Security Standards

Last Updated: Jan, 2023

The following is a general description of Aura’s security standards and practices as of the date hereof. Aura continuously reviews its practices, and the following may change without notice as Aura deems reasonably necessary to improve its security standards and practices.

Secure Architecture

  • All personal data of customers of Aura’s products or services (“Customer Data”) is accessible only by authorized Aura team members and only on a need-to-know basis. 
  • Customer Data never leaves the production environment except as needed to provide Aura products and services to the customer or otherwise in accordance with Aura’s privacy policy. 
  • Web access, where end-users access their Customer Data, is entirely segregated from the rest of Aura’s technical architecture. 
  • No administrative access to Aura’s architecture is available directly from the public Internet.

Information Security Policy and Program Management

Aura’s Security Program is overseen by Aura’s Executive Management. Execution of the Security Program is delegated to the Chief Information Security Officer (CISO). Management delegates the maintenance of issue-specific policies to the CISO. Specific policies are reviewed annually and include the following:

  • Acceptable Use Policy
  • Account Management Policy
  • Application Development Policy
  • Approved Software Policy
  • Change Management Policy
  • Cloud Computing Policy
  • Configuration Management Policy
  • Data Classification & Handling Policy
  • Data Protection Policy
  • Electronic Mail Policy
  • Employee Onboarding & Offboarding Policy
  • Firewall Management Policy
  • Hardening Standards Policy
  • Incident Response Plan
  • Information Backup Policy
  • Information Security Policy
  • IT Asset Management Policy
  • Logging & Monitoring Policy
  • Network Controls Policy
  • Password Management Policy
  • Patch Management Policy
  • PCI Scoping Document
  • Personal Device Use Policy
  • Physical Security Policy
  • Policy on Information Security Policies
  • Remote Access Policy
  • Risk Management Policy
  • Security Awareness Policy
  • Third Party (Vendor) Management Policy
  • Vulnerability Management Policy

Vulnerability Management

The following steps are taken to identify vulnerabilities in software and services hosted by Aura, as Aura determines necessary.

  • Regularly occurring internal vulnerability scans
  • Quarterly external vulnerability scans
  • Ongoing static code scans of all Aura production source code
  • Third-party library code scans of all Aura production source code
  • At least annual penetration tests of Aura products and services
  • All critical and high findings are remediated as soon as reasonably possible. Systems are retested until findings are resolved.

Asset Management

  • Aura identifies all assets (hardware and software) and maintains an active list.
  • Asset lifecycles are controlled and managed. The IT department is responsible for managing the lifecycle and secure destruction of decommissioned physical assets.

Data Classification

Protecting data starts with an understanding of the types and locations of data within an organization. Aura classifies all data into three categories:

  • Public data: Any data elements that have been approved by Legal for public consumption. These include public web pages, press releases, job postings, public financial reporting etc. This information may be freely shared.
  • Internal-Use-Only: Any data that does not fall into the Public or Sensitive category. This information does not leave the company’s control under any circumstances. Access to this data is limited by business need.
  • Sensitive data: This includes all Customer Data, and any personal data received by Aura from its business partners. This data is stored in secured locations and encrypted in accordance with industry-leading standards. Access is limited by roles and business need and monitored daily for appropriate use.

Data Handling

  • Electronic Sensitive Data is stored in the Production Environment only, and in authorized, secure storage locations.
  • Sensitive Data does not move out of the Production environment unless required to provide Aura products or services, or as otherwise set forth in Aura’s privacy policy.
  • Any movement of Customer Data outside the production environment is in encrypted format.
  • Destruction of electronic data is carried out using approved methods for secure destruction.

Encryption

All sensitive data is encrypted in transit when traveling beyond Aura networks.

  • TLS 1.3 for websites and for data exchange with vendors and partners
  • SFTP, authenticated via keys, for file transfers where specifically requested

Storage Encryption

  • Structured Storage: Database encryption using AES-256
  • Unstructured Storage: Filesystem encryption using AES-256

Device Encryption

  • All laptops are encrypted using BitLocker or FileVault

Key Management

  • Aura’s key management uses Aura-managed keys where possible

Internal Aura Account Management

  • The assignment of account privileges throughout the organization is guided by the “Least Privilege Principle”, “Need to Know”, and the use of Role-Based Access. The least privilege principle holds that each user is assigned the minimum account privileges necessary to do their job and no more.
  • All roles are preapproved by the relevant Aura data owner.
  • Ad hoc data access requests are individually approved by the data owner based on a business need.
  • All access to Customer Data is reviewed by the Data Owner and Information Security.
  • Roles are established at the time of hire by Human Relations and are auto-provisioned by the HRIS system and identity provider (IdP) system.
  • On termination, all access is removed by end of day, often within 1 hour.
  • Accounts are always traceable back to an individual.
  • Shared accounts are not permitted and, where not avoidable, the passwords are set to unmemorable values and stored in an auditable password management database.
  • Password requirements are: minimum of 12 characters, contains both numbers and letters, may not be the same as the previous 4 passwords. These rules are enforced by an identity provider solution.
  • In accordance with modern industry standards, we do not automatically expire passwords based on time. This is in line with NIST recommendations, SP 800-63B.

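The password rules above (minimum 12 characters, letters and digits, no reuse of the previous 4 passwords, no time-based expiry) implemented as a standalone checker. This is an added illustration, not Aura's code or its identity provider's configuration; the history is kept as salted hashes, and the PBKDF2 iteration count is an assumption chosen for speed, not a production value.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 12      # page: minimum of 12 characters
HISTORY_DEPTH = 4    # page: may not match the previous 4 passwords
PBKDF2_ROUNDS = 50_000  # assumption for a quick demo; raise this in production

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest); plaintext is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so the history can be checked without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)   # re-hash with the stored salt
        if hmac.compare_digest(candidate, digest):      # constant-time comparison
            return True
    return False


def validate_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable.
    No time-based expiry rule exists here, matching the NIST SP 800-63B guidance cited above."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letter")
    if matches_history(password, history):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def rotate_password(new_password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Accept a new password only if it passes every rule, then record its hash."""
    problems = validate_password(new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(new_password))
    return history
```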
Security Awareness

  • All employees undergo an Information Security and Privacy orientation at time of hire and annually thereafter.
  • All employees and contractors are provided an internal website that encapsulates the security policies for the organization.

Malware Detection

  • All endpoints are protected by industry standard malware prevention and detection software. The software signatures are updated at least daily. The configuration prevents the user from being able to disable the software.
  • In addition, malware detection is performed by the outbound internet gateway and the email gateway.

Physical Security

  • Aura makes use of a very small number of collaboration spaces, where employees can meet and interact with others. There are no on-premises data centers, and no data is stored in these collaborative areas.
  • There are no trusted networks in these collaboration areas. All network access to company data must be authenticated and authorized through a SASE gateway.
  • Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Visitors are permitted with pre-registration.
  • Our cloud systems are housed in AWS data centers that are protected with appropriate controls and audited regularly. We review those audit results as we conduct our internal audits.

Application Security

  • Aura uses an Agile development methodology, and deployments are handled in a continuous delivery model.
  • Aura maintains a Software Development Life Cycle (SDLC) with consideration of, and training on, security principles in software development.
  • All production products and services are tested against the OWASP Top 10 vulnerabilities.
  • Development and testing are carried out in a separate environment using a test data set. No production data is ever used in development or testing.
  • Static code analysis is carried out as part of the development pipeline.
  • Dynamic code analysis is carried out on a weekly basis.

Change Management

  • The company uses an agile methodology for engineering and a continuous delivery model of changes to production.
  • All changes follow a defined change management process.
  • All changes are approved before they are released, with clear separation of duties.

Network Controls

  • The Aura network is designed with a defense-in-depth philosophy. Products use a serverless architecture, and various components do not have direct connectivity at lower levels of the network stack.
  • Network segments are separated by network firewalls or application firewalls.
  • The edges are protected by web application firewalls. There are no options for direct connectivity at the network layer to our edge boundaries.
  • Data Loss Prevention systems are employed at the endpoint and network layers.
  • Changes to firewall rules (often in the form of security groups or web application firewalls) are logged and reviewed.
  • All endpoint connections to the Internet go through a web gateway which provides blocklists, data loss prevention, and security hygiene services.
  • Wireless access is provided in collaboration areas, but it is not considered a trusted network and has no connectivity to the production environment.

Remote Access

  • Most of the company’s applications are delivered via a SaaS model, and team members access these without going through a corporate data center or a central physical network hub.
  • All access to the internal environment goes through a SASE gateway, which requires multi-factor authentication and is logged and monitored.

Security Monitoring

  • Information Security is responsible for all security event monitoring.
  • All logs are centralized and managed exclusively by Information Security, with appropriate monitoring and response happening on a continuous basis.

Security Incident Handling

  • Security incidents are managed by the Information Security and Engineering teams as appropriate.
  • Incidents are classified according to the Incident Response Plan.
  • The Incident Response Plan is defined and reviewed annually. The plan includes considerations for notification, response, and the use of third-party resources.
  • Tabletop exercises are conducted at least annually.

Compliance

Aura Suite certifies to the following security standards:

  • PCI DSS
  • SSAE 18 SOC2 Type II