The highlights of our security program are given below:
Security Governance
Abacus.AI’s Information Security Committee (ISC) is a governing body consisting of cross-functional
management representatives led by the Chief Information Security Officer (CISO). The ISC meets on a
regular basis to advise, prioritize, and enable the Information Security Program. The risk-driven
Information Security Program includes administrative, technical, and physical safeguards to align
with applicable requirements, standards, and best practices. Abacus.AI maintains a comprehensive
suite of information security policies that is regularly reviewed, updated, and approved on a
predefined schedule.
Risk management serves as the foundation of Abacus.AI’s Information Security Program with a Defense
in Depth (DiD) approach. We conduct industry-standard security risk assessments periodically to
identify, analyze, monitor, and respond to risk. Our multi-faceted approach also includes using
multiple sources of input such as vulnerability assessments, penetration testing, and other forms of
security reviews to capture the holistic state of our security posture. Risk treatments are
strategically planned and prioritized with key stakeholders to ensure alignment with security and
business objectives. Cross-functional collaboration with the ISC is integral for the effective
review and management of information security risk.
People Security
Employee background checks
Before onboarding new staff, Abacus.AI verifies an individual’s education and previous employment,
and performs internal and external reference checks. Where local labor law or statutory regulations
permit, Abacus.AI may also conduct criminal, credit, immigration, and security checks. The extent of
these background checks is dependent on the desired position.
Security training for all employees
All Abacus.AI employees and contractors undergo security training as part of the orientation process
and receive ongoing security training throughout their tenure. During orientation, new employees
must read and agree to the Abacus.AI Acceptable Use Policy (AUP) and Code of Conduct, which
highlights our commitment to keep customer information safe and secure. Depending on their job role,
additional training on specific aspects of security may be required. For instance, the information
security team instructs new engineers on topics like secure coding practices, product design and
automated vulnerability testing tools. We also cover topics like phishing, ransomware, social
engineering etc. topics.
Operational
Security
Access Management
For Abacus.AI employees, access rights and levels are based on their job function and role, using
the concepts of least-privilege and need-to-know to match access privileges to defined
responsibilities. All our personnel are required to use multi-factor authentication and strong
passwords. Access to production infrastructure is strictly controlled using a bastion host (jump
box) with user-unique SSH keys and token-based two-factor authentication for server-level
authentication. Employee access to both corporate and production resources is subject to an
automated daily review process, and manual recertification is performed, at a minimum, on a
quarterly basis.
For our customers, Abacus.AI supports built-in login or SAML 2.0 for single sign on with multi
factor authentication. Customers are empowered to create and manage users of their portals and
assign privileges that are appropriate for their accounts and limit access to their data features.
Access attempts are logged for review.
Vulnerability Management
We administer a vulnerability management process that involves periodic third-party scans for
security threats using a combination of commercially available tools, intensive automated and manual
penetration efforts, quality assurance processes, software security reviews and external audits.
Once a vulnerability requiring remediation has been identified, it is logged, prioritized according
to severity, and assigned an owner. The owner then tracks the issue and follows up until they can
verify that the issue has been remediated. Abacus.AI also offers bug bounties for disclosed
vulnerabilities from external parties.
Malware prevention
An effective malware attack can lead to account compromise, data theft, and possibly additional
access to a network. Abacus.AI takes these threats to its networks and its customers very seriously
and uses a variety of methods to prevent, detect and eradicate malware. We leverage Anti Malware
solutions on all corporate laptops and servers. Employees are mandated to use Google’s Safe Browsing
in Chrome to prevent malware from being installed through infected websites.
Monitoring and Alerting
Abacus.AI invests heavily in the automation of monitoring, alerting and response capabilities so
that potential issues are continually addressed—in addition to our complete automation of our build
procedures. Engineers and administrators are alerted to anomaly occurrences—particularly application
attacks, error rates, and abuse scenarios. Automatic responses and alerts to appropriate teams are
triggered by these and other anomalies so that investigation and correction can occur. The
occurrence of malicious or unexpected activities causes automated systems to bring in the right
people to ensure issues are rapidly addressed. There are also numerous automated triggers designed
into systems so that unforeseen situations can be detected and will be immediately addressed.
