security

Our Commitment

Security is critical in everything we do. If you have any questions after reading this, or encounter any issues, please let us know at security@10000ft.com

Product Security

Assign permission groups to teammates within the app. Permissions can be set to control access to and visibility of account settings, bill rates, budgets, project data, custom fields and user data, as well as the ability to modify the schedule or run reports.

Single Sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials, and also allows you to enable MFA.

Passwords are stored as secure salted hashes, for improved security.

We maintain uptime of 99.999% or higher. You can check our stats for the past 3 months at status.10000ft.com/.

Infrastructure Security

10,000ft runs entirely on Amazon Web Services (AWS) and hosts its services and data in multiple data centers in Oregon (us-west-2).

All data is stored encrypted and managed in Amazon Aurora and adheres to PCI, ISO and SOC compliance.

Our service is fault-tolerant up to the regional level. This means we ensure redundancy across multiple AWS availability zones and will remain available in the event an entire availability zone goes down.

We maintain a comprehensive set of disaster and recovery documents, coordinate simulated disasters and educate everyone on our team about the best practices during a disaster.

10,000ft implements a protocol for handling disaster and security events which includes escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.

All of our servers are within a virtual private cloud (VPC) where we follow AWS best practices to prevent unauthorized requests from reaching our internal network.

We monitor all activity in our infrastructure for things such as unusual activity, threats, and pending security patches using AWS services such as GuardDuty, Macie, and Inspector. In addition, we use AWS Security Hub to aggregate security findings into insights to help us continuously improve our cloud security. The 10,000ft security team is alerted anytime new findings are detected.

We take backups daily and store them encrypted in S3. The past 30 days' worth of backups are maintained.

Application Security

All application traffic sent to or from 10,000ft is encrypted using 256-bit encryption. We achieve an A+ rating using SSL testing services such as Qualys SSL Labs' tests.

We record all activity at the network and application level as audit logs, centralize logs using AWS services such as CloudWatch and Kinesis, and store logs encrypted in S3 for archival.

Yearly we engage third-party security experts to perform detailed penetration tests on the 10,000ft application and infrastructure.

We use Stripe to process all payments. Details about Stripe's security installment and PCI compliance can be found at https://stripe.com/docs/security.

Data Privacy and Access Control

Access to customer data is limited to authorized employees who require it for their job.

10,000ft employs a dedicated security team that can be reached 24/7 all year long to manage Vulnerabilities and Security Incidents.

10,000ft enforces strict identity verification for every person and device trying to access resources on a private network.

10,000ft applications are served 100% over HTTPS. We fully support HTTP/2 across all of our services.

10,000ft ensures all direct user PII is kept inside its secure cloud. Therefore we do not send direct user PII to any third-party services, with the exception of basic contact information to provide support.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, CodeShip, Microsoft, AWS and 10,000ft to ensure access to cloud services is protected.

Human Resources Security

All employees complete Security and Awareness training annually.

10,000ft maintains a comprehensive set of security policies and standard operating procedures that span a range of topics.

10,000ft performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

All employee contracts include a confidentiality agreement.