Effective Date: December 2, 2024

AskHandle Overview

AskHandle is a cloud-based platform that helps organizations of all sizes deploy AI agents globally. It enables businesses to concentrate on training and deploying intelligent AI agents, while AskHandle handles the underlying infrastructure, scaling, and security management.

AskHandle applies security best practices and manages platform security so customers can focus on their business. The platform is designed to protect customers from potential threats by implementing security controls at every level—from physical to application layers. It also isolates customer applications and data and can quickly deploy security updates without any disruption to service or requiring customer intervention.

AskHandle’s Commitment to Trust

Trust is a core principle at AskHandle. Our commitment to customer privacy and building trust guides our daily decisions. Every employee shares in the responsibility of maintaining trust, and we take this duty seriously.

Security Assessments and Compliance

Data Centers

AskHandle’s physical infrastructure is hosted and managed within Amazon’s secure data centers, leveraging Amazon Web Services (AWS) technology. Amazon consistently manages risks and conducts regular assessments to ensure compliance with industry standards. Their data center operations are accredited under:

• ISO 27001
• SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
• PCI Level 1
• FISMA Moderate
• Sarbanes-Oxley (SOX)

PCI

We use Stripe, a PCI-compliant payment processor, to securely encrypt and process credit card payments. Additionally, AskHandle’s infrastructure provider is PCI Level 1 compliant.

Penetration Testing and Vulnerability Assessments

Third-party security testing of the AskHandle application is conducted by independent, reputable security consulting firms. The findings from each assessment are reviewed with the assessors, risk-ranked, and assigned to the relevant team for resolution.

Physical Security

AskHandle relies on ISO 27001 and FISMA-certified data centers managed by Amazon, a company with extensive experience in designing, building, and operating large-scale data centers. This expertise has been applied to the AWS platform and infrastructure.

AWS data centers are in unmarked, secure facilities. Critical sites are protected by substantial setbacks, military-grade perimeter control berms, and other natural boundary defenses. Physical access to these facilities is strictly controlled, with security staff monitoring all perimeter and building entry points. The centers are equipped with video surveillance, advanced intrusion detection systems, and other electronic security measures.

Authorized personnel must undergo two-factor authentication at least three times before accessing data center floors. All visitors and contractors must present identification, sign in, and remain continuously escorted by authorized staff.

Amazon restricts data center access to employees with a legitimate business need. If an employee’s role no longer requires such access, their permissions are promptly revoked, regardless of their continued employment with Amazon or AWS. Additionally, all physical and electronic access to Amazon’s data centers is logged and regularly audited to ensure security.

For additional information see: https://aws.amazon.com/security

Environmental Safeguards

Fire Detection and Suppression

To minimize fire risk, automatic fire detection and suppression systems have been installed throughout the data center. The fire detection system uses smoke sensors in all critical areas, including data center environments, mechanical and electrical spaces, chiller rooms, and generator equipment rooms. These areas are protected by various fire suppression systems, such as wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data center’s electrical power systems are fully redundant and designed for continuous operation, ensuring no impact to services 24/7. Uninterruptible Power Supply (UPS) units provide backup power for critical and essential systems during electrical failures. Additionally, backup generators supply power to the entire facility, ensuring seamless operation even during extended outages.

Climate and Temperature Control

Maintaining a stable operating temperature is crucial to prevent hardware overheating and reduce the risk of service interruptions. The data centers are equipped with climate control systems that regulate temperature and humidity to optimal levels. Monitoring systems, along with on-site personnel, ensure that the environmental conditions remain within the required range for proper equipment performance.

Management

Data center staff continuously monitor the electrical, mechanical, and life support systems to promptly identify and address any issues. Preventative maintenance is regularly performed to ensure the ongoing reliability and functionality of all equipment.

For additional information see: https://aws.amazon.com/security

Network Security

Firewalls

Firewalls are used to control access both from external networks and between internal systems. By default, all access is denied, and only explicitly permitted ports and protocols are allowed based on business requirements. Each system is assigned to a specific firewall security group, tailored to its function. These security groups restrict access to only the necessary ports and protocols, reducing potential risks.

