Smooch services are hosted on Amazon Web Services (AWS). As such, Smooch inherits the control environment which Amazon maintains and demonstrates via SSAE16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged. You can read more about AWS security on their security page.
All systems are constantly monitored by both Smooch and our service providers.
Smooch is currently hosted in the United States.
Our DevOps and Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected by secure HTTPS transport over public networks.
Access to the Smooch Production System is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our DevOps Team. Employees accessing the Smooch Production System are required to use multiple factors of authentication.
In case of a system alert, events are escalated to our 24/7 DevOps and InfoSec teams providing Operations, Network Engineering, and Security coverage.
Communications between you and Smooch servers are encrypted using industry best-practice HTTPS and Transport Layer Security (TLS). Our TLS configuration scores “A” on the ssllabs.com security tests.
Smooch supports encryption of customer data at rest.
Smooch maintains a publicly available system-status webpage that includes system availability details, scheduled maintenance, service incident history, and relevant security events, hosted separately from the Smooch System.
The Smooch system architecture makes use of multiple availability zones to minimize single points of failure. Our strict backup regime ensures customer data is actively replicated across systems and between AWS S3 availability zones.
We review our code against the top classes of security flaws and maintain inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and others. Tools and references used include Snyk.io, nsp and the OWASP Top Ten.
Our full-stack developers write unit tests and QA each other’s code before every release, identifying, testing and triaging application issues and security vulnerabilities.
Testing and staging environments are separated logically from the production environment. No actual customer data is used in the development or test environments.
Only the account administrator can log in to the console to administer the configurations and integrations.
Smooch stores user passwords through a secure SOC 2 compliant third-party and does not store these credentials in our database.
The Smooch API is SSL-only (HTTPS) and you must be a verified user to make API requests. You can authorize against the API either with basic authentication using your username and password, or with a JWT-signed request.
Smooch performs background checks on all new employees in accordance with local laws. Contractors are required to complete the same checks.
All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.