Security Policy
Last Modified: January 1, 2024
At Extractly, we recognize that your data is sensitive. This document explains the technology and practices we use to keep your data secure when you use our data extraction and analysis services and our technology platform.
Our commitment to protecting your privacy is set forth in our Privacy Policy, which will prevail in the event of any conflict with this document.
User Account Security
- All user passwords are stored in a salted encrypted format.
- We require all users to use multi-factor authentication (MFA) on their accounts.
- We enforce minimum password complexity requirements.
- We log user activity and perform analysis for suspicious behavior.
Encryption
- We use industry-standard Transport Layer Security (TLS) encryption on all HTTPS connections to our origin server(s), preventing man-in-the-middle attacks, packet sniffing, and more.
- We use full-disk encryption on all of our servers. In addition, sensitive data files are encrypted at rest.
Servers
- We use Amazon Web Services as the infrastructure provider for our server instances and databases.
- Amazon Web Services has achieved ISO 27001 certification and has successfully completed multiple SOC 2 Type II audits.
Server Software, Updates and Patches
- We monitor security announcements for our technology platforms and their dependencies; we install critical security updates as soon as possible after they are released.
- We install non-critical and non-security-related software updates on a rolling basis.
- Updates to our databases are managed by Amazon, and they install critical security updates as quickly as possible.
- We continually improve the security of Extractly's systems by utilizing automated vulnerability scanning tools.
Access Controls
- Our servers are Amazon EC2 instances.
- Our servers are kept behind a firewall (configured to deny by default) and only the ports necessary for operation are exposed to the public internet.
- Files are hosted using Amazon's S3 service. Amazon S3 provides highly durable storage infrastructure designed for mission-critical data storage.
- Only Extractly employees and contractors with a legitimate business need have the ability to log into our production servers and databases directly.
- Only Extractly employees and contractors with a legitimate business need have access to customer accounts and data.
- Access is removed immediately if an employee or contractor leaves the company or no longer has a legitimate business need for access.
- We have a data security and retention policy that governs how we handle customer data. It ensures that data is held no longer than necessary to fulfill contracted obligations and comply with any applicable regulations or contracts, and it sets forth guidelines for secure deletion.
Payment Information
- All credit card information is stored in a highly secure, PCI-compliant manner by our payment vendor.
- Our billing processes are also PCI-compliant.
Data Retention and AI Training
- We do not retain uploaded text, image, or audio documents longer than necessary. Once we have performed our service, they are securely deleted.
- When working with third-party AI model providers, data is not retained, nor is it used for training purposes.
- We also offer our own AI models hosted on AWS Bedrock, available at an extra cost. In these cases, data is not sent to a third party. For more information about this option, please contact your account manager.
Employee Security
- We conduct thorough background checks on all employees and contractors before they join our team to ensure the highest level of trustworthiness.
- We adhere to the principle of least privilege, granting employees and contractors access only to the systems and data necessary for their specific job functions.
- Access privileges are regularly reviewed and updated to ensure they remain appropriate as roles and responsibilities change over time.
Questions regarding this document should be sent by email to us at security@extractly.xyz.
Extractly is committed to maintaining the security and privacy of your data. We continuously review and update our security practices to ensure the highest level of protection for our users.
