Ascend Developer Hub

Security

Securing your Data Services (Members, Teams, Permissions & Service Account Keys)

Ascend high-level architecture

Ascend is a SaaS offering that runs in a native cloud environment (AWS, Azure, and GCP) as a private and isolated (single-tenant) deployment. It's a microservices architecture built on Kubernetes & Apache Spark composed of multiple cloud-hosted Kubernetes clusters designed for on-demand processing at near-limitless scale. This is not a multi-tenant architecture and data is not shared between tenant environments.

Summary of Security Features

Ascend provides industry-leading features that ensure the highest levels of security for your account and data, as well as all the data you store in Ascend.

The following provides a high-level summary of the features, grouped into the following categories:

Data and User Security

  • Data-at-rest encrypted using AES 256 (FIPS 140-2)
  • OAuth for application authentication (Okta, G Suite, AAD)
  • Cloud provider KMS (AWS, Azure, GCP)
  • Application RBAC

Network and Site Access

  • All network connections secured with TLS 1.2+
  • Intrusion Detection (Falco)
  • Service-based Certs & ACLs
  • Private connections via:
    • VPN using IPSEC (Enterprise-only)
    • VPC Peering (Enterprise-Only; by request)

Compliance and Validations

  • Continuous docker image vulnerability scanning
  • Annual 3rd Party Penetration Tests & Audit
  • HIPAA compliant
  • Soc 2 Type I Compliance

Across all editions, Ascend provides a secure environment for customer data, protecting it in transit and at rest. All customer data is encrypted by default using the latest security standards and best practices, and validated by compliance with industry-standard security protocols.

The architectural diagram shown below is a production Ascend customer environment running inside a dedicated and private Virtual Private Cloud (VPC). Incoming traffic from customer VPCs is routed through an Elastic Load Balancer (ELB) to the Ascend VPC.

The architectural diagram shown here is a production Ascend customer environment running inside a dedicated and private Virtual Private Cloud (VPC) with the On-premises Secure Access VPN option. It allows on-premises data sources to be securely accessed by the Ascend environment. This is a premium level feature, which requires the ENTERPRISE subscription tier.

If you’re handling sensitive information or are bound by regulatory requirements, you can choose to deploy Ascend on your own cloud VPC. Ascend will manage its servers (for code deployments, triage, security patches, and maintenance) in your VPC but won't have access to your data.

3rd party security assessments

Ascend has completed and submitted 3rd party pen tests. These are submitted annually via the NCC group.

Incident management process

Senior Management maintains and communicates incident and breach response policies to Company personnel. Employees are trained during the initial on-boarding process about the procedures for identifying and reporting incidents. Internal monitoring tools are configured to notify and alert the Engineering team of security and availability events that require investigation and/or resolution.

Notifications and alerts come from various channels that include customer support, automated security scans, monitoring, and logging tools. In order to ensure that incident response is consistent and proper, incident response procedures are documented internally accessible within Ascend as a reference guide. Depending on the severity of the incident, communication is established between Senior Management, Engineering, and Security. Ascend performs post-mortems to assess and remediate the root cause of these incidents.

To ensure protection with vendors related to security incidents, data protection agreements are required with applicable vendors and they must inform Ascend of any breach or security incident impacting the Platform or its customers. Ascend customers are notified directly via email of any identified security breaches impacting their systems.

Business Continuity Plan and Disaster Recovery program

Ascend has designed and configured the Platform for regional high availability and redundancy. Client confidential data is backed by the durability guarantees of highly redundant systems such as GCS, S3, and Azure blob store. Regular snapshots of production data are configured to be taken nightly and stored encrypted at-rest using standard AES-256 encryption. Ascend performs restoration tests at least annually to ensure data can be recovered from backups to ensure continuity.

Operations, Engineering and Security teams maintain a disaster recovery plan and exercises it at least annually. Testing is done to ensure that recovery procedures work as intended. Restoration procedures for backups are performed and tested annually.

Ascend deploys a multi-AZ infrastructure for all real-time services, while asynchronous computation services are deployed in a limited availability cluster (optimized for cost, rather than high availability). In the unlikely event that there is a geographic event affecting one datacenter, you will not lose access to interactive services.

