Compliance

Security and compliance are of paramount importance to us. We focus on providing a secure environment that goes above and beyond industry security standards and guidelines. The following is an overview of the steps we take to secure our customers’ most sensitive information.

We appreciate and respect responsible disclosure. Report an issue and we will respond within 24 hours.

Payment Card Industry (PCI) Compliance

Our payment processor is a validated PCI DSS Level 1 Compliant Service Provider and is listed on Visa’s Global Registry of Service Providers and Mastercard’s Site Data Protection (SDP) compliant service provider list.

https://www.pcisecuritystandards.org

Authentication and Session Management

We require all users to authenticate each time they use eagle.io. Passwords are never stored in the database in plain form; each one is combined with a unique random salt and run through a deliberately slow hash function, so that a leaked database cannot be reversed into passwords at speed. In addition, all communication between our users and us is protected with TLS 1.2, using a 2048-bit RSA certificate key and ECDH key exchange over a 256-bit curve.
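The password storage described above, as an added example that is not eagle.io’s own code. The page does not name its slow hash function, so this example assumes PBKDF2-HMAC-SHA256 from the Python standard library, a 16-byte random salt per user and a 600,000-iteration work factor (all assumed values); a production system would typically reach for bcrypt, scrypt or Argon2 via a dedicated library.

```python
"""Salted, slow password hashing with a self-describing stored record.

Added example, not eagle.io's implementation. Assumes PBKDF2-HMAC-SHA256;
the iteration count and salt length below are illustrative choices.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000   # assumed work factor; tune so one check costs tens of ms
SALT_BYTES = 16        # assumed salt length


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Run the slow key-derivation step. PBKDF2 is CPU-bound by design."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt_b64$hash_b64' for storage.

    A fresh random salt per user means two users with the same password get
    different records, and precomputed hash tables are useless against them.
    Storing the parameters alongside the hash lets the work factor be raised
    later without breaking existing accounts.
    """
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record into (algorithm, iterations, salt, digest) or None."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parsed = _parse(record)
    if parsed is None or parsed[0] != ALGORITHM:
        return False
    _algorithm, iterations, salt, expected = parsed
    # compare_digest does not short-circuit on the first mismatching byte,
    # so timing does not reveal how much of the hash was correct.
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy.

    Call this right after a successful login, while the plaintext is in hand,
    and store hash_password(password) to upgrade the account transparently.
    """
    parsed = _parse(record)
    if parsed is None:
        return True
    algorithm, stored_iterations, _salt, _digest = parsed
    return algorithm != ALGORITHM or stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Because the salt is random, `hash_password` never returns the same record twice for the same password; the only way to check a login is to re-derive with the stored salt, which is what `verify_password` does.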

Two-Factor Authentication (optional)
Two-factor authentication adds an extra layer of security to your account. This feature is optional, and can be enabled by clicking the Enable Two-Factor Authentication button. Once enabled, you will need to provide a one-time code in addition to your username and password when logging in, so a stolen password alone is not enough to access the account.

Data Hosting Facilities

We make exclusive use of ISO27001 compliant data hosting facilities located in Australia.

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

Prohibited Data Storage

We never store our customers’ credit card numbers; these are handled entirely by our payment processor.

User Data Segregation

All user data is strictly segregated so that no user may ever view, tamper with, or become aware of the data of any other user.

Identity Assurance

Our TLS certificate is signed using SHA-256, which assures all users that they are communicating with the genuine eagle.io website at all times.

Reliability

We have high redundancy onsite and offsite. Onsite data is mirrored on individual servers using RAID and is also hot synced between at least 3 redundant servers at all times. Data is also encrypted and backed up off site with an undisclosed third party.

Disaster Recovery

Our offsite backup is geographically separated from all our other data centers, allowing disaster recovery even after a multi-site failure.

Activity Observation

All significant activity by our users, and internally by our employees, is extensively logged in a tamper-proof fashion. We engage in the practice of extensive internal code reviews of all the software we develop.

Change Control

All changes to production services are first staged and tested to ensure no impact to end users. We maintain multiple service environments, allowing changes to be promoted or reverted seamlessly without downtime.

Penetration Testing

At least quarterly, we conduct automated vulnerability scans. In addition, routine penetration testing is conducted to assess our security against external threats.
Securing Access

Our network has been set up in a secure fashion with minimal access to outside networks. Access to our servers is only permitted over VPN from whitelisted IP addresses. Internally, we use segmented networks so that only servers which work together can communicate with each other. We patch and update all of our systems promptly, and monitor numerous online resources for the latest vulnerabilities. All of our employees undergo training on the security matters relevant to their job.

Additional Certifications

We are continually seeking to enhance our already robust security and compliance framework. We are currently undergoing assessment for inclusion in the Cloud Security Alliance’s Security, Trust and Assurance Registry (STAR), a public registry of cloud providers’ security assessments.

https://cloudsecurityalliance.org/star/registry

Learn more in our Business Security Whitepaper

This Document was last modified on June 15, 2021.