Security Practices

At Echo we employ industry-accepted best practices and frameworks to keep your data safe.

This page is up to date with the latest changes in our security practices. Last updated: October 19th at 5:30pm

Infrastructure

Echo is currently hosted at AWS and we utilize a range of available tools to ensure the security of our private cloud. Regular security scans are performed using automated tools to ensure limited access and appropriate configuration. We utilize multiple environments to develop and test our code, ensuring multi-stage verification before production code is deployed.

External platforms used by our team are selected based on their security posture, and multi-factor authentication is always enabled where possible.

Echo follows an "airtight" approach to our instances: once launched, our instances do not allow any outside access other than that required to perform their functions, to ensure maximum security.

Encryption

All data is encrypted both in transit and at rest. Where available, we utilize built-in secure storage capabilities in addition to encrypting your data with keys unique to your workspace.

Data Storage and Retention

Data related to every workspace is logically separated from other workspaces and encrypted using different encryption keys. Workspace data is backed up regularly and such backups are retained for 7 days. By design, Echo offers archiving rather than removal capabilities (for example, messages are never removed and can always be restored), but we offer both policy and security customization options to suit your needs.

We routinely update our database engines as security updates become available.

Data Access

Our team does not have access to any messages or other data related to your workspace. Your data is only accessed by the code at runtime, and access to the code is strictly controlled as described further in the "Secure Development Practices" section. Limited information about your workspace (such as size, age, title, etc.) and its members (such as name, email) is available to our support personnel.

Secure Development Practices

Team Echo has extensive experience in enterprise security and handling of sensitive data. We follow industry standards in developing our software with security in mind.

Third Party Security Audit

We are currently exploring our options around potential audits and certifications. Please reach out to us at hello@eo.chat if your organization requires particular vendor certification.

Customization

We designed our infrastructure, data handling, and privacy policies to accommodate most common scenarios and requirements. Our architecture also allows for customizations of policies if required by your organization. Please keep in mind that such customizations can only narrow down our general approach (as in, be more strict than it).

Vulnerabilities

In addition to internal security testing and audit, our Vulnerability Disclosure Program invites public testing and disclosure of security flaws.

Questions

If you have any questions about our security practices, please contact us at hello@eo.chat.