Enterprise Security and Privacy at AirMason

Vanta Logo

AirMason Inc. successfully receives SOC 2 Type II attestation report

September 30th, 2024

We’re pleased to announce the completion of Airmason’s 2024 SOC 2 Type II audit. The SOC 2 Type II Audit is a comprehensive 3rd party objective audit that addresses security, availability, processing integrity, confidentiality, privacy, as well as strict internal controls.

Audit Criteria: What HR Leaders Need to Know

SOC 2 (Service Organization Control 2) is an auditing procedure that ensures service providers securely manage data. For HR professionals, it's crucial in safeguarding employee information. The audit covers five key areas:

  1. Security: Protecting HR systems and employee data from unauthorized access.
  2. Availability: Ensuring the AirMason platform is accessible when needed.
  3. Processing Integrity: Guaranteeing HR data processing is accurate and timely.
  4. Confidentiality: Safeguarding sensitive information at all times, and limiting access.
  5. Privacy: Handling personal employee information responsibly and having best-in-class encryption.

Airmason has been granted certifications without exceptions by an independent auditor, validating our robust, company-wide security and compliance measures. This unqualified approval reinforces our commitment to comprehensive safeguards and our status as a trusted partner.

Data Protection

Data at rest
Data at rest
All datastores with customer data, in addition to Google buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption with Google MySQL Cloud.
This means the data is encrypted even before it hits the Google Cloud Database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.
Data in transit
Data in transit
AirMason uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. Server TLS keys and certificates are managed by GCP and deployed via Application Load Balancers.
Data compliance
Data compliance
Please view our in-depth Data Processing Addendum to learn more about how protect your data. Customers can also request a call directly with our engineering team through email at [email protected].
Data at rest
Data at rest
All datastores with customer data, in addition to Google buckets, are encrypted at rest. Sensitive collections and tables also use row-level encryption with Google MySQL Cloud.
This means the data is encrypted even before it hits the Google Cloud Database so that neither physical access, nor logical access to the database, is enough to read the most sensitive information.
Data in transit
Data in transit
AirMason uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. Server TLS keys and certificates are managed by GCP and deployed via Application Load Balancers.
Data compliance
Data compliance
Please view our in-depth Data Processing Addendum to learn more about how protect your data. Customers can also request a call directly with our engineering team through email at [email protected].

Security

Security Education
Security Education
AirMason provides comprehensive security training to all employees upon onboarding and annually through educational modules within its security partner, Vanta.
In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.
AirMason's engineering team shares regular threat briefings, phishing attempt examples with employees to inform them of important security and safety-related updates that require special attention or action.
Identity & Access Management
Identity & Access Management
AirMason uses Google Workspaces to secure our identity and access management.
We enforce the use of phishing-resistant authentication factors, using WebAuthn exclusively wherever possible.
AirMason employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
Security Education
Security Education
AirMason provides comprehensive security training to all employees upon onboarding and annually through educational modules within its security partner, Vanta.
In addition, all new employees attend a mandatory live onboarding session centered around key security principles. All new engineers also attend a mandatory live onboarding session focused on secure coding principles and practices.
AirMason's engineering team shares regular threat briefings, phishing attempt examples with employees to inform them of important security and safety-related updates that require special attention or action.
Identity & Access Management
Identity & Access Management
AirMason uses Google Workspaces to secure our identity and access management.
We enforce the use of phishing-resistant authentication factors, using WebAuthn exclusively wherever possible.
AirMason employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.

Continuous Monitoring

Please visit our Status page that actively monitors all our applications on the network

Online
AirMason Marketing Website
Online
AirMason API Server
Online
AirMason Admin Dashboard
Online
AirMason Handbook Editor
Online
AirMason Handbook Viewer
Go to AirMason Status pagearrow

Product Security

Penetration Testing
Penetration Testing
AirMason engages with 3rd party penetration testing consulting firms in the industry at least annually.
Our current preferred penetration testing partner is Packet Labs.
All areas of the AirMason product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.
We make summary penetration test reports available to all our enterprise clients upon request.
Vulnerability Scanning
Vulnerability Scanning
AirMason requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).
• We do both human as well as AI (Momentic) testing of code during pull requests and on an ongoing basis.
• Malicious dependency scanning to prevent the introduction of malware into our software supply chain.
• Container Analysis of running applications.
• Network vulnerability scanning on a period basis.
Penetration Testing
Penetration Testing
AirMason engages with 3rd party penetration testing consulting firms in the industry at least annually.
Our current preferred penetration testing partner is Packet Labs.
All areas of the AirMason product and cloud infrastructure are in-scope for these assessments, and source code is fully available to the testers in order to maximize the effectiveness and coverage.
We make summary penetration test reports available to all our enterprise clients upon request.
Vulnerability Scanning
Vulnerability Scanning
AirMason requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC).
• We do both human as well as AI (Momentic) testing of code during pull requests and on an ongoing basis.
• Malicious dependency scanning to prevent the introduction of malware into our software supply chain.
• Container Analysis of running applications.
• Network vulnerability scanning on a period basis.
AIRMASON
HomePricingBlogTerms & ConditionsPrivacy Policy
COMPANY
About UsContact UsHelp CenterAdvocacy & Referral
COMPLIANCE
Security informationData Processing
© 2024 — AirMason. All rights reserved