Security

Last updated: Feb 1, 2015

We at Allay Inc. (“Allay” or “we”) have followed industry-standard security practices throughout the process of building the Allay product. Some of these practices include:

  • End-to-end encryption of all data transmitted (SSL)
  • Separation of machines housing critical data from machines running front end applications
  • Encryption of documents stored with Allay (S3) with timed expiration of 15 mins.
  • Strict access controls for each piece of data (i.e. documents, employee records), defined by both Allay and the client
  • An audit system which records each transaction built into the core of the product
  • Physical access to machines is allowed only for the authorized vendor; not even Allay employees can physically access them
  • Code deployment which keeps all software up to date with the latest security patches
  • Data is encrypted at rest using the industry-standard AES-256 encryption algorithm

Allay relies heavily on Amazon Web Services (http://aws.amazon.com) for most of our infrastructure. Other companies which utilize this infrastructure include FDA, Netflix, Adobe, Suncorp, Dow Jones (others can be found here).

We rely on a Software as a Service (SaaS) model. This means we have one centralized location for our application and can keep critical applications up to date with the latest security measures, greatly reducing the amount of time required to deploy security patches (compared to traditional on-premise solutions).

Also, to comply with e-signature laws, we must keep signed documents in their original form, which cannot be changed by the user.

How to Contact Us

If you have questions about our security policies, please contact us via e-mail at info@allay.io with “SECURITY POLICY” in the subject line.