Functions, traffic blocking, process termination and quarantine are activated at predefined
thresholds so that protection of the Abacus.AI platform against a broad variety of undesirable
situations is assured.
Data Center Security
Abacus.AI primarily uses Amazon Web Service (AWS) along with Microsoft Azure, Google Cloud Platform
(GCP) in the USA region for our cloud infrastructure, giving flexibility for our customers to choose
a provider and region of their choice. We do not move customer data between regions - meaning a
customer selecting a region in the USA will have their data stored and processed in the USA.
The physical security of the AWS, and all other, data centers features a layered security model,
including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers,
perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam
intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior
cameras that can detect and track intruders. Access logs, activity records, and camera footage are
available in case an incident occurs. Data centers are also routinely patrolled by experienced
security guards who have undergone rigorous background checks and training. All hardware is tracked
and disposed of in a secured manner. To keep things running 24/7 and ensure uninterrupted services,
data centers feature redundant power systems and environmental controls.
Encrypting data in transit and at rest
Abacus.AI customer data, and our own data, is encrypted when it’s on a disk using AES-256bit
encryption. Data in transit over the Internet, or traveling between data centers is encrypted using
TLS 1.2 or higher. Only standardized encryption protocols and algorithms are used. Passwords are
stored securely using a one way hash.
Abacus.AI uses AWS KMS for encryption key management. Rotation of keys depends upon the sensitivity
of encrypted data. In general, TLS certificates undergo annual renewal. At this time, Abacus.AI is
unable to use customer-supplied encryption keys.
Recovery and highly available solution
Abacus.AI designs the components of our platform to be highly redundant. Customer data is replicated
synchronously in real time over multiple geographically distributed data centers to minimize the
effects of regional disruptions such as natural disasters and local outages. In the event of
hardware, software, or network failure, automatic failover allows our customers to continue working
in most cases without interruption. Our highly redundant design has allowed us to achieve an uptime
of 99.95% for our service with no scheduled downtime. Simply put, when Abacus.AI needs to service or
upgrade our platform, users do not experience downtime or maintenance windows. Our production
servers are hardened with stripped-down and hardened operating systems. Server resources are
dynamically allocated, allowing for flexibility in growth and the ability to adapt quickly and
efficiently, adding or reallocating resources based on customer demand.
Additionally, backup strategies are in place and run on a regular basis using established
frequencies and schedules. Seven days worth of backups are kept for any database, in a way that
ensures restoration can be easily performed. Backups are encrypted and monitored so that successful
execution is assured. In the event of any exceptions, alerts are generated. Any failure alerts are
escalated, investigated and resolved. Data is backed up daily to its local region. Periodic testing
is carried out for successful recoverability.
Data
Security
Data segregation
Customer data is logically separated using an unique key in our databases preventing data
commingling. If customers prefer more stringent separation we can also set up isolated databases. We
maintain separate production, staging and development environments and no production data is used in
lower environments.
Employee access to customer data
No customer data persists on employee laptops. We apply the principle of least privilege in all
operations to ensure confidentiality and integrity of customer data. All access to systems and
customer data within the production network is limited to those employees with a specific business
need. A best effort is made to troubleshoot issues without accessing customer data; however, if such
access is necessary, such access is enabled through a Just-In-Time Access (JITA) model in which
access to privileged functions is requested for limited durations. All JITA requests are logged, and
logs are consistently monitored for anomalous requests. When the JITA session limit is reached,
account access expires and is automatically revoked. Upon termination of work at Abacus.AI, all
access to Abacus.AI systems is immediately revoked.
Audit trails
All actions taken to make changes to the infrastructure or to access customer data for specific
business needs are logged for auditing purposes. In order to protect end user privacy and security,
only a small number of senior engineers on the infrastructure team have direct access to production
servers and databases.
