Security Statement

Last updated: 29/10/2018

If you observe any security issue and want to report it to UnderDefense, please email us at [email protected]

Operational Security

Employees

All employees receive regular information security and privacy training. Employees with access to production data receive additional training specific to their roles, and background checks are mandatory for employees with access to production data or production systems.

Security staff

We have dedicated security staff, including a Chief Security Officer and Certified Information Systems Security Professionals.

Security Assessments

We regularly conduct both internal vulnerability assessments (including architecture reviews by security professionals) and external vulnerability assessments.

IT Security Policies

Detailed internal policies dictate how we handle security and privacy incidents, including detection, response, forensics, and notifications. We incorporate security into our services development processes at all stages. From initial architecture considerations to post-release, security is built into all aspects of our services and development workflow.

Incident response

We maintain a robust incident response program with well-documented incident response, escalation, and notification plans, and trained personnel are available 24/7 to monitor and respond to any alerts or events that may indicate a more serious security incident.

Our response and escalation plans are tested on at least an annual basis, and detailed customer post-mortems are delivered within 3 business days of any major incident.

Secure Development Life Cycles – Code and Infrastructure

Design

Guiding security principles and required security training help to ensure UnderDefense technologists make the best security decisions possible. Threat assessments on high-risk features help to identify potential security issues as early in the development lifecycle as possible.

Code vulnerability testing

To prevent and address code-level vulnerabilities, we use secure coding patterns and static code analysis tools to identify and prevent security flaws. In addition to static code analysis, we run language and framework dependency checks to assess dependencies for known vulnerabilities.

Penetration Testing

Internal and external penetration tests are conducted quarterly by a qualified independent security organization. Any vulnerabilities found are documented and immediately remediated. Post-mortem analysis is performed to identify root cause and implement future controls.

Release management

Prior to release, we validate that the functionality being developed and maintained meets its internal security requirements. Post-release, we utilize independent security service providers to analyze and monitor the product for potential security issues.

Change Control

All new functionality requires extensive testing and peer-code review. Additionally, we provide explicit notice around any changes impacting customer experience or usage and are committed to working with our customers to minimize any negative impact from changes.

Security Architecture

Data encryption

Sensitive data is managed within UnderDefense. The UnderDefense encryption keys are stored and managed in a logically separate location.

Encryption

For data in motion, we require Transport Layer Security 1.2 with Authenticated Encryption mode ciphers. Data at rest is protected using the latest Authenticated Encryption with Associated Data (AEAD) mode symmetric ciphers.
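The transport requirement above (TLS 1.2 minimum, AEAD-mode ciphers only), as an added illustration that is not UnderDefense's own code: a Python `ssl` context enforcing that policy, plus a check that lists any enabled suite that is not AEAD. The cipher string and the AEAD name markers are my own choices, not taken from the statement.

```python
import ssl

# Cipher-suite families that provide AEAD in TLS: AES-GCM, AES-CCM and
# ChaCha20-Poly1305. Anything else (CBC-mode suites, NULL, RC4) fails the policy.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def aead_only_context() -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.2 and
    offers only AEAD cipher suites with forward-secret key exchange."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax (my choice of policy): keep ECDHE/DHE with
    # AES-GCM or ChaCha20-Poly1305, and explicitly drop anonymous and NULL suites.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL"
    )
    return ctx


def non_aead_names(names) -> list:
    """Return the cipher-suite names from `names` that are not AEAD suites.
    An empty result means the list complies with the stated policy."""
    return [n for n in names if not any(m in n for m in AEAD_MARKERS)]


def non_aead_ciphers(ctx: ssl.SSLContext) -> list:
    """Audit a live SSLContext: names of enabled suites that are not AEAD."""
    return non_aead_names(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = aead_only_context()
    print("minimum version:", ctx.minimum_version)
    print("non-AEAD suites enabled:", non_aead_ciphers(ctx))  # expect []
    # Constructed sample list mixing a CBC suite with AEAD ones.
    sample = ["ECDHE-RSA-AES128-SHA256", "TLS_AES_128_GCM_SHA256",
              "ECDHE-ECDSA-CHACHA20-POLY1305"]
    print("non-AEAD in sample:", non_aead_names(sample))
```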

Vulnerability Management and Monitoring

Our first priority is to mitigate risk to your data and our systems. Where reasonable, we work to remediate issues and minimize customer impact and interaction.

Any new incidents or vulnerabilities are immediately escalated to our security team, reviewed for applicability, risk ranked and assigned to be resolved by the appropriate UnderDefense personnel.

The latest applicable security patches and secure configurations are applied to all operating systems, containers, applications, infrastructure, etc. to mitigate exposure to vulnerabilities. Our environments are scanned regularly using best-of-breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and misconfigurations of systems and sites.

Availability

Capacity Monitoring

We’ve implemented tools to alert us when downtime thresholds have been reached. Additionally, we continuously monitor our availability and uptime by monitoring and evaluating our current processing capacity and usage so that we can best manage capacity demand and meet our availability commitments and system requirements.

Backups

We maintain a robust and well-documented recovery plan. We run daily backups of any changes and conduct a full backup on a weekly basis. Backups are replicated across multiple availability zones. Disaster recovery drills are conducted on at least an annual basis.

Risk Management

We conduct annual internal risk assessments to identify, prioritize and reduce or mitigate known risks. High impact risks are remediated immediately upon discovery. The entire assessment process is thoroughly documented and audited annually. Findings and remediation are reviewed, discussed and approved by our internal security team and leadership.