We at Swell focus on our platform’s security, availability, and performance. View our DPA.

Information Security and compliance

Swell maintains a robust Information Security program that consists of policies, procedures, and controls to maintain the confidentiality, integrity, and availability of information and information assets.

Swell has a strong information security program made up of policies, processes, and controls to protect the privacy, availability, and integrity of data and information assets.

Policies, practices, and standards of Compliance Swell are in line with relevant security standards, including SOC2, ISO27001, HIPAA, GDPR, and PCIDSS.

Privacy

Swell respects privacy and is committed to protecting the privacy of our customers’ data and applying industry best practices to protect it. Swell does not sell or trade your personal information and fully adheres to GDPR's privacy obligations. Our full privacy policy is available here.

Protecting Data

All customer data is encrypted in transit over the network via TLS and at rest in our databases. Any credit card transactions are processed on networks that adhere to a PCI DSS standard. Personally Identifiable Information (PII) and sensitive data are not captured in logs. Data is backed up regularly to different geographic regions within our cloud providers to ensure resilience from a regional outage. You can see the health of our systems via the Swell status page.

Encryption and Logical Separation

All data is encrypted at rest and stored in the Cloud Service.. This is accomplished using industry standards for enterprise-grade encryption that are applied to the storage backend. With the proper encryption standards for data in motion, communications between the Customer's endpoints and the Cloud Service are encrypted in transit.

Data between clients is logically separated by the Cloud Service (AWS).

Infrastructure Access Management

Least Privilege

Access to the systems and infrastructure that support the Cloud Service (AWS) is restricted to individuals who require such access as part of their job responsibilities.

Only individuals who need such access as part of their job duties have access to the infrastructure and systems that enable the Cloud Service.

Unique User IDs are assigned to such individuals as part of their hiring and onboarding process.

Password Requirements

The password policy for the Cloud Service adheres to Swell password requirements and is in accordance with industry standards and best practices.

Access Reviews

Access reviews are performed on a periodic basis, Access privileges of terminated Swell personnel are disabled promptly. Access privileges of persons transferring to jobs requiring reduced privileges are adjusted accordingly.

Periodically, access credentials are reviewed, and access privileges of terminated employees are deactivated swiftly. Access rights of individuals transitioning to roles that require less access rights are adjusted accordingly.

Remote access review & networking

All-access to the Cloud Service networks and sensitive information requires authentication and other access-related security controls such as MFA and regularly rotated keys.

Vulnerability Management

The latest applicable patches and updates are applied promptly after becoming available and being tested in the Cloud Service’s pre-production environments.

Security Operations monitors or subscribes to trusted vulnerability reports and threat intelligence sources.

At least once a year, independent third parties conduct penetration testing to highlight application-related vulnerabilities. Only Swell personnel who need to know are provided access to the full findings of external penetration testing. In compliance with any non-disclosure agreements, redacted summaries are provided to customers

Secure Software Development

Based on industry standards like the OWASP, the Swell Software Development Life Cycle (SDLC) architecture ensures that secure design principles are included right into the design and development process of the Swell systems.

Risk Management

Swell maintains a risk management program based on industry guidance.

Annually, Swell conducts a risk assessment to ensure risks are appropriately defined and controls are applied accordingly.

Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.

Security Training and Personnel

For the benefit of its employees, Swell maintains a security awareness program that offers initial training, continuous awareness, and individual staff acknowledgment of the desire to abide by Swell's corporate security rules.

New hires complete initial training on security, sign a proprietary information agreement, and digitally sign the information security policy that covers key aspects of the Swell information security policy.

All Swell personnel are required to complete security training annually satisfactorily.

Notification of Security Breach

Swell will notify customers in writing within seventy-two (72) hours of a confirmed security breach.

Notifications will summarize the known details of the Security Breach and the status of Swell’s investigation.

Swell will take appropriate actions to contain, investigate, and mitigate any such Security Breach.

Availability and Disaster Recovery

Swell maintains a Disaster Recovery Plan (DRP) for the Cloud Service. The DRP is tested annually.

In addition, Swell has policies, practices, and security controls in place to guarantee that crucial company operations will continue in the case of a catastrophic disaster. For the Swell Cloud service, this involves data redundancy and resilient data centers.

Vulnerability Reporting

In accordance with reasonable disclosure, we continue to respond to submitted security issues and encourage anyone to report bugs on our platform.

To submit a bug for review, please send an email to [email protected]