workstation hard drives are encrypted, a password manager is in use and an antivirus solution is installed.

Backups and Disaster Recovery

All of our databases are hosted on AWS private networks and use AWS managed services exclusively, including AWS RDS and ElastiCache. Access to databases is granted only to applications or select engineers via AWS IAM, and connections to an RDS instance go through AWS VPN, providing IAM-based authorization and encryption in transit. Daily backups are enabled for all databases, as well as continuous point-in-time backups that allow us to restore data from any point in the past. We follow AWS best practices for running our platform with high availability and fault tolerance in mind, and we are continuously iterating on this front. We take great pride in our technology stack and ensure it is always improving. As Gene Kim put it in The Phoenix Project, "If you are not improving, entropy guarantees that you are actually getting worse, which ensures that there is no path to zero errors, zero work-related accidents, and zero loss."

Encryption

We use encryption at rest on all of our databases, specifically the 256-bit Advanced Encryption Standard (AES-256), with symmetric keys managed by AWS. These data keys are themselves encrypted using a key stored in a secure keystore and rotated regularly. For encryption in transit, we enforce HTTPS on all of our services and use TLS certificates with SHA-256 ECDSA signatures, served over the latest protocol version, TLS 1.3.

Compliance

theGist is SOC 2 Type 2 compliant, certified by PwC. We are excited about this, as not many companies of our size and stage invest the time and effort needed to reach SOC 2. This is a testament to the continuous effort we put towards security and privacy for our customers. We also engage an external security firm for penetration testing exercises on a regular cadence and can share these reports with customers and prospects upon NDA signature. For GDPR and other privacy-related matters, see our Privacy Policy.

What's next

We believe that it is not possible to be 100% secure in the current landscape of evolving threats. That is why we always reserve a percentage of every development cycle for security-related improvements and try to bring security in as early in the planning process as possible. If you have any questions or want to discuss further, please reach out to security@thegist.ai. We hope you found this article useful!
