Security

Catalytic is currently undergoing a SOC 2 Type II audit and has implemented controls to meet the requirements of SOC 2 Type II.

To report a security issue, follow our Security and Issue Escalation Policy here.

1. Introduction

This document outlines the basic security practices and information related to the design and operation of our SaaS system. It is intended to provide transparency to our external users regarding the measures in place to ensure the security and reliability of our services.

2. System Design and Operation

Our SaaS platform is designed with security, scalability, and resilience in mind. The system architecture includes the following key components and their boundaries:

  • System: Hosted on Heroku, AWS, and Digital Ocean, providing a secure and scalable environment for the delivery of web applications.
  • Email Communication: Powered by Google Gmail to provide reliable and secure email services.
  • Security Monitoring: Leveraging Snyk.io for proactive vulnerability detection and management in our code and dependencies.

3. Security Practices

Our commitment to security is reflected in the following practices:

  • Data Encryption:
    • All data in transit is encrypted using TLS (Transport Layer Security).
    • Sensitive data at rest is encrypted using industry-standard encryption algorithms.
  • Access Controls:
    • Role-based access control (RBAC) is implemented to ensure that access to systems and data is limited to authorized personnel only.
    • Multi-factor authentication (MFA) is required for all internal administrative accounts.
  • Vendor Security:
    • Heroku: Utilized for its strong platform security, including compliance with SOC 2, ISO 27001, and other certifications.
    • Google (Gmail): Used for secure communication, benefiting from Google’s advanced spam filtering and security controls.
    • AWS: Leveraged for secure and compliant cloud infrastructure, including encryption and IAM capabilities.
    • Digital Ocean (K8s): Used for secure and scalable Kubernetes cluster management.
    • Snyk.io: Integrated into our development process for continuous monitoring and remediation of vulnerabilities.
  • Monitoring and Incident Response:
    • Continuous monitoring of system performance and security using automated tools.
    • Incident response plans are in place to quickly identify, mitigate, and resolve any security incidents.
  • User Communication:
    • Regular updates regarding system operations and security measures are published on our company website.
    • Users are promptly informed of any security incidents that may affect their data.

4. User Responsibilities

To ensure the security of our system and services, we encourage users to:

  • Use strong, unique passwords and enable multi-factor authentication where possible.
  • Report any suspicious activities or potential vulnerabilities to our support team at support@usecatalytic.com.

5. Conclusion

Catalytic is dedicated to providing secure, reliable, and transparent services to our users. By adhering to best practices and leveraging trusted vendors, we strive to maintain the highest standards of security in our operations.