Information Security Statement
2023
AudioEye does not store personally identifiable information (PII), protected health information (ePHI), or payment card industry (PCI) data. AudioEye is a publicly traded company conducting business with multiple government organizations, as well as clients in the financial, healthcare, and human resources industries. In an effort to ensure the highest degree of systems integrity, and to support the security needs of these industries, AudioEye systems are built to incorporate the standards and safeguards required for HIPAA, PCI, and SOX compliance. While the specifics of these documented processes exist in various forms, we generally approach security from the perspective of defense in depth: Physical Controls, Technical Controls, and Administrative Controls.
Physical Controls
AudioEye’s physical security policies focus on controls around both facilities and workstations.
Facilities:
- All publicly accessible systems are contained in Amazon’s Web Services cloud infrastructure, a SOC-3 facility with current SOC-2 audit on file.
- Systems are created leveraging virtual private cloud technology (AWS VPC), which logically isolates content in protected and secured subnets.
- Access to physical systems is not allowed by any AudioEye employee.
- Physical access is limited only to Amazon employees who do not have access to AudioEye systems.
- AudioEye employees are only granted systems access through a limited software virtualization layer.
- AudioEye systems exist in multiple availability zones (redundant data centers) providing high-availability of information in the event of a physical disaster.
- Entry to AudioEye offices requires a badge: either a card reader or a software token (OpenPath).
Workstations:
- Most employee workstations are property of AudioEye.
- AudioEye workstations only contain AudioEye-approved applications for development.
- AudioEye workstations are restricted at the user level, password-protected, and encrypted.
- AudioEye workstations exist in a physical location that remains protected in a locked building.
- AudioEye workstations have an IT-managed firewall and antivirus/content-filtering software installed, monitored, and maintained.
- Only select users are permitted access to production systems, and only through approved interfaces that have full auditing controls in place.
Technical Controls
When it comes to Technical Security we focus on four key pillars: Access, Integrity, Transmission, and Auditing.
Access:
- Depending on system type, each authorized user of AudioEye’s systems possesses either a unique user ID and password; a unique user ID and RSA key; or a unique user ID, password, and Multi-Factor Authentication (MFA) device.
- Users implementing solutions for our clients can only update systems using controls that are specifically designed to limit access, validate permissions to execute commands, and minimize exposure to system architecture.
- Access to critical systems infrastructure is limited to a select group of administrators that do not develop system code.
- All users are logged off after a period of inactivity, and successive failed login attempts result in a period of system lockout.
- All sensitive data at rest is stored using multiple layers of encryption at both the application and system layer, and specific access controls have been developed to ensure decryption access is granted only to authorized users.
Integrity:
- Redundant infrastructure exists in multiple availability zones to ensure highly available and accurate access to data.
- All changes that are intended to affect customer websites occur as part of a versioning and publishing process that fully tracks ownership from authoring to publication.
- Electronic data is not destroyed; rather, it is archived as outlined in AudioEye’s data retention policy.
Transmission:
- Electronic data is transmitted only upon verification that the site requesting data is approved to receive data from AudioEye.
- All data is transmitted over secure Verisign TLS/SSL channels.
Auditing:
- All actions performed by system administrators, content creators, and publishers are logged in a system that identifies unique users, action taken, and date/time of action.
- All content changes are versioned and published identifying the user authoring the change and allowing for a simple “roll-back” process in the event of a system or user error.
- System access logs allow for client-side access to be logged and monitored.
Administrative Controls
AudioEye’s policies, procedures, and methodologies are designed to govern AudioEye employees and ensure that business practices guarantee a high level of confidentiality, integrity, and availability. Our practices are built on these key components:
- An internal team meets regularly to assess development strategies, review work products, and perform threat analysis.
- AudioEye is implementing a vendor management program to manage third party risk.
- AudioEye software routinely undergoes application security testing (SAST), vulnerability testing, and penetration testing (DAST) by independent third parties, so that we know and understand where our vulnerabilities lie and can apply risk assessment when allocating resources.
- By Q3 2023 AudioEye will have a statement of compliance with respect to GDPR and CCPA.
All of these policies are detailed more completely in documentation created specifically to address each component and standard individually. Additional details can be made available upon request.