Security Standards

These Security Standards are effective as of July 12th, 2016


Confidentiality

We take the security of your data very seriously. We realize that data is one of the most valuable assets you have these days. As we think that transparency is an important principle in the context of security, we aim to be as clear and open as we can about the way we handle security and data privacy.

Detailed information about what we consider Customer Data and how it is used can be found in our Privacy Policy (https://www.sli.do/terms-policy#/pp).

Staff Practices

Our main goal in the context of Security is to ensure that the CIA (Confidentiality, Integrity and Availability) triangle is in place. Our staff has an important role in this mission, and we place strict controls over our employees and internal processes.

We perform background checks during the hiring process of each future employee. Each employee has to take security and data privacy training with our Security Manager. The training is focused on how to securely use our internal tools and how to handle sensitive information, and a significant part of the training is a workshop and discussion about social engineering, phishing and physical security. All employees are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of Slido requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose an issue which you are having while using our services, we may need to access your Customer Data. We use logical restrictions on the application layer to ensure that each person has access only to the Customer Data needed to perform his or her job duties. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.

Security and Data Privacy Product Features for Administrators

In addition to the work we do at the infrastructure level, we provide event Administrators of paid versions of Slido services with additional tools & settings to enable their own users to protect their Data:

  • Privacy level of an event (public / hidden / private)
  • Attendee authentication:
    • Passcode
    • Google SSO (Google OAuth)
    • SAML-based SSO, e.g. Okta

Data Manipulation

Slido provides Customer Data export capabilities. Event Administrators are able to export questions as well as polls with complete results via the Admin page.

Upon the Customer's request it is possible to delete Customer Data after the event. This request is usually processed within 24 hours. Our Customer Support will be happy to discuss details about export capabilities as well as information regarding the deletion of the Customer's data.

Infrastructure

Slido is hosted within AWS (Amazon Web Services) infrastructure. Currently our servers are located in Dublin, Ireland. We might expand our servers to different regions within AWS infrastructure. The AWS environment that hosts Slido services maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website (https://aws.amazon.com/security/) and the AWS Compliance website (https://aws.amazon.com/compliance/).

When it comes to architecture, we use multiple tiers within our stack. Each function or service is limited to operating only within a specific tier, and each tier provides services only for the functions intended for that tier.

Data Encryption

Slido services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Customer Data is also encrypted at rest.

We monitor the changing cryptographic landscape closely and work promptly to upgrade the service in response to new cryptographic weaknesses as they are discovered, and to implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients.

Availability and Disaster Recovery

The approximate availability of Slido services is 99.95%. Our infrastructure runs on systems that are fault tolerant to failures of individual servers. Our operations team tests disaster recovery measures regularly. Customer Data is stored redundantly at multiple locations in our hosting provider's data centers to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data and our source code are automatically backed up on a regular basis.

Monitoring and Logging

Our solution is monitored on several levels. We use infrastructure as well as application monitoring tools. In combination with specialized tools for analysis and data visualization, these give us clear insight into the condition of our services. Slido maintains an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about Slido services.

Incident Management and Response

Our security team is responsible for incident management and response. On a daily basis its primary goals are:

  • Proactively review security-related logs and search for any sign of a security incident or a vulnerable part of the system.
  • React to security incidents according to our Security Incident Reporting and Response Policy.

In the event of a security breach, Slido will promptly notify you of any unauthorized access to your Customer Data. Slido has incident management policies and procedures in place to handle such an event.

External Security Audits

We contract with respected external security firms who perform regular audits of the Slido services to verify that our security practices are sound and to monitor Slido services for new vulnerabilities discovered by the security research community. The most recent audit report is available upon customer request.


Contact Us

If you have any additional questions regarding security, we are happy to answer them.
Please contact us at security@slido.com and we will respond as quickly as we can.