Security at Cord
Cord’s SDK lets you add communication and collaboration functionality such as presence, commenting and engagement seamlessly to your application.
Data security is fundamental to our goal of making software more collaborative. Our software product and its infrastructure were designed from the ground up with security and privacy by design, and our software development processes follow industry best practices, so that you can be assured your data is safe and secure.
SOC 2 Certified
Cord is SOC 2 Type II certified. Our SOC 2 independent audit was completed by BARR Advisory, P.A., a firm certified by the American Institute of CPAs (AICPA). The Type II audit is the most robust type, proving a sustained period of compliance with consistent, reliable safeguards to protect our customers’ data. Cord is committed to carrying out an annual SOC 2 audit, with this year’s report due in November 2023.
If you’re interested in reviewing our SOC 2 report, please contact us to receive an MNDA to sign, followed by the report.
Your data is encrypted in transit and at rest, with strong cryptography standards following NIST guidelines. We use TLS version 1.3 to encrypt data in transit and AES-256 to encrypt data at rest.
Our staff is highly trained in secure development, with engineering leaders and team members having spent a decade or more in infrastructure engineering at companies like Google, Meta, Lyft and others. We have ongoing live vulnerability scanning with Snyk and ongoing monitoring of our services. Our code review standards mean all code is reviewed as part of our Software Development Life Cycle (SDLC) policies, and segregated development and production environments run comprehensive, automated tests before our code is live in customers’ apps. Our incident response and SLA policies ensure we can quickly inform you of, contain and resolve any issues that arise, maintaining the integrity, confidentiality and privacy of the service.
For our penetration and intrusion testing, we utilise a reputable, independent third-party company, HackerOne. We are proud that intensive testing has found no exploitable vulnerabilities in Cord’s API and services. If you’re interested in reviewing our pen testing report, please contact us to receive an MNDA to sign, followed by the report.
Data Center Security
Cord’s services run on Amazon Web Services (AWS). You know, like half the internet. AWS’s security is well-regarded as some of the best in the industry, including certifications such as PCI-DSS, HIPAA, SOC 3 and more. AWS’s cloud is fully redundant and has industry-leading disaster recovery protocols. Within AWS, we run in a separate VPC with strict firewall rules, monitoring and secure, limited access that prevent unauthorized network requests into our network.
Strict access controls and policies prevent access to your data by anyone outside Cord, and by Cord employees, except in the case of severe incidents and outages, where specific engineering staff members will receive access and the instances will be reported to you. Our team uses separate, secure hardware to access Cord systems, which is kept continually monitored and up-to-date with the latest security patches and malware protection. Our staff undergo background checks and regular security training, and are under strict confidentiality agreements.
You can read more in our full Security Policy.
GDPR and Data Privacy
Cord considers your data as belonging to you and your clients. We will never sell or share the data you and your users have created in Cord. Our business is providing a safe, secure and private way for your clients to communicate within the boundaries you set using our SDK.
Reliability, Availability and SLAs
Cord understands that the availability of our services is part of the expectation you have in utilising them, and we strive not to let your users down. As part of this, we have multiple redundancies, we back up all of the data daily, and automated monitoring alerts a dedicated team of on-call engineers available 24/7 every day of the year. We have documented, rigorous incident response and disaster recovery protocols which we rehearse at least annually.
Our historical system uptime and current status are updated on our status page, where you can also subscribe to notifications about the availability of the services.
If you have a commercial agreement with us, we are happy to guarantee certain service levels (SLAs) for our uptime, incident response times and support availability. We have historically had >99.9% availability. We will give you notice of any planned downtime for system maintenance, but we have never had to do so thus far, and our services are built with the assumption of being always-on. You can read more about our SLAs for customers.
Cord is trusted by many partners, including public companies, companies handling sensitive data such as financial data, and other sensitive industries. We are proud that these partners trust us with the safety and confidentiality of their and their clients’ data.
To report a potential vulnerability, or for any other question, you can contact our security team at email@example.com. To send us encrypted email, download our PGP key. We do not run a bug bounty program at this time.
Apr 2nd, 2023