Security and Compliance

You’re safe with PatchSimple

PatchSimple takes security very seriously. We understand we’re asking you to trust us, and we want to make sure you’re comfortable with our internal security practices, so that you know the data you store with us is well-protected and managed.

Compliance

Our production servers are currently hosted inside the Amazon AWS infrastructure. Please refer to their datacenter compliance documents at https://aws.amazon.com/compliance/.

Additionally, we are currently in the process of obtaining third-party certification of our internal systems and processes.

Employment

All employees undergo mandatory security awareness training as well as 7-year criminal and employment background checks prior to employment.

Access Controls

PatchSimple’s production infrastructure is access-controlled using multi-factor authentication. The production accounts use strict IAM roles and only key employees with a verified business need receive administrative access.

Application

PatchSimple’s private PKI is leveraged to create and manage all our certificates and keys, so all agent access can be easily revoked at any time. Server access is limited to key employees with a verified and documented business need, and requires both a private key and a password to be accessed.

The agent communicates with our backend servers using TLS 1.2 over the standard HTTPS port 443. All enabled cipher suites utilize Perfect Forward Secrecy (PFS) for key negotiation and AES-128 or higher encryption. When the agent first starts, it generates its own 2048 bit RSA keypair which is stored locally and never leaves the agent’s host system. The backend then issues the agent a certificate and trust chain to use for subsequent communications. After this setup process, all communication is mutually authenticated. For additional security, we are in the process of adding certificate pinning into the agent.

The PatchSimple agent does not listen on any ports, and thus provides no attack surface for a remote attacker.

Application services are additionally hosted inside containers, further restricting the access that a potentially compromised component can do. These containers are updated automatically with the latest security patches.

Monitoring

PatchSimple utilizes monitoring software to track all user logins and privileged commands, and to alert on any anomalies. PatchSimple (the product) is also used to ensure that all our servers remain fully patched.

Further, all log files are written to central log hosts which are monitored using OSSEC to catch any anomalous issues. This helps prevent log tampering during compromise of any edge host, as well as ensures that logged security issues do not go unnoticed.

Application

Access to the application requires HTTPS using PFS and AES-128 or higher encryption. Passwords are stored using a Bcrypt hash and are never stored in plaintext. The application contains active protections against cross-site-scripting(XSS) and cross-site-request-forgery(CSRF) attacks.

Data Protection

All database disk volumes utilize data-at-rest encryption, to prevent data access by unauthorized parties.