Last Updated: June 8th 2021
Proof’s entire infrastructure is hosted with Amazon Web Services (“AWS”). You can read more about AWS security as a whole here:
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
All data is stored in the following physical locations:
Ohio, USA (primary)
Oregon, USA
California, USA
Virginia, USA
All data is encrypted at rest with industry-standard AES-256 encryption
All of our servers, databases, and network are behind a firewall and are not externally accessible other than ports 80 & 443 on our web servers. All of our data, including databases and object storage, is completely inaccessible outside of our internal network.
All internal <-> external traffic is encrypted in transit with HTTP over TLS (HTTPS)
Access to AWS is limited to key personnel
All AWS accounts have completely random passwords at least 16 characters long
All AWS accounts are protected by multi-factor authentication (TOTP, we do not allow MFA via SMS due to ISP social engineering)
Suspicious login attempts trigger immediate alerts
Access to all AWS infrastructure services is logged and routinely audited
Our entire infrastructure is monitored for performance & availability
SQL data is backed up daily, and binary logging is enabled for point-in-time recovery
Object storage data is stored in multiple regions throughout the US and backed up daily
All key components of our infrastructure are load-balanced and have failover redundancy in place for service outages
Under no circumstances is any of our customers’ data shared with third parties
We enforce strong password policies for all Proof end user accounts (minimum 8 characters including 1 uppercase letter, 1 number, and 1 symbol)
We offer both multi-factor authentication (MFA) and single sign-on (SSO) for enterprise-level customers
Proof’s infrastructure is monitored for uptime and performance 24/7/365. Our historical uptime over the years is over 99.9%. You can always check on the status of our infrastructure at https://status.proofserve.com
In the event of a security breach, all affected customers will be notified within 1 day (24 hours).