3rd party vendor management

Ascend management performs a review of third-party vendors and business associates that will have access to production systems or data to ensure the protection of customer data and Ascend systems. Prior to engaging with a potential vendor, the first step requires that Ascend personnel seeking to engage with a vendor check their references and assess whether the vendor is a fit. The second step is to collect relevant security documentation and certification reports from the vendor and identify areas where their controls do not align with Ascend security and privacy policies. The third step is to perform research to ascertain if the vendor has a history of customer complaints or issues with delivering services such that its reputation is under risk.

Before beginning a third-party relationship, management will assess risk related to the relationship being contemplated. The planning includes, but is not limited to, (1) assessing the extent to which the relationship complements Ascend’s business objectives, philosophy, and long-term goals, (2) comparing the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house (3) assessing expertise to manage and monitor the relationship and (4) determining an exit strategy to plan for the contingency of exiting the relationship if it becomes necessary to change course in the future.

3rd parties providing services

  • Cloud Vendors: AWS, GCP, Azure
  • Monitoring providers: DataDog, Sumo Logic, OpsGenie
    All providers have the same, or greater SOC 2 TYPE 2 certifications. We do support the creation of HIPAA compliant environments and instantiate BAA agreements with providers as necessary to support those environments.

Background checks on employees and contract licensed agents

Background checks are performed before employees join Ascend and cover criminal history, sex offender status, and global watchlist.

Employees in their first week must read and sign Ascend’s Infosec policy and go through HIPAA training. The Infosec policy covers security policies for both digital and physical environments.

Services performed outside the US

No service(s) are currently being performed outside the US.

Access to data from offshore locations

There is no access by Ascend employees or vendors to any data from offshore locations.

Separation of data

The Ascend architecture provides each customer their own deployment in a fully isolated cloud account with no shared resources or access.

Employee and 3rd party service provider/contractor access to data

Similar to other cloud services (e.g. AWS, GCP, Box, Salesforce), certain Ascend employees (no 3rd parties) have access to the customer environment which stores data, which may contain PII/PHI data (if it were uploaded to the system). Access is limited to those necessary to ensure the service is available, up to date, and meeting customer expectations.

Employee access is gated to senior engineering and customer success teams and can only be done via credentials that stored in a password file vault with enforcements.

Level of logging per environment

Logs are retained for 90 or more days for all systems, but log data can be made available upon request if necessary. Additionally, Ascend offers a security suite that includes monitoring, notification, and audit capabilities that allow customers to record all user and system activity in their own independent systems.

Support single sign on

Ascend supports oauth2 SSO providers (including Okta). We also provide a variety of security control measures inside of the product to limit user (ie, your users) access to only appropriate data. This allows you to easily segment data and dataflow access by role or group within your organization while supporting cross-team workflows.

Regular maintenance windows

Ascend is designed for 24/7/365 uptime, and as a result we do not have regular maintenance windows that impact the service.

Uptime service level

Ascend's front-end (UI/API) uptime SLA is 99.9%

We ensure HA at a number of layers in our technology:

  • Ascend runs the control plane components of our systems in multiple availability zones, which are resilient to the loss of any AZ.
  • Ascend data storage uses cloud object stores (S3, GCS, etc) which all provide high data durability (99.999999999% or higher).
  • Our infrastructure runs on Kubernetes (across these AZs) and are resilient to the loss of any (or many) underlying servers.
  • Ascend databases all have hot standbys, in a different AZ, with auto-failover. Additionally, databases take daily snapshots.

Configuration retention period(s)

Ascend by default retains data for 24 hours after it is no longer in use. Active data will continue to be stored as a dataflow dependency. After a relationship termination, Ascend will, by default, delete all data within 7 days. We can accommodate up to 90 days retention of record data (processed result data) by request. In addition we can provide proof of deletion of the the cloud account where the data was held.

Termination of service

If service is terminated, users are able to copy / replicate their data. Data is stored in snappy.parquet files, but users can select other formats such as CSV, TSV, JSON, etc.

Legal hold provisions

Ascend can provide capabilities for access to search data maintained and copy that data. Ascend is a data platform, so all data is accessible by authorized users. If a legal hold is required, we can comply with a legal hold.

Updated 5 months ago

Security


Securing your Data Services (Members, Teams, Permissions & Service Account Keys)

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.