Information Security

Your Data is Safe

At Airbridge, we take the security of our infrastructure seriously and adhere to industry security standards to protect your organization's data.

Protecting your Privacy and Data

Keeping your data secure is our number one priority. We continuously invest time and resources in monitoring and adapting to the latest threats through our security frameworks, procedures, and policies. Data in Airbridge is protected by multiple layers of controls: access control, data encryption, network infrastructure security, asset security management, cloud product security, physical security, personnel security, and monitoring and reporting protocols. Third-party security assessments are conducted to confirm that these frameworks, procedures, and policies are maintained to a high standard.

Compliance

AB180 Inc. complies with the laws and regulations relevant to the safe provision of Airbridge. In addition, we strengthen our information security capabilities and service safety by having our information security management system audited every year by an internationally accredited certification body.

ISO/IEC 27001 is the international standard for information security management systems (ISMS), published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). AB180 Inc. obtains and maintains certification covering the overall planning, development, and operation of the Airbridge service.

Key Features

Product

  1. Access Control
    We control access to an app through three account types, 'App Owner', 'In-house Marketer', and 'Agency', each with a different level of permission.
  2. Protecting Passwords and Sensitive Data
    Sensitive data, including users' passwords, is protected before it is stored. Passwords in particular are never stored directly: they are hashed with PBKDF2 (Password-Based Key Derivation Function 2), a salted and iterated key derivation function, and only the derived value is stored.
  3. Opt-Out on Sending Privacy Data
    To comply with the Privacy Act of the Republic of Korea and the General Data Protection Regulation (GDPR) of the EU, you can use the 'Opt-Out' feature to restrict the sending of personal data.
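The password handling described above, as an added example (not Airbridge's own implementation): each password gets a fresh random salt, PBKDF2-HMAC-SHA256 is iterated many times, and the result is stored in a self-describing record so the iteration count can be raised later. The record layout, iteration count and salt size are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Added example of salted, iterated PBKDF2 password storage. Not Airbridge's
# code; the record layout, iteration count and salt size are assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password and return a self-describing record.

    Layout: pbkdf2_sha256$<iterations>$<salt b64>$<derived key b64>.
    A fresh random salt per password means identical passwords produce
    different records and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time. Malformed records verify as False."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record is below current policy, so the password can
    be re-hashed transparently at the user's next successful login."""
    try:
        algorithm, iterations_used, _salt, _dk = record.split("$")
        return algorithm != ALGORITHM or int(iterations_used) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
```

The stored record carries its own parameters, so a deployment can raise the iteration count without invalidating existing passwords: `needs_rehash` flags old records and they are upgraded the next time the user logs in with the correct password.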

Infrastructure & Network

  1. Infrastructure on AWS
    1)  All Airbridge services run in the cloud. Airbridge does not operate its own routers, load balancers, DNS servers, or physical servers.
    2)  We use Amazon Web Services (AWS), and all infrastructure is located in the AWS Tokyo region. Under AWS's policy, the exact location of the data centers is not disclosed, so all Airbridge infrastructure relies on AWS's physical and environmental security controls. For more information, see the AWS security page.
    3)  Airbridge operates in at least two Availability Zones for business continuity and disaster recovery.
    4)  Airbridge follows the AWS Shared Responsibility Model and AWS security best practices.
    5)  For more information on AWS's compliance programs, see the AWS compliance page.
  2. Regular Vulnerability Inspection & Patch
    1)  Using Amazon Inspector, we regularly scan all instances for known security vulnerabilities at both the OS and the application level.
    2)  Software and libraries with security vulnerabilities are patched to the latest version that is compatible with the existing systems.
    3)  All server instances are built from standard OS images with system hardening, including secure default settings.
  3. VPC & Security Group
    All servers are isolated from external networks and operate inside an AWS VPC (Virtual Private Cloud). Unauthorized external access is blocked by multiple controls, including Security Groups.
  4. Real-time Network Monitoring with Intelligent Threat Detection System
    Using Amazon GuardDuty, an intelligent threat detection service, we monitor VPC Flow Logs, DNS logs, and AWS console access and API call logs (CloudTrail) in real time.
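To make concrete what "monitoring flow logs" means, here is an added example (illustrative code, not GuardDuty's logic or Airbridge's tooling) that parses records in the default VPC Flow Log format and flags a source that is rejected on many distinct ports in a short window, the classic port-scan signal. The sample records, threshold and window are constructed for the example.

```python
from collections import defaultdict

# Added example of a simple detection over VPC Flow Log records. Not
# GuardDuty's or Airbridge's code; sample data and thresholds are constructed.
FLOW_LOG_FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample in the default (version 2) flow log format. 198.51.100.7
# probes 12 ports within a minute and is rejected each time; 203.0.113.5 is a
# normal HTTPS client; 203.0.113.9 has two rejects, below the threshold; the
# last line is a SKIPDATA record, which carries '-' in most fields.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40001 21 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40002 22 6 1 60 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40003 23 6 1 60 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40004 25 6 1 60 1700000003 1700000063 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40005 53 6 1 60 1700000004 1700000064 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40006 80 6 1 60 1700000005 1700000065 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40007 110 6 1 60 1700000006 1700000066 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40008 135 6 1 60 1700000007 1700000067 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40009 139 6 1 60 1700000008 1700000068 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40010 143 6 1 60 1700000009 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40011 443 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40012 445 6 1 60 1700000011 1700000071 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.15 51000 443 6 20 4800 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 52000 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 52001 3389 6 1 60 1700000011 1700000071 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, dropping records whose
    log-status is not OK (NODATA/SKIPDATA) and malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, fields))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=10, window_s=300):
    """Flag sources REJECTed on at least min_ports distinct destination ports
    within any window_s-second window. Returns {srcaddr: sorted ports}."""
    rejects = defaultdict(list)
    for rec in records:
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]].append((rec["start"], rec["dstport"]))

    findings = {}
    for src, events in rejects.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window over sorted starts
            ports = {port for t, port in events[i:] if t < t0 + window_s}
            if len(ports) >= min_ports:
                findings[src] = sorted(ports)
                break
    return findings


if __name__ == "__main__":
    for src, ports in detect_port_scans(parse_flow_log(SAMPLE_FLOW_LOGS)).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

A managed service adds far more context (threat intelligence, baselines per instance, DNS and CloudTrail correlation), but the raw material is the same: flow records with source, destination, port and action, evaluated over time.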

Data Storage, Transfer, Permissions & Access Control

  1. Encrypted Storage on Cloud
    All user data is stored on AWS infrastructure in the Tokyo region. Sensitive data is encrypted at rest with AWS SSE-S3 (AES-256), and decryption and access events are logged and audited.
  2. Encrypted Transit
    All data in transit is encrypted with HTTPS (SSL/TLS); TLS 1.0, 1.1 and 1.2 are supported. Note that TLS 1.0 and 1.1 are formally deprecated (RFC 8996), so clients should be configured to negotiate TLS 1.2 wherever they support it.
  3. Regular Back-up
    We regularly back-up data to prevent data loss.
  4. Access Control
    Employees may access data only for legitimate business purposes, after the CISO's approval, and must complete training in handling sensitive data. Existing access permissions are reviewed periodically to confirm that they are still appropriate for the employee's role.
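Since TLS 1.0 and 1.1 are deprecated, the practical question for an integrator is how to make sure a client never negotiates them. The following is an added example (not Airbridge's configuration) of a Python client context pinned to TLS 1.2 or newer with certificate and hostname verification left on; `negotiated_version` is an illustrative helper for checking what a live endpoint actually negotiates.

```python
import socket
import ssl

# Added example of a TLS client policy that refuses deprecated protocol
# versions. Not Airbridge's configuration; the helper names are assumptions.


def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and requires a valid
    certificate chain whose name matches the host."""
    ctx = ssl.create_default_context()           # system CA bundle, CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 are never offered
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression enables CRIME-style attacks
    return ctx


def tls_policy_report(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that matter when reviewing a context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def negotiated_version(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> str:
    """Connect to host:port with the given context and report the protocol
    version actually negotiated, e.g. 'TLSv1.3'. Needs network access."""
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(tls_policy_report(strict_client_context()))
    # e.g. print(negotiated_version("example.com")) when online
```

On the server side the equivalent is to disable TLS 1.0 and 1.1 in the load balancer or TLS terminator's policy; the client-side pin above is the defence for environments you do not control.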

Application & Development

  1. Complying S-SDLC(Secure Software Development Life Cycle)
    We follow an S-SDLC (Secure Software Development Life Cycle) in every stage of planning, development, testing, deployment and operation to ensure security, stability, and reliability.
  2. Automated Testing and Deployment
    Applications are deployed to production only after automated testing passes; if a single test fails, the change is not deployed. This process supports both fast feature development and product stability.

Application Monitoring, Business Continuity & Disaster Recovery

  1. Real-time Monitoring about System Status
    We monitor all systems and data pipeline components in our infrastructure 24/7/365 to minimize the impact of failures and breaches and to recover as quickly as possible. Failures are tracked as tickets through third-party tools such as PagerDuty so that engineers can resolve issues quickly. Customers can check the current system status and planned maintenance at any time on the System Status Page.
  2. Monitoring for Sensitive Data
    All access to, modification of, and downloads of sensitive data are recorded and audited regularly.
  3. Risk Assessment
    We regularly assess technical and non-technical risks based on likelihood, impact, and the importance of the asset, and progressively reduce risk according to the DoA (Degree of Acceptance).
  4. Building DR(Disaster Recovery) Scenario
    We build Disaster Recovery scenarios and regularly train related employees.

Security Audits

  1. Internal Audit
    Under the CISO's lead, we conduct internal audits of technical and non-technical data protection logs daily, weekly, monthly, quarterly, semiannually or annually, depending on the task.
  2. Third-Party Audit
    When a third party is responsible for development, infrastructure maintenance, or personal information processing, we audit it thoroughly to confirm that our privacy and personal data protection standards are met.
  3. Regular Pen-Test
    We conduct product pen-tests as part of the SDLC as well as regular internal pen-tests. We also have the entire system pen-tested once a year by a trusted third-party security company.

Physical & HR

  1. Education and Training
    We conduct company-wide security training, plus advanced training for employees who handle personal information, at least once a year.
  2. Security Policies
    All information security requirements are defined and published in internal policy, guideline, and procedure documents. These documents are managed by the information protection committee, composed of in-house C-level executives including the CEO, which checks every month whether the policies are being complied with.
  3. Information Protection Pledges
    All employees and contractors sign an information protection pledge when they sign an employment or service contract, defining their information protection responsibilities according to their work.
  4. SSO & 2FA
    External services used by executives and employees (e.g. G Suite, GitHub, AWS) must have SSO and 2FA enabled to prevent account compromise.
  5. DLP & Anti-virus
    All business PCs are protected against malware by a centrally managed anti-virus solution, and Data Loss Prevention (DLP) solutions help prevent data leakage.

Customer Responsibilities

  1. Do not disclose Airbridge login credentials or token values. If you believe they have been leaked, notify the AB180 Security & Privacy team immediately.
  2. Always log out after using the service on a shared or public PC.
  3. Do not share one login account among several people. If multiple users need access to the Airbridge Dashboard, please do so with feature.
  4. Invite a new App Admin only when necessary. When inviting an Agency as an App Admin, you may ask the agency for documents such as a security pledge, in accordance with your own compliance requirements. Regularly remove App Admin accounts that are no longer needed.
  5. Regularly review the Airbridge Dashboard's Activity History to detect and prevent incidents. If you find an unintended action, notify the AB180 Security & Privacy team immediately.
  6. Comply with data protection laws when consigning and storing user data in Airbridge. In particular, if you provide a service in Korea, you must obtain consent for 'Personal Information Processing Consignment' and 'Personal Information Transfer' in accordance with the Privacy Act. If you provide a service in the EU or to EU citizens, you cannot send personal data to Airbridge without the required consent from the user; where you do not have consent, you must use the Opt-Out feature of the Airbridge SDK.
  7. Do not send personal data of children under 14 years old; use the SDK's Opt-Out feature for them.
  8. Do not perform penetration testing, vulnerability scanning, or similar activity against Airbridge systems without the approval of the AB180 Security & Privacy Team.