Security

Security is at the forefront of everything we do at Proto, and it’s not just about securing our customers. It’s about securing our platform and our customers’ data on that platform.

Proto aligns with the CIS (Center for Internet Security) guidelines to protect your data from unauthorized access, disclosure, inappropriate use, and loss of access. We also extend our stringent requirements to all of our sub-processors to ensure they meet or exceed our standards.

Proto maintains a dedicated security team which includes not only security specialists, but every member of our company because we know security is only as strong as your weakest link.


Vulnerability Disclosure

If you would like to report a vulnerability, please contact team@proto.cx with a proof of concept, list of tools used, and the output of the tools.

If a security disclosure is received, we will work quickly to reproduce each vulnerability and verify its status before taking the steps needed to remedy it.

Compliance and Certification

PCI DSS

Proto ensures that any third parties which may handle payment and card information are appropriately audited by an independent PCI Qualified Security Assessor and certified as a PCI Level 1 Service Provider where required.

GDPR

Proto is compliant with the GDPR. If you have customers who reside in the European Union and use Proto, then we recommend that you sign a Data Processing Agreement (DPA) with Proto. This document is a contractual agreement that recognizes Proto as being GDPR compliant and helps your organization maintain GDPR compliance when it comes to using Proto as a sub-processor. We provide our DPA as a self-serve document here.

In an effort to provide the best security for all our customers when it comes to personal information, Proto treats all data as if it is bound by GDPR regulation.

Any person (including EU residents) wishing to submit a personal data request to Proto may do so by sending an email to team@proto.cx explaining their data request.

PIPEDA

Proto is compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA). For information on the types of personal data Proto stores and how we store it, please see our Privacy Policy.

If you wish to contact our Data Protection Officer (DPO) for any concerns around Personal Data collection or usage, they can be reached at team@proto.cx.

Infrastructure and Network Security

Servers

Proto's infrastructure is hosted on Amazon Web Services (AWS). The AWS data centers are equipped with multiple levels of physical access barriers, that include:

For more information on AWS Security features, you can refer to this whitepaper. Proto employees do not have physical access to AWS data centers, servers, network equipment, or storage.

The location of the AWS servers where we run our infrastructure depends on where your chatbot is deployed.

We are not able to provide the exact physical address of the data centre as Amazon has historically been quite reticent in publishing location information of their facilities for security reasons.

We use a combination of automated and manual inspection to determine if new vulnerabilities are introduced in the software packages on our systems. Our infrastructure team ingests security bulletins and prioritizes remediation according to our internal vulnerability policy.

Logical Access Control

Proto has full control over all its infrastructure on AWS, and only authorized infrastructure team members at Proto have access to configure infrastructure when needed in order to add new functionality or respond to incidents. All access required for control of infrastructure has mandated two-factor (2FA) authentication. The levels of authorization for infrastructure components follow the principle of least privilege.

Penetration Testing

Proto undergoes grey box penetration testing conducted by an independent third-party agency on an annual basis. For grey box penetration testing, Proto will provide the agency with an overview of application architecture and information about system endpoints.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.

Third-Party Audit

Amazon Web Services undergoes third-party independent audits and can provide verification of compliance controls for its infrastructure. This includes, but is not limited to, ISO 27001, SOC 2, and PCI.

Intrusion Detection

It’s important to know when suspicious activity is occurring on Proto's infrastructure. We employ Intrusion Detection Systems (IDS) on each host under our control. This notifies us on common alert channels whenever suspicious activity may occur. Our infrastructure team will check each alert, investigate the activity, and then respond accordingly.

Business Continuity and Disaster Recovery

High Availability

Every part of the Proto software uses appropriately provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. All our deploys are zero-downtime deploys using Kubernetes, and we implement gradual rollout and rollback of services in the case of deployment errors.

Business Continuity

Proto maintains backups of our production databases using the MongoDB Atlas Fully Managed Backup Service. Our backups follow good industry practice for production systems, allowing us to restore our customers' data in the event of data corruption or loss.

Disaster Recovery

Proto stores all infrastructure as code and as such is able to bring up complete copies of production and staging environments quickly (currently < 24 hours and always improving!).

Data Flow

Data into System

Proto provides an embeddable web window for use on our clients’ websites for users to interact with a client's personal chatbot. This chat window sends data back to Proto's APIs over TLS 1.2 or greater. The chat window assets use a Subresource Integrity (SRI) check to ensure that the files fetched from our CDN are cryptographically verified to prevent man-in-the-middle attacks.

Data In Transit

Data is sent from the end-user messaging channel to Proto's backend via TLS 1.2. All data is AES-256 encrypted at rest.

Data Exfiltration

Proto maintains intelligent network monitoring at the infrastructure level that limits the surface for data extraction. We scrutinize our preferred partners and integrations to ensure that they comply with necessary security regulations (GDPR, PCI, etc.) before transferring data for processing.

Data Security and Privacy

Data Encryption

All data residing on Proto servers is automatically encrypted at rest with AWS EBS Encryption, using Proto's master encryption key stored in AWS Key Management Service. All volumes are encrypted in AWS using the industry-standard AES-256 algorithm.

Proto only ever sends data over TLS 1.2 or greater, and never downgrades connections to insecure earlier protocol versions like SSLv3 or TLS 1.0.

Data Removal

Data may be retained after termination of service according to specification within our main customer contract. If data is kept after termination of service for machine learning training purposes, Proto will scrub all personally identifiable information (PII) from customer data. This includes, but is not limited to, usernames, emails, phone numbers, and IPs.

PII Scrubbing

Proto currently supports redaction of personal information. If you would like this enabled for your bot, please contact your customer success representative.

Application Security

Two-Factor Authentication

In addition to password login, two-factor authentication (2FA) provides an added layer of security to Proto via a time-based one-time password algorithm (TOTP). We encourage 2FA as an important step towards securing data access from bad actors.

Proto supports 2FA for all user accounts. 2FA can be enabled for a user in the profile section of the Proto AICX platform.

Audit Controls

In the settings page, we include an activity section where admins can view the editing history of their members. This is listed chronologically so you'll have insight into the organization's most recent activity.

Secure Application Development

Proto practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in rapid sequence. A continuous delivery methodology, complemented by pull request reviews, continuous integration (CI), automated security scanning, and automated error tracking, significantly decreases the likelihood of a security issue and improves the mean response time to security vulnerabilities. Internally, Proto enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated on the condition that all code is reviewed.

Corporate Security

Risk Management

Proto uses the CIS Controls Cyber Security Framework to guide and manage our cybersecurity-related risks. The CIS Controls framework was developed by the Center for Internet Security to help private sector organizations assess and improve their ability to prevent, detect, and respond to cyber-attacks.

Proto enforces at least one authorized reviewer for all code changes, and deployments to our production environment are gated on the condition that all code is reviewed. All code changes must go through a series of automated security scans before being deployed to production.

Security Policies

Proto maintains internal copies of security documentation, which are updated on an ongoing basis and reviewed annually for gaps:

Background Checks

Proto conducts mandatory reference checks for all employees prior to joining our team.

Security Training

Proto enforces a mandatory security awareness training program for all new and existing Proto team members that must be completed annually. This security training covers the OWASP Top 10 in relevant programming languages that developers use.

Disclosure Policy

In the event of a data breach, Proto defers to GDPR regulations, which maintain that customers shall be notified within 72 hours of a data breach, where feasible.

Proto maintains a live report of operational uptime and issues on our status page. Anyone can subscribe to updates via email from the status page.