Host-based firewalls further isolate customer applications by blocking localhost connections over the loopback network interface. Additionally, host-based firewalls can be configured to limit both inbound and outbound connections as needed, adding an extra layer of security.

DDoS Mitigation

Our infrastructure incorporates multiple DDoS mitigation techniques, including TCP SYN cookies and connection rate limiting. Additionally, we maintain multiple backbone connections and internal bandwidth capacity that exceeds the bandwidth provided by our internet carriers. We collaborate closely with our providers to quickly respond to any DDoS events and activate advanced mitigation controls when necessary.

Spoofing and Sniffing Protection

Managed firewalls protect against IP, MAC, and ARP spoofing both on the network and between virtual hosts, ensuring that spoofing attacks are not possible. To prevent packet sniffing, our infrastructure, including the hypervisor, ensures traffic is only delivered to the interface it is addressed to. AskHandle further mitigates risks by employing application isolation, operating system restrictions, and encrypted connections at all levels of the stack.

Port Scanning

Port scanning is strictly prohibited, and any detected instances are promptly investigated by our infrastructure provider. When port scans are identified, they are immediately stopped, and access is blocked to prevent further intrusion attempts.

Data Security

Heroku Postgres

Customer data is stored in separate, access-controlled databases for each application. Each database is secured with a unique username and password, specific to that database and application. For customers with multiple applications and databases, separate databases and accounts are assigned to each application to minimize the risk of unauthorized access between them.

All customer connections to Postgres databases require SSL encryption, ensuring high levels of security and privacy. We strongly encourage customers to enable encrypted database connections when deploying their applications.

Additionally, customers can encrypt stored data within their applications to meet specific data security requirements. They also have the flexibility to implement their own data storage, key management, and retention policies as part of their application development.

AWS S3

Files uploaded as data sources for AI training are securely stored in Amazon Web Services (AWS) S3. AWS S3 protects these files from unauthorized access through encryption and access management features. All objects uploaded to S3 are automatically encrypted, and you can block public access at both the bucket and account levels using S3 Block Public Access. Additionally, S3 complies with various regulatory standards, including PCI-DSS, HIPAA/HITECH, FedRAMP, the EU Data Protection Directive, and FISMA, ensuring alignment with industry requirements. AWS also offers comprehensive auditing capabilities to track access requests to your S3 resources.

Web Messenger

The web messenger is a chat component that can be added to your website to facilitate AI communication with visitors. By default, it is loaded from AWS S3, utilizing the same security features provided by S3.

For added protection, AskHandle offers the option to integrate AWS WAF (Web Application Firewall). AWS WAF strengthens security by allowing you to control access to messenger distributions and block malicious requests before they reach your servers.

Encrypt Data in Transit

We use HTTPS for all applications and SSL for database connections to ensure the security of sensitive data during transmission to and from the applications.

Vulnerability Management

Our vulnerability management process is designed to address risks without requiring customer interaction or causing any impact. AskHandle is alerted to vulnerabilities through a combination of internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each identified vulnerability is reviewed to determine its relevance to AskHandle’s environment, ranked by risk, and assigned to the appropriate team for resolution.

AskHandle Platform Security

We conduct regular penetration tests, vulnerability assessments, and source code reviews to evaluate the security of our applications, architecture, and implementations. Third-party security assessments are performed across all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and verifying customer application isolation. AskHandle collaborates closely with external security assessors to ensure the platform and applications are secure and follow industry best practices.

Any issues identified within the AskHandle platform are risk-ranked, prioritized, and assigned to the appropriate team for remediation. Our security team reviews each remediation plan to ensure that the issue is resolved effectively and thoroughly.

Backups

Our databases are hosted on Heroku Postgres, which ensures strong data security through its Continuous Protection feature. All components are backed up to secure, access-controlled, and redundant storage.

Every change to your data is logged in write-ahead logs, which are securely stored in high-durability, multi-datacenter storage. In the rare event of hardware failure, these logs can be automatically "replayed" to restore the database to within seconds of its last known state.

