Last updated on April 29, 2022
Assembly's SOC 2 Type II compliance is monitored by Vanta
We often get questions from our users about our security practices and what we’re doing to protect their data. And though we don’t want to reveal too much of what we do behind the curtain, we want to lay out some of the most important things we do to protect your data and also what you can do to protect your own data when using Assembly.
We take handling your data very seriously. We classify all data, and our employees are trained on proper handling of your (and our) data. Our employees are granted access to systems that hold your data on a “need-to-know” basis (i.e. if required to perform their job). Employees who have access to systems that hold your data are required to use strong passwords and multi-factor authentication.
We encrypt all communication between you and our applications using industry standard SSL/TLS encryption. Cloud Database provider encrypts all cluster storage and snapshot volumes, securing all cluster data on disk: a concept known as encryption at rest. We hash all passwords and have no way to decrypt them so if you forget your password, resetting it is the only option. We store all your data in ISO 27001 compliant data centers in the United States.
Credit Card Safety
When you purchase a paid subscription with Assembly, we neither store nor transmit your credit card information. We use Stripe, a PCI-DSS Level 1 compliant payment processor to handle all credit card transactions.
We Do The Right Thing
One of our core values is that we do the right thing. We embody this by keeping our technical stack, our application, and our business processes lean and free of unnecessary complexity. We automate as much testing, deployment and backup processes as possible to reduce any human error. All new code is seen by at least two pairs of eyes and evaluated against our secure coding standards. We regularly tear out code that has reached the end of its usefulness to keep our application simple, elegant, and secure.
We Get Stuff Done and Go Beyond
Another of our core values is that we get stuff done and go beyond. All of our employees receive regular security and data handling training to be made aware of common and new security threats and how to mitigate them. Our engineering staff are constantly evaluating and integrating new technologies into our stack and application to create the best possible user experience and to increase security.
We actively monitor security issues and releases of our technical stack and deploy patches as quickly as possible. We utilize multiple types of logging to monitor the live (and past) state of our application to help detect and recover from any security events. We maintain a list of our vendors’ security policies and monitor our vendors for security breaches that could lead back to our application.
We do more
This is not a comprehensive list of the security measures we keep to safeguard your data. If you have any more questions please contact us, we’re glad to answer any and all of your questions.
Use Multi-factor Authentication (or SSO)
Our application allows you and your colleagues to enable multi-factor authentication, which helps prevent unauthorized access. *If you already have a single sign-on at your organization (e.g. Okta, Azure SSO) we can provide integration to most SAML providers, which means you wouldn’t need to remember another password.
Manage Users Automatically
Manually adding and removing users and permissions can often be overlooked and are a common source of unauthorized access to data (i.e. it can be easy to forget to remove an employee from Assembly when they leave your organization). To prevent this, we recommend automatically managing users. Assembly provides integrations with ADP and Slack. Users can alternatively be managed by any IdP that supports the SCIM 2.0 protocol (Okta, Azure, OneLogin, G-Suite).
**Our application keeps security logs of user access (user logins and IPs) and many other events (e.g. changes to groups, changes of reviewers, etc…) which can be audited via audit log requests to firstname.lastname@example.org.
Learn about privacy settings
Reporting security issues
If you believe you’ve found something in Assembly that has security implications, please email them to follow our Responsible Disclosure Policy.
* SSO is included with some plans or can be purchased as an add-on for others.
** Security events are logged for all accounts, but these are only accessible on some plans.