Employee authentication
Every Abacus.AI employee is provided with a secure password manager account and is required to use
it to generate, store, and enter unique and complex passwords. The use of a password manager helps
avoid password reuse, phishing, and other behaviors that reduce security. All access to the
production servers and data is protected using network isolation and strong authentication
mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private
Network (VPN), and two-factor authentication is used to shield mission critical systems.
Data Retention and Destruction
Data retention policies are in place to make sure we retain data only up to 30 days after
cancellation or termination of service. Thereafter, data will be securely deleted. Customers also
can request data deletions and we can process requests on the same day.
Application
Security
Secure Software Development Lifecycle
Standard best practices are used throughout our software development cycle from design to
implementation, testing, and deployment. All code is checked into a permanent version-controlled
repository. Code changes are always subject to peer review and continuous integration testing to
screen for potential security issues. All changes released into production are logged and archived,
and alerts are sent to the engineering team automatically. Access to Abacus.AI source code
repositories requires strong credentials and two-factor authentication.
Secure by design
All features are reviewed by a team of senior engineers as soon as they are conceived. Members of
the Abacus.AI team have substantial experience working with, and building secure technology systems.
We believe in secure by design, hence we plan all functionalities with security in mind to protect
the platform against security threats and privacy abuses. We leverage modern browser protections,
such as Content Security Policy (CSP) and security HTTP headers to prevent Cross-Site Scripting
(XSS), Clickjacking and other code injection attacks resulting from the execution of malicious
content in the trusted web page context.
Security testing
Once features are implemented, we perform internal security testing to verify correctness and
resilience against attacks. We follow the leading Open Web Application Security Project (OWASP)
Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly
prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies
to independently verify our applications.
Release Management
A rapidly advancing feature set is one of Abacus.AI’s greatest advantages. Our products are
constantly optimized through a delivery approach to software development that is modern and
continuous. Thousands of times daily, new code is proposed, approved, merged and deployed. Seamless
updates are featured by Abacus.AI, and because it is an SaaS application, no downtime is associated
with releases. Web messages and/or product update posts are used to communicate major feature
changes.
Network
Security
-
Web Application Firewall (WAF) is in place allowing only explicitly authorized ingress
traffic.
-
Intrusion Prevention System (IPS) is in place to detect and block anomalous traffic patterns
including DDOS attacks.
Third Party
Vendor Management
We rely on several third-party vendors to deliver our service. Prior to onboarding third-party
suppliers, Abacus.AI conducts an assessment of the security and privacy practices of third-party
suppliers to ensure they provide a level of security and privacy appropriate to their access to data
and the scope of the services they are engaged to provide. Once Abacus.AI has assessed the risks
presented by the third-party supplier, the supplier is required to enter into appropriate security,
confidentiality, and privacy contract terms. A list of sub-processes is all maintained within our
data processing agreement (DPA).
Regulatory
Compliance & Privacy
Abacus.AI customers have varying regulatory compliance needs. Our clients operate across regulated
industries. Our ISC team continuously monitors and responds to changes.
Abacus.AI is fully compliant with GDPR and CCPA.
Customer data privacy is a primary consideration at Abacus.AI. As discussed on our privacy policy,
personal data is never sold to third parties. Protections described in this document, as well as
other designed and implemented protections, ensure that data remains unaltered and private. Customer
needs and privacy considerations guide the design and building of Abacus.AI products. Best
practices, the needs of our customers and their contacts, as well as regulatory requirements, are
incorporated into our privacy program
Certifications
For further inquiries regarding our security policy, please contact us at security@abacus.ai
or at our mailing address:
Abacus.AI
201 Mission Street
Suite 2240
San Francisco CA 94105
Submit Compliance Request
Forecasting and Planning
Anomaly Detection
Language AI
Personalization AI
Marketing and Sales AI
Foundation Models
Vision AI
Fraud and Security