Security & Compliance
When it comes to your application and your data, Xervo makes security the top priority. Every layer of the platform, from data storage to network traffic, is examined to make sure you get a secure, untampered environment.
At Xervo we understand that protecting your customer data is paramount. Not only is the technology a secure haven for your application and data, but the processes surrounding operations and management are robust as well.
Whether you’re looking to deploy and run HIPAA applications, an online game, or your life’s work, we'll work with you to make sure we’ve put in place the best security and compliance solution for your application’s needs.
A platform provider like Xervo does not require any formal HIPAA certification. To support your HIPAA-compliant application, Xervo will provide and sign a Business Associate Agreement (BAA). This is only available with certain hardware configurations.
When supplying a customer with HIPAA-compatible infrastructure, there are never shared machines at the Xervo platform level. All machines are dedicated to a single customer.
Reach out to learn more about running HIPAA compliant applications on Xervo.
PCI and FINRA Compliance
Xervo is always looking to expand its compliance certifications. If you believe you have an application that needs additional compliance, please contact us and we’ll discuss the process.
Technical Security Measures
Every application and infrastructure environment in Xervo is always built with security in mind. Here are a few of the many measures we take to ensure a secure environment.
Dedicated Private Networks
All application hosts reside in a dedicated private network. The actual setup varies depending on the infrastructure provider (a Virtual Private Cloud (VPC) on AWS, for instance). The only entry point into the private network is the load balancer. Servers within the private network do not have public IPs and are not reachable from the outside world.
All Xervo servers sit behind a network firewall. Security groups are created specifically for each server or set of similar servers, and each group has rules specific to that server’s task. Only the ports needed for the correct functioning of the system are opened for communication.
SSH login uses private key authentication on all servers. Access to the private key files is tightly controlled and not available to every Xervo employee. Using private key authentication means Xervo is immune to brute-force password attacks. SSH keys are created for each customer individually.
Every server also has SSH abuse protection: if a single endpoint attempts to log in too quickly, that endpoint is temporarily banned.
Rate limiting is applied at the load balancer for both HTTP and HTTPS traffic. Requests are dropped if an endpoint exceeds the configured rate threshold.
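The temporary-ban logic behind the SSH abuse protection described above, as an added illustration rather than Xervo's own code: the attempt threshold, window, ban length and the log line format are all assumptions, and the same sliding-window count per source is what the load balancer's rate limiter applies to HTTP and HTTPS requests.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and log format are assumed for this illustration, not Xervo's real settings.
MAX_ATTEMPTS = 3                      # failed logins tolerated inside WINDOW
WINDOW = timedelta(seconds=60)        # sliding window over which failures are counted
BAN_DURATION = timedelta(minutes=10)  # the ban is temporary: lifted after this long
# OpenSSH-style failure line with an ISO timestamp prefix (assumed format).
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed \w+ for .* from (\d+\.\d+\.\d+\.\d+)")

def process(lines):
    """Return one (ip, action) per failed-login line: counted, ban, or blocked."""
    attempts = defaultdict(deque)   # ip -> timestamps of its recent failures
    banned_until = {}               # ip -> when its temporary ban expires
    actions = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # not a failed-login record; ignore it
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            actions.append((ip, "blocked"))   # still banned: attempt never reaches sshd
            continue
        banned_until.pop(ip, None)  # absent or expired: the ban is lifted
        q = attempts[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # forget failures that fell out of the window
            q.popleft()
        if len(q) > MAX_ATTEMPTS:
            banned_until[ip] = ts + BAN_DURATION
            q.clear()
            actions.append((ip, "ban"))       # this attempt crossed the threshold
        else:
            actions.append((ip, "counted"))
    return actions

# Constructed sample log: one noisy source, one ordinary failure, one retry after the ban expires.
SAMPLE_LOG = [f"2024-05-01T10:00:{s:02d} sshd[101]: Failed password for root "
              f"from 203.0.113.5 port 5000 ssh2" for s in (0, 5, 10, 15, 45)] + [
    "2024-05-01T10:00:50 sshd[102]: Failed publickey for deploy from 198.51.100.7 port 5001 ssh2",
    "2024-05-01T10:11:00 sshd[103]: Failed password for root from 203.0.113.5 port 5002 ssh2"]
```

Running `process(SAMPLE_LOG)` shows the fourth rapid failure from 203.0.113.5 starting a ban, the next attempt being blocked, and the attempt after the ban expires being counted afresh.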