Infrastructure
Network Architecture
BWith AI's network architecture is built according to AWS best practices, including separating public and private subnets.
-
BWith AI uses Cloudflare as a CDN provider to prevent DDoS attacks and brute-force attacks.
-
Load balancers reside in the public subnet, while internal network components such as the web application servers and databases reside in the private subnet, and have no public IPs assigned to them.
-
A Web Application Firewall (WAF) is in place for content-based dynamic attack blocking.
Hosting Providers
To achieve high availability and resiliency, our service is hosted on Amazon Web Services (AWS) infrastructure in North America. In the AWS Shared Responsibility Model, AWS manages the security of the cloud computing infrastructure, while BWith AI manages the security of the software and data residing on the cloud computing infrastructure. All requests to the application servers are routed through Cloudflare which acts as a firewall.
Data Center Security
The BWith AI infrastructure is 100% cloud based, and hosted by data centers with the highest level of certifications including ISO 27001 and SOC. For more compliance information, you can visit AWS Security and AWS Compliance.
Data Encryption
BWith AI uses the following encryption:
-
Encryption in transit: Data in transit across open networks is encrypted using TLS 1.3 (at minimum, TLS 1.2)
-
Encryption at rest: Data at rest is encrypted using AES-256. Encryption keys are stored using AWS Key Management Service (KMS).
-
Tenant separation: Our environment is multi-tenant with logical separation between customers. Customer data is segregated at the application level using unique IDs that are the result of a combination of several parameters.
Scalability and Reliability
Microservices architecture is utilized to ensure minimal impact on system health in the case of failure of one or more components.
-
The BWith AI service is fully containerized, which allows a highly scalable infrastructure, suitable for dealing with increasing customer demand while providing a quality experience for end-users.
-
Infrastructure-as-code is widely used via Terraform to ensure audibility and maintainability of infrastructure resources.
-
We constantly monitor our service performance and have automatic notifications to ensure rapid response for service interruptions.
-
All code is audited and peer reviewed before deploying to production servers.
-
We proactively protects against denial-of-service (DoS) attacks using CloudFlare’s advanced distributed DoS protection.
Security
Vulnerability Testing
BWith seeks out and proactively addresses vulnerabilities in our code and dependencies through automated tools, peer-review and penetration tests. All public access to our applications is proxied through Cloudflare which detects and automatically blocks unexpected traffic. Contact us to submit a bug to our bug bounty program.
Access Procedures
We maintain automatic access and security logs. All employees are required to use two-factor authentication and strong passwords that are unique from other services. Customer data access is limited, and is allowed only to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and require public key authentication. Individual employee access follows a principle of least access, and access rights are reviewed quarterly.
Application Development
New features, performance improvements, and bug fixes are deployed multiple times per week. We rely on a strict system for code quality and security. All code is peer reviewed, and requires multiple levels of acceptance on test/staging environments prior to deployment on production. Changes are checked for security and errors via extensive unit, integration, and static analysis tests. Production data is separated from development environments.
Access to Production
Access to production assets is granted based on role and in accordance with the need-to-know and least privileges principles. Administrative privileges are provided only to a small and limited team of developers. All access to the BWith AI servers is through a VPN.
Privacy
Decommissioning and Data Removal
All customer data is stored on AWS services, which follows a strict decommissioning policy outlines on page 8 of their security whitepaper:
"AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process."
For customer-specific data, we will manually remove all identifying calendar data associated with your account from our database on request. Any anonymized data will not be removed, as it cannot be linked back to source data. User accounts associated with your organization may also be removed on request.
Financial Information
We do not store any credit card or other financial information on our servers. We do not store any data with regulatory requirements, such as HIPAA or PCI.
Privacy Policy
We have a strict policy to respect the privacy of sensitive customer data: we will never share any of your data, and we will not contact your employees without explicit permission. Our support team will only access your account in the event of a technical support issue that requires real-time access.
You can see our detailed privacy policy here
Access Management
BWith uses role-based administration to allow customers to provide the right BWith access to specified team members on global- or location-specific levels. And SAML can be utilized to integrate with your single sign-on identity provider to further regulate access.
Contact
How to Contact Us
We know these issues are important to you too. If you have any additional questions that aren't answered above or by the help center, please email security@bwith.ai and we'll reply as fast as we can.
If you believe you've found a security vulnerability while using BWith, we'd also like to hear from you. Fixing problems quickly and responsibly is incredibly important to us.