Security

Overview

At Beauty Within, protecting client data is one of our top priorities. Here we outline some of the key operational and procedural controls we’ve put in place to help protect your data.

Our software utilizes AWS as our cloud infrastructure provider. A large portion of the technical controls are implemented within our software provider’s AWS environment unless specified otherwise.

Our Engineers

Our internal infrastructure and security teams include highly experienced engineers who play a pivotal role in building, auditing and maintaining secure infrastructure and systems.

Best Practices

Logging & Monitoring

  • We have comprehensive internal logging and monitoring procedures which allow us to audit and monitor events
  • We utilize internal AWS threat-monitoring tools to ensure we are alerted promptly to any anomalous or malicious actions from outside actors
  • We have internal processes that alert engineers to both security and outage events

Identity and Access Management

  • We follow strict internal access policies which help ensure that only authorized systems and people can access or work with production data
  • We conduct regular permissions audits of internal and third party systems to ensure we adhere to a least privilege principle

Encryption

  • We encrypt your data at every opportunity; whilst it’s in transit, in use and at rest, meaning your data is safe at every stage

Build Process Automation

  • Internally, we utilise an automated build pipeline. This allows us to roll out changes and updates efficiently whilst providing adequate logging and auditing capabilities

Infrastructure

  • All our software infrastructure runs in the cloud (AWS). We do not own or run any internal physical or on-prem hardware/servers
  • We have infrastructure across multiple AWS availability zones, which helps provide resilience and redundancy
  • Traffic to and from our infrastructure is protected using finely tuned access control lists (ACLs), which only allow access from explicitly specified ACL entries
  • AWS additionally provides a number of security controls that help protect our cloud-based resources
  • We protect web based resources using both web application firewalls (WAF) and a rate limiting based approach where possible
  • We employ a robust and comprehensive backup strategy using both full and incremental backups
  • We take an automated approach to building and deploying infrastructure, allowing us to easily audit our infrastructure as code and also make quick changes and fixes when required

Data

  • Beauty Within adheres to GDPR compliance requirements and is certified HIPAA-compliant
  • Production data is stored securely within our AWS environment. To protect this data, we employ encryption as well as multiple access and permissions controls
  • The only entities that access your data are you and, in some cases, authorized support engineers whenever they are assisting with a query or technical issue
  • We endeavor to retain data for the shortest amount of time required to conform with regulatory and regional data retention standards
  • Additional information related to AWS compliance and certifications can be located here

Payment Card Information

  • We do not directly store any credit card or payment information
  • We use Stripe to securely process card transactions. Stripe is one of the biggest payment platforms in the world and as such has the highest level of PCI compliance
  • Nobody at Beauty Within can see or access payment or credit card information
  • Alongside the highest level of PCI compliance, Stripe also:
    • Encrypts all card numbers
    • Prevents internal Stripe systems from accessing card data
    • Only allows secure communication over HTTPS/TLS
    • Regularly audits its processes and infrastructure

Security Audits

  • Internally we review and audit our security controls on a near daily basis. This approach allows our engineers to continuously audit ourselves to ensure we address any potential gaps
  • We engage with external auditors to conduct periodic penetration tests of internal and external infrastructure
  • We work with external auditors to remediate or implement any findings or security recommendations they provide
  • We work towards an annual security strategy which aims to perpetually improve upon security initiatives

Education

  • All staff are educated on current and emerging cybercrime trends
  • Internally, we conduct periodic security exercises to uncover and close any gaps in education