At Paraglide, we take security and data protection seriously. This document outlines our comprehensive approach to protecting your data and maintaining the highest security standards.
Access Control
Our access control measures ensure that only authorized individuals can access our systems and data. Access is always granted according to the principle of least privilege.
Authentication & Authorization
Role-based access control (RBAC) is enforced for all users
Multi-factor authentication (MFA) is required for all production access
Access to production systems is restricted to authorized personnel only
Separate AWS accounts are maintained for production and staging environments to ensure isolation and reduce risk
Onboarding & Offboarding
Access is provisioned only with manager approval and based on the principle of least privilege
New employees are required to enable MFA before access is granted
Access is revoked immediately (within 24 hours) upon termination or role change
User permissions are reviewed on a quarterly basis
Monitoring & Logging
All administrative access to production systems is logged
Access events are monitored for unusual or unauthorized activity
Data Security
We apply strong technical and organizational measures to protect data, ensuring confidentiality, integrity, and availability.
Encryption
All external connections terminate at our load balancers, which enforce modern TLS policies (TLS 1.2/1.3 only)
All connections between application services and databases (AWS RDS) use SSL/TLS encryption
Encryption keys are managed by AWS KMS
Environment Separation
Production and non-production environments are isolated in separate AWS accounts
Test data does not include real customer personal data
Data Protection
Access to sensitive data is limited to authorized personnel only
Administrative access requires MFA
Customer data is never stored on employee devices
Data exports and transfers are protected using secure protocols
Monitoring & Logging
We actively monitor our systems and log critical events to detect and respond to unusual activity, supporting both operational oversight and security compliance.
All administrative and production system access is logged
Application and system events are captured in centralized logging
Logs are retained for 90 days to support auditing and investigation
Security and operational alerts are configured to detect unauthorized or anomalous activity
Key infrastructure metrics (CPU, memory, disk usage, service availability) are monitored continuously
Backups & Recovery
We ensure the availability and recoverability of critical data and systems through regular backups and disaster recovery practices.
Backups
Automated backups of production data are performed daily
Backups are encrypted at rest using AWS KMS
Backup integrity is periodically verified to ensure data can be restored
Services and databases are deployed in Multi-AZ configurations to ensure high availability
Backups and snapshots are replicated across multiple AWS regions for disaster resilience
Recovery & Disaster Recovery
Disaster recovery objectives:
Recovery Point Objective (RPO) = 1 hour
Recovery Time Objective (RTO) = 1 hour
Restoration procedures are documented and tested periodically
Separate environments (production, staging) help minimize the impact of failures
Incident Response
We maintain a documented incident response plan to ensure timely detection, investigation, and mitigation of security and operational incidents.
Detection & Reporting
Security events and anomalies are monitored continuously through AWS CloudWatch and AWS GuardDuty
Alerts are generated for unusual activity, including unauthorized access attempts or system failures
Employees can report potential security incidents via an internal chat channel
Response & Escalation
All incidents are triaged and escalated to designated response personnel according to severity
High-severity incidents trigger immediate action, including containment and mitigation steps
Incident owners document actions taken and lessons learned for future prevention
Notification & Communication
Clients and regulators are notified of confirmed data breaches within 72 hours, in line with GDPR and UK GDPR requirements
Internal stakeholders are informed promptly for operational continuity
Review & Improvement
Post-incident reviews are conducted to identify root causes and preventive measures
Policies, procedures, and monitoring rules are updated as necessary to prevent recurrence
Change Management
We maintain controlled processes for deploying changes to ensure system stability, security, and traceability.
Development & Review
All code changes are made via GitHub pull requests (PRs)
PRs require review and approval before merging into the main branch
Deployment & Release
Continuous Integration / Continuous Deployment (CI/CD) pipelines are implemented via GitHub Actions
Deployments to production require a manual trigger, ensuring human oversight
A rollback job is available to revert changes quickly in case of issues
Documentation & Audit
All deployments are logged, including author, reviewer, and timestamp
Deployment and rollback procedures are documented and periodically reviewed
Privacy & Compliance
We handle personal data in accordance with applicable data protection regulations and best practices.
Data Protection & Regulations
Compliant with GDPR (EU) and UK GDPR
Also aligned with other relevant privacy laws (e.g., CCPA, if applicable)
Data Processing & Sub-processors
Data is processed only for the purposes defined in our services agreement
All sub-processors are vetted and contractually bound to adhere to data protection requirements
Data Subject Rights
Processes are in place to handle requests for access, correction, deletion, or export of personal data
Requests are fulfilled within statutory timeframes as required by law
Contracts & Agreements
A Data Processing Agreement (DPA) is available for all clients
Data breach notification procedures ensure timely communication to regulators and affected individuals