Security and Privacy

Backstory takes security and data privacy very seriously. We are committed to protecting your data and maintaining confidentiality at all times. Our full Security and Privacy policies are available on our website; however, we've provided a high-level breakdown of our main practices below.

Security

Backstory is committed to your security and trust, and therefore has a robust security infrastructure in place to safeguard your data across our entire suite of services.

Backstory Access to Your Instance

No one at Backstory can access your instance without your approval. Backstory may need access to your instance to reproduce and troubleshoot issues you report, change or test system configurations, or create reports and dashboards on your behalf. If access is required, Backstory will request impersonation access to your instance, which enables logging in as one of the users in your organization to view data and configuration settings.

When Backstory requests access, all approvers in your organization will receive a notification via email. By default, all users with the Admin role in your organization are approvers. If you want to designate only specific users as approvers, you can do so by selecting the “Impersonation Approvers” top-level menu option and adding the specific users to the approvers list.

Approvers can also view a list of all access requests directly in the Backstory application, via the “Impersonation Access” top-level menu.

The request details include a justification for why access is needed, along with the duration for which access is required. If you approve the request, Backstory will be able to access your instance via impersonation for the specified duration. At the end of the duration, the grant will automatically expire, and Backstory will no longer have access to your instance.

You can also revoke access to your instance at any time by choosing the “Deny/Revoke” option for the request. This can be done even if you have already approved the request.

All impersonation events and actions taken by Backstory are logged. To view a log of all impersonation actions taken by Backstory on your instance, please contact your Customer Support Manager.

Administrators in your organization can access your instance through impersonation to troubleshoot issues, support users, or manage configurations on the organization’s behalf. Using the Backstory application, administrators can impersonate users to view data and settings exactly as those users see them.

Customer Protection

  • The foundation of our security begins with our employees, all of whom undergo thorough background checks and extensive vetting prior to being offered a position on the team.

  • The Operations and Security teams monitor the platform 24 hours a day, 365 days a year, to ensure it is never compromised.

  • Customer data is stored in a separate instance in our database and is never shared with external parties.

Infrastructure Security

  • Backstory’s production, staging, and development environments are hosted by AWS (Amazon Web Services).

  • Our hosting strategy, utilizing AWS, includes multi-zone protection across multiple locations. In the event of an outage at one of our hosting facilities due to a disaster, we ensure the continued availability of all activity data.

  • Each AWS data center is monitored 24/7 by security personnel, including those responsible for video surveillance, and physical access is strictly controlled.

  • AWS data centers are certified to SOC 1, SOC 2, SOC 3, ISO 27001, and ISO 27018 standards by independent third-party examinations.

Application & Network Security

  • QA and security teams thoroughly test every major release before it is made available.

  • Amazon’s WAF (Web Application Firewall) technology blocks attacks before they even begin.

  • We use SSL to encrypt all data transferred to and from our servers.

  • Backstory's database is accessible only to certain Backstory employees who require such access to build or maintain the Backstory product, and multi-factor authentication is required to access Backstory servers.

  • Distributed Denial of Service (DDoS) mitigation services are in place to protect servers.

For more information on AWS security policies, please visit AWS Cloud Security.

Privacy

At Backstory, we respect your personal privacy and believe in being transparent about how we use your activity data and personal information.

We do not share your email address or the email addresses of your contacts with any external parties. Again, please visit our Privacy page for complete details.

If you have any concerns about the security or privacy of your data, please contact us at support@backstory.ai.
