We take the security of your data very seriously. We realize that data is one of the most valuable assets you have these days. Because we think that transparency is an important principle in the context of security, we aim to be as clear and open as we can about the way we handle security and data privacy.
Our main goal in the context of security is to ensure that the CIA (Confidentiality, Integrity and Availability) triangle is in place. Our staff has an important role in this mission, and we place strict controls over our employees and internal processes.
We perform background checks during the hiring process of each future employee. Each employee has to take security and data privacy training with our Security Manager. The training focuses on how to securely use our internal tools and how to handle sensitive information, and a significant part of it is a workshop and discussion about social engineering, phishing and physical security. All employees are committed to ensuring that Customer Data is not seen by anyone who should not have access to it.
The operation of Slido requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose an issue which you are having while using our services, we may need to access your Customer Data. We use logical restrictions on the application layer to ensure that everyone has access only to the Customer Data needed to perform their job duties. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.
In addition to the work we do at the infrastructure level, we provide event Administrators of paid versions of Slido services with additional tools and settings to enable their own users to protect their Data:
Slido provides Customer Data export capabilities. Event Administrators are able to export questions as well as polls with complete results via the Admin page.
Upon the Customer’s request, it is possible to delete Customer Data after the event. This request is usually processed within 24 hours. Our Customer Support will be happy to discuss details about export capabilities as well as information regarding the Customer’s data deletion.
Slido is hosted within AWS (Amazon Web Services) infrastructure. Currently our servers are located in Dublin, Ireland. We might expand our servers to different regions within AWS infrastructure. The AWS environment that hosts Slido services maintains multiple certifications for its data centers, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website (https://aws.amazon.com/security/) and the AWS Compliance website (https://aws.amazon.com/compliance/).
When it comes to architecture, we use multiple tiers within our stack. Each function or service is limited to operating only within a specific tier, and each tier provides services only for the functions intended for that tier.
Slido services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. Customer Data is also encrypted at rest.
We monitor the changing cryptographic landscape closely and work promptly to upgrade the service in response to new cryptographic weaknesses as they are discovered, and to implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients.
The approximate availability of Slido services is 99.95%. Our infrastructure runs on systems that are tolerant of failures of individual servers. Our operations team tests disaster recovery measures regularly. Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up on a regular basis.
Our solution is monitored on several levels. We use infrastructure as well as application monitoring tools. In combination with specialized tools for analysis and data visualization, this gives us strong insight into the condition of our services. Slido maintains an extensive, centralized logging environment in its production environment that contains information pertaining to security, monitoring, availability, access, and other metrics about Slido services.
Our security team is responsible for incident management and response. On a daily basis, its primary goals are:
In the event of a security breach, Slido will promptly notify you of any unauthorized access to your Customer Data. Slido has incident management policies and procedures in place to handle such an event.
We contract with respected external security firms who perform regular audits of the Slido services to verify that our security practices are sound and to monitor Slido services for new vulnerabilities discovered by the security research community. The most recent report from the audit is available upon customer request.