High Availability AWS Infrastructure

  • Countable leverages Amazon Web Services (AWS) to deliver a scalable cloud computing platform designed for high availability and dependability.
  • AWS uses redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24/7. Beyond this, Countable maintains 3rd party security testing and monitoring.
  • AWS enables Countable to ensure secure transactions between separate data and software applications, data replication across multiple physical data center locations, and to obtain and configure capacity with minimal friction. All client data is held in Canada at this time.

Network Security

AWS provides several security capabilities to increase privacy and control network access, including:

  • Built-in firewalls that allow control over network access
  • Encryption in transit with TLS across all services
  • DDoS mitigation technologies
  • Physical security
  • 24/7 physical security guard services
  • Physical entry restrictions to the property and the facility
  • Full internal and external CCTV facility coverage
  • Biometric readers with two-factor authentication
  • Facilities are unmarked as to not draw attention from the outside
  • Battery and generator backup
  • Generator fuel carrier redundancy
  • Secure loading zones for delivery of equipment
  • Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function utilizing the principle of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.
  • Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to login. We consider any system that houses our customer’s data to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.
  • Hard drives and infrastructure are securely erased before being decommissioned or reused

Access Monitoring:

Countable leverages AWS CloudFront to enable continuous monitoring of our production environments. Our logging includes system actions as well as access and commands issued by our system administrators.

Logs are reviewed to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.

    Audit Logging:

    All database transactions are logged using a user identification number, IP address, timestamp, and information about the action performed.

      Employee Access:

      Countable leverages AWS IAM access control management when issuing access to all environments. AWS uses 2048-bit SSH-2 RSA keys and are regarded as an industry standard. Countable implements internal processes for issuing and recalling keys from authorized employees.

        Employee Access:

        All data is encrypted in transit with TLS, using a 2048-bit key, signed using the SHA256 RSA industry standard algorithm. Data at rest (residing in our data centers) is encrypted using the industry standard AES-256 algorithm. All data is stored securely on servers located in Canada, and meets Canadian data compliance requirements for certain industries such as the financial and public sectors.

        Snapshot and Backup Security:

        Countable retrieves, encrypts, and stores backups of our production data storage systems approximately every 3 minutes. These backups reside within our data centers for security and compliance purposes.

        Attestations and Certifications:

        All AWS data centers meet and exceed the strictest of certification and compliance laws.

        Attestations and Certifications:

        All AWS data centers meet and exceed the strictest of certification and compliance laws.

        These include but are not limited to:

        • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
        • SOC2
        • SOC3
        • FISMA, DIACAP , and FedRAMP
        • DOD CSM Levels 1-5
        • PCI DSS Level 1
        • ISO 9001 / ISO 27001
        • ITAR
        • FIPS 140-2
        • MTCS Level 3

        Application Development.

        Countable employs SDLC practices combined with internal controls to give users peace of mind. Developers run a battery of tests against all change requests spanning multiple environments to ensure consistency and backward compatibility.

        Release management and deployment is branched to backup and maintain architecture versioning, ensuring the ability to back out of changes at any point. Token based authentication provides Countable administrators total control over access and access expiry

        Attestations and Certifications:

        Countable has service level agreements in-place with our infrastructure and monitoring vendors. AWS provides a 99.99% uptime guarantee across all services and applications that Countable leverages.

        Financial Transactions.

        Countable uses Stripe as our credit card storage and processing vendor. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

        All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure and doesn’t share any credentials with Stripe’s primary services.