Security Policy

Veemo Support’s omnichannel customer service and help desk platform empowers businesses to deliver great customer

Security is one of the top priorities for Veemo because it’s fundamental to your experience with the product. Managing our customer data is more than just a responsibility to be met, it’s something our company is truly passionate about. We do more than just follow policies and check boxes, we instill awareness and combine enterprise-grade security features with comprehensive audits of our applications, systems, and networks to ensure customer data is protected. All Veemo employees are trained on security practices during company onboarding and on an annual basis.

Physical Security

Veemo hosts all its software in DigitalOcean’s facilities in Singapore. DigitalOcean provides an extensive list of compliance and regulatory assurances, including SOC II, and ISO 27001. See DigitalOcean’s compliance and security documents for more detailed information. Veemo employees do not have physical access to DigitalOcean data centers, servers, network equipment, or storage.

Network Security

All of Veemo servers are located within Veemo’s own virtual private cloud (VPC), protected by restricted security groups allowing only the minimal required communication to and between the servers. Firewalls screen data coming in and out of computer networks, blocking unauthorized access and stopping traffic from unsafe internet sources. We also utilize intrusion detection systems in our production network and advanced email filtering in our corporate network to identify potential security threats.

Application Security

Two Factor Authentication: To verify user’s identity, 2FA is enforced over phone and email with the help of their unique passwords and also through randomly-generated and constantly refreshing codes

JWT Token: JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It has an expiration period of around 15 minutes, so that any leaked JWTs will cease to be valid fairly quickly

IP Blocking: Commonly used to protect against brute force attacks and to prevent access by a disruptive address, certain IP addresses are blocked.

Web application architecture and implementation follow OWASP guidelines. We regularly scan source code and systems for vulnerabilities and perform necessary patching and updates based on those results.

Data Security

All connections to Veemo are encrypted using SSL, and any attempt to connect over HTTP is redirected to HTTPS. All customer data is encrypted at rest and in transit with AES 256 Encryption. At end-of-life, DigitalOcean destroys disks per NIST 800-88 standards. We use industry-standard PostgreSQL, ElasticSearch and MongoDB data storage systems hosted at DigitalOcean and/or by the respective vendors.

Backup and Disaster Recovery

In order to curb system failures and keep both planned and unplanned downtimes at bay, High Availability (HA) architecture is employed. Our system design allows for the distribution of the workloads across multiple systems, which helps in optimizing resource use, maximizing output, minimizing response times and avoiding overburden of any system in the process through load balancing. Veemo keeps continuous encrypted backups of data in multiple regions on DigitalOcean Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

Training and Awareness

Veemo requires all employees and contractors to sign a confidentiality agreement prior to commencement. All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training. All engineers review security policies as part of onboarding and are encouraged to review and contribute to policies via internal documentation.

Incident response plan

In case of a security incident it’s best to have a clearly defined plan and responsibilities. Below you will find more details regarding the response plan that Veemo has in place in the unlikely case of a security breach.

Responsibilities

Level 1: Depending on how the incident is reported/discovered we generally have the first level of technical support that is likely to triage/escalate the issue. Normally that role is reserved for whoever is on the level 1 tech support shift at the time.
Level 2: Is a senior engineer or CTO that classifies the impact of the security incident.
Level 3: Is a senior engineer or CTO that classifies the impact of the security incident.

Triage Process

Before escalating the incident to the next level, the person that first finds out about it needs to verify the incident and its initial impact.

Escalation Process

Once verified the escalation process should be immediate to level 2 and then level 3 verbally, by phone, email, whatever medium is available.

Classification Process

Once escalated the rank/severity of the incident must be determined. Does it affect all customers? A single company? An individual? What type of data was affected if any? Was it encrypted? If so, how?

Investigation Process

Analyze all elements of the incident in order to identify all the causes or where a failure occurred including the software, hardware, people, and internal processes.

Lessons Learned

Based on the result of the investigation, determine what could be done to prevent this attack and what defensive mechanisms failed and take immediate action to remediate the cause and improve the future process. This information should also be public and posted on our public blog.

Vulnerability Disclosure Process

Veemo considers privacy and security to be core functions of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, please reach out to us at security@Veemo.ai