The Heroku platform also offers rapid recovery, enabling databases to be restored to their most recent state, system instances to be redeployed from standard templates, and customer applications and data to be quickly recovered.

In addition to standard backup practices, Heroku’s infrastructure is designed to be fault-tolerant and scalable. It automatically replaces failed instances, reducing the need for manual restores and minimizing the risk of data loss.

Disaster Recovery

Customer Applications and Databases

Our platform automatically restores Heroku Postgres databases in the event of an outage. The Heroku platform is built to dynamically deploy applications within the cloud, monitor for failures, and quickly recover any failed platform components, including customer applications and databases.

Heroku Platform

The Heroku platform is designed for stability and scalability, with built-in measures to mitigate common issues that can lead to outages while ensuring reliable recovery capabilities. It maintains redundancy to eliminate single points of failure, can replace failed components automatically, and leverages multiple resilient data centers. In the event of an outage, the platform is deployed across multiple data centers using current system images, and data is restored from backups. Heroku thoroughly reviews platform issues to identify the root cause, assess customer impact, and continuously improve both the platform and its processes.

Customer Data Retention and Destruction

You have the flexibility to purge data from our databases to meet your own data retention requirements. If you close your account and request data removal, we will retain the database storage volume for 30 days. After this period, the data is automatically destroyed and rendered unrecoverable.

The decommissioning of hardware is handled by our infrastructure provider through a process designed to prevent any exposure of customer data. AWS follows established data destruction standards, including those outlined in DoD 5220.22-M ("National Industrial Security Program Operating Manual") and NIST 800-88 ("Guidelines for Media Sanitization"), to ensure complete and secure data destruction.

For additional information see: https://aws.amazon.com/security

Privacy

AskHandle has a published privacy policy that clearly outlines the types of data collected and how it is used. We are committed to ensuring customer privacy and maintaining transparency in our practices.

We take proactive steps to safeguard customer privacy and protect the data stored on our platform. Some of the built-in protections offered by Heroku’s products include authentication, access controls, encrypted data transport, HTTPS support for customer applications, and the option for customers to encrypt their stored data. For more information, please refer to our privacy policy.

GDPR commitment

We are dedicated to supporting our customers’ success, including ensuring compliance with the GDPR.

Compliance with the GDPR is a shared responsibility between AskHandle and our customers in how they use our services. AskHandle commits to fully complying with the GDPR in delivering our services. We are also focused on helping our customers meet their own GDPR compliance obligations. We have thoroughly reviewed the GDPR requirements and are actively making improvements to our products, contracts, and documentation to support full compliance.

WCAG 2.0 commitment

At AskHandle, we are dedicated to making our platform accessible to all users, including those with disabilities. We follow the Web Content Accessibility Guidelines (WCAG 2.0) at both Level A and Level AA to ensure that our web content is perceivable, operable, and understandable for everyone. By adhering to these standards, we aim to create an inclusive experience that meets the diverse needs of our users and ensures equal access to all our digital resources.

Personal Information Protection Law (PIPL) commitment

AskHandle is committed to adhering to the principles set forth in the Personal Information Protection Law (PIPL) of the People’s Republic of China. We prioritize the protection of personal data and ensure full compliance with PIPL regulations. This includes transparent data collection practices, secure processing and storage of personal information, and respecting individuals’ rights to control their data. By following these legal requirements, we aim to protect user privacy and uphold the highest standards of data security.

Access to Customer Data

AskHandle staff does not access or interact with customer data or applications during regular operations. There may be instances where AskHandle is requested to access customer data or applications for support purposes, or when required by law. Access to customer data is strictly controlled, and any interaction by AskHandle staff is authorized by the customer or mandated by the government. All access is documented, including the reason for access, actions taken, and the start and end times of support.

Employee Screening and Policies

As a condition of employment, all AskHandle employees undergo pre-employment background checks and must agree to company policies, including security and acceptable use policies.

Security Team

Our security team is led by the Chief Information Security Officer (CISO) and includes staff dedicated to application and information security. The team collaborates closely with both AskHandle employees and customers to manage risks and uphold our commitment to trust.