Security Standards

The below is a general description of Aura’s security standards and practices as of the date hereof. Aura is continuously reviewing its practices and the following may change without notice as Aura deems reasonably necessary to improve its security standards and practices.

Secure Architecture

• All personal data of customers of Aura’s products or services (“Customer Data”) is restricted to authorized Aura team members based on the principle of least privilege and a need-to-know basis. 
• Customer Data is stored within the production environment and is processed as needed to provide Aura products and services to the customer or otherwise in accordance with Aura’s privacy policy. 
• Web access, where end-users access their Customer Data, is segregated from the rest of Aura’s technical architecture. 
• Direct administrative access to Aura’s architecture from the public Internet is prohibited.

Information Security Policy and Program Management

Aura Security Program is overseen by Aura’s Executive Management. The execution of the Security Program is delegated to the Chief Information Security Officer (CISO). Management delegates the maintenance of issue-specific policies to the CISO. Policies are reviewed annually and govern essential functions such as access control, data handling, incident response, vulnerability management, and secure development.

Vulnerability Management

We employ a multi-layered vulnerability management program that includes periodic internal and external vulnerability scans, ongoing static and third-party code analysis, and regular penetration tests of our products and services.

Findings from security tests are prioritized based on risk. We maintain a formal process to track and remediate identified vulnerabilities, with a focus on addressing critical and high-risk findings in alignment with our defined remediation SLAs. Remediated systems are subject to re-testing to validate the effectiveness of applied fixes.

Asset Management

• Aura maintains a process for identifying and inventorying company assets (hardware and software).
• Asset lifecycles are controlled and managed. The IT department is responsible for managing the lifecycle and secure destruction of decommissioned physical assets.

Data Classification

Protecting data starts with an understanding of the types and locations of data within an organization. Aura classifies all data into three categories:

• Public data: Any data elements that have been approved by Legal for public consumption. These include public web pages, press releases, job postings, public financial reporting etc. This information may be shared as needed.
• Internal-Use-Only: Any data that does not fall into the Public or Sensitive category. Access to this data is limited by business need.
• Sensitive data: This includes Customer Data. This data is stored in secured locations and encrypted in accordance with strong, industry-recognized standards. Access is limited by roles and business need.

Data Handling

• Sensitive Data is stored in the Production Environment, and in authorized, secure storage locations.
• Sensitive Data does not move out of the Production environment unless required to provide Aura products or services, or as otherwise set forth in Aura’s privacy policy. 
• Destruction of electronic data is carried out using approved methods for secure destruction

Encryption

We require Sensitive Data to be transmitted in an encrypted format when traveling beyond Aura networks. Aura employs strong encryption protocols to protect data. Data in transit is protected using TLS ver. 1.2 or higher for Web Sites and data exchange with Vendors and Partners. Data at rest, including in databases and file systems, is encrypted using robust, industry-recognized algorithms. We also enforce encryption on endpoint devices and utilize secure vaults for key management.

Internal Aura Account Management

• The assignment of account privileges throughout the organization are guided by the “Least Privilege Principle”, “Need to know” and the use of Role Based Access. Least privilege principle holds that each user will be assigned the minimum account privileges necessary to perform their job functions.
• Requests for new, modified, or ad hoc access to Customer Data are subject to review and approval by the designated system or data owners based on a demonstrated business need. 
• Roles are established at the time of hire by People Operations and are auto-provisioned by the HRIS system and identity provider (IdP) system.
• Account privileges for separated employees or contractors are revoked in a timely manner upon separation.
• To maintain individual accountability, user accounts are required to be uniquely identifiable and traceable to a specific person.
• The use of shared, or generic, accounts is strongly discouraged. In the rare situation in which a shared account is needed, each use of the account must be tied to the person using it via audit record.
• We enforce strong password complexity and history requirements, enforced by our identity provider, in line with modern industry guidance. 

Security Awareness

• Information Security and Privacy training is mandatory for employees at time of hire. Additionally, regular re-training occurs.
• All employees and contractors are provided an internal website that encapsulates the security policies for the organization.

Malware Detection

• Company workstations are protected by industry-standard malware prevention and detection software. Configurations are set to prevent users from disabling the software.
• In addition, malware detection is being done by web and email gateways.

Physical Security

• Aura's production systems and customer data are hosted by a Cloud Service Provider (CSP). Aura does not operate on-premise data centers. The CSP is responsible for the physical and environmental security of its data centers and is audited regularly.
• Aura makes use of a single office space, where employees can meet and interact with others. This space is designated for employee collaboration and is not authorized for the storage or processing of production data.
• There are no trusted networks in the collaboration space.  All network access to company data must be authenticated and authorized through a SASE gateway.
• Visitors are permitted at the collaboration space with registration. Secure areas are protected by appropriate entry controls to restrict access to authorized personnel.

Application Security

• Aura uses an Agile development methodology and deployments are handled in a continuous delivery model.
• Aura maintains a Software Development Life Cycle (SDLC) with consideration and training for common vulnerability patterns, such as those identified by industry groups like OWASP.
• Development and testing is carried out in a separate environment using a test data set. The use of production data in development or testing is prohibited.
• Static Code analysis is carried out as part of the development pipeline.

Change Management

• The company uses an agile methodology for engineering and a continuous delivery model of changes to production.
• Changes follow a defined change management process, which includes requirements for approval and separation of duties before release. 

Network Controls

• The Aura network is designed with a defense in depth philosophy. Our product is built on a modern, secure, and scalable cloud foundation that leverages isolated components to ensure process integrity and secure data flow. Network segments are separated by network firewalls or application firewalls.
• The edges are protected by web application firewalls. Direct network-layer connectivity to our edge boundaries is restricted.
• Data Loss Prevention systems are employed on endpoints and network layers
• Changes to firewall rules (often in the form of security groups or web application firewalls) are logged and reviewed.
• All endpoint connections to the Internet go through a web gateway which provides blocklists, data loss prevention, and security hygiene services.
• Wireless access is provided in the collaboration space, but is not considered a trusted network and is segregated from the production environment.

Remote Access

• Remote access to internal company resources requires authentication through a secure gateway, which enforces Multi-Factor Authentication and logging.

Security Monitoring

• Security-relevant logs are centralized and managed by the Information Security team, with appropriate monitoring and response procedures.

Security Incident Handling

• Security incidents are managed by the Information Security and Engineering teams as appropriate.
• Incidents are classified according to the Incident Response Plan
• Incident Response Plan is defined and reviewed annually. The plan includes considerations for notification, response, and the use of third party resources.  
• Tabletop exercises are conducted at least annually.

Compliance

Aura Suite certifies to the following security standards:

• PCI DSS
• SSAE 18 SOC2 Type II
• ISO27001