Skip to main content

Commitments to Security

Last updated May 2023

A Trusted Provider 

Interpres is a trusted service provider for our customers. Our customers trust us with some of their most confidential secrets and we reciprocate that trust by putting security first. We understand we are asking you to trust us, and we want to make sure you are comfortable with our security practices, so that you know your data, users and your exposure risk is well-protected. 

Independent Assessments and Audits 

Interpres environments and products are continuously scanned for vulnerabilities. We conduct penetration tests regularly. The results of these scans and tests are integrated into our development workflow to be addressed based on criticality, and our vulnerability management policy. 

Interpres has targeted a SOC 2 Type 1 examination for Security, Integrity, and Availability for the SaaS platform. and SOC 2 type 2 later this year. You can request to view the results of this examination by emailing [email protected]. Signing a nondisclosure agreement is required to receive access to the full report. 

Secure by Design Development 

Interpres uses static (SAST) and dynamic analysis tools (DAST) to improve the security of our development process in the build pipeline. We also evaluate source code, dependencies and combine this with analysis of exploitability trends and simple versioning as a function of our SSDLC. We institute change controls across our production environments and security controls as best practice to continuously improve our capability-maturity model. 

Vulnerability Disclosure 

Interpres maintains a Vulnerability Disclosure Program to enable security researchers to securely report vulnerabilities they may have found, and to provide rapid response to vulnerabilities in our products or services. 

Transmission Encryption 

As a cloud-based service, Interpres securely transmits data over public networks using industry best practices encryption. This includes data transmitted between Interpres services, deployed infrastructure, and our public endpoints. Across our broad service architecture, support least privilege, workload separation and data segregation. For all our web services, we support the latest recommended secure cipher suites to encrypt all traffic in transit, using TLS 1.2 and above.  

At-rest Encryption 

All disk volumes are safeguarded with LUKS encryption to prevent data access by unauthorized parties, and all applications that contain sensitive data are additionally protected with encryption using industry best practices ciphers and key lengths for all data at rest. Interpres databases and backups are also encrypted. 

Access Controls 

Users are access controlled with multi-factor authentication and use strict roles-based access controls management supporting key the principles of separation of duties, least privilege and audit. For all our authentication mechanisms, we support multi-factor authentication, as well as delegated authentication for our customers. 

Data Protection 

Please contact Interpres Security through our Data Privacy Officer at [email protected].  if you would like us to forget/delete your data. Note that we have a process to verify the authenticity of the administrator requesting the data deletion, so we cannot delete data from requests by automated services like Deseat.me. If you are a data subject and not an organization administrator, please contact them before submitting a request.  

Resiliency 

Intepres follows industry best practices to ensure that our environment is highly distributed and resilient. Our infrastructure is highly available across cloud availability zones and covers multiple geographic regions. Each of our services are designed to be highly available, with a philosophy of degradation before disruption. Our production services are replicated among these different regions to protect the availability of Intepres services in the event of a location-specific disaster event. 

Employment 

All Intepres employees undergo background checks and are required to undergo mandatory security awareness training security awareness training upon hire, and annually thereafter.