Security and Trust
Last Revised: Nov 13, 2024
We appreciate and value our customers' trust - the quality and security of our systems are important aspects of our everyday practices.
Compliance
SOC2 Compliance
Currents achieved SOC2 Type 1 compliance in Nov 2024. We are currently in the middle of the observation period for Type 2 certification. The SOC2 report is an independent third-party examination report that demonstrates how Currents addresses key security principles and criteria. Our SOC2 report is available upon request; please use the link below to request a copy.
CSA STAR Level 1
The Cloud Security Alliance's Security, Trust, Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices. Our CSA CAIQ 4.1 self-assessment questionnaire, which is based on the Cloud Controls Matrix and the CSA Code of Conduct for GDPR Compliance, is available for your convenience.
EU Customers
We value your privacy and your rights as a data subject and have therefore appointed Prighter as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit: https://prighter.com/q/15737831043
Product Security
We are committed to using the industry's best practices and controls to ensure that we provide secure and reliable service to our customers.
Authentication
We use AWS Cognito to store and authenticate our Services' users - the credentials are available only to the users themselves and are never exposed to our personnel.
Permissions
Permission levels within the app can be set for your teammates. Permissions can be scoped to cover app settings, billing, and the performance of critical activities.
Password and Credential Storage
The credentials and authentication logic are protected by a well-known and established vendor.
Uptime
We have an uptime of 99.8% or higher. Our status page is available at status.currents.dev.
Network and application security
Data Hosting and Storage
Currents services and data are hosted in Amazon Web Services (AWS) facilities (us-east-1) in the USA.
Failover and DR
Currents was built with disaster recovery in mind. All of our infrastructure and data are spread across 2 AWS availability zones and will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
Backups and Monitoring
We perform periodic backups of customer data and service metadata to ensure reliable recovery if needed.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Currents is served 100% over HTTPS.
We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on GitHub, Google, AWS, and MongoDB to ensure access to 3rd party services is protected.
Encryption
All data sent to or from Currents is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
Pentests and Vulnerability Scanning
Currents uses third-party security tools to periodically scan for vulnerabilities at the application and network layers.
Vulnerability Disclosure
The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. We encourage security researchers to report any security vulnerabilities they find to us.
Rules of Engagement
Security researchers must not:
- disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below,
- engage in social engineering,
- send unsolicited electronic mail to Currents users, including “phishing” messages,
- execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
- introduce malicious software,
- test in a manner which could degrade the operation of Currents systems; or intentionally impair, disrupt, or disable Currents systems,
- test third-party applications, websites, or services that integrate with or link to or from Currents systems,
- delete, alter, share, retain, or destroy Currents data, or render Currents data inaccessible, or
- use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Currents systems, or "pivot" to other HHS systems.
Reporting a Vulnerability
We accept vulnerability reports at security@currents.dev. Reports may be submitted anonymously.
Information submitted will be used for defensive purposes only, to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely Currents, we may share your report with other organizations, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without your express permission.
By sending a report you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Currents systems, and consent to having the contents of the communication and follow-up communications.
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the vulnerability, where it was discovered, and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
Disclosure
Currents is committed to the timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is more likely to increase risk than to decrease it.
Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.
Have any questions?
If you have any questions (or comments) concerning this document, please send us an email at support@currents.dev and we will make an effort to reply within a reasonable timeframe.