Information Security Policy

Physical Security & Disaster Recovery

Clearbit’s services are hosted on Amazon Web Services, which enforces strong physical security practices at its datacenters (details of which can be found in this whitepaper). As described in the whitepaper, this includes, but is not limited to:

  • Nondescript, unmarked facilities
  • Strict physical access controls, including security staff, video surveillance, intrusion detection, and two-factor authentication
  • Logging and regular auditing of all employee access
  • Fire detection and suppression equipment
  • Fully redundant power supply, including the use of an Uninterruptible Power System and backup generators
  • Precise climate and temperature controls
  • Continuous monitoring and preventative maintenance of critical infrastructure
  • Storage device decommissioning process using techniques detailed in the NIST 800-88 guidelines

In addition to AWS’s physical security practices, Clearbit also adheres to the following practices with regards to its physical headquarters and offices:

  • Nondescript, unmarked facilities
  • Strict physical access controls, including security staff, video surveillance, and intrusion detection
  • Fire detection and suppression equipment
  • Logging and regular auditing of all employee access using an electronic access control system
  • Visitor access logging

Information and Data Security

  • Clearbit’s information security policy is reviewed with all new employees and available to all employees via Clearbit’s internal wiki
  • Employees are made aware of any information security policy updates and other security-related process updates
  • Clearbit’s network, application(s), and other services are subject to regular penetration testing
  • A private bug bounty and vulnerability coordination service is used to identify vulnerabilities within Clearbit systems
  • Clearbit’s network and AWS instances are continuously monitored for malicious and unauthorized behavior
  • Clearbit’s codebase is continuously and automatically scanned for critical vulnerabilities and other security issues

Device Management

A fleet management system is used to maintain a real-time inventory and manage all company laptops, allowing our team to enforce:

  • Software updates and patches
  • Full hard disk encryption
  • Local firewall enablement
  • Password strength and re-use policies
  • Screen lock / idle timeout guidelines
  • Prevention of app installation from untrusted sources

Network Access

  • Access to internal Clearbit services requires a connection to Clearbit’s VPN
  • All network traffic to Clearbit services is encrypted via TLS
  • Sensitive datastores are protected using Amazon’s Virtual Private Cloud service, which restricts ingress and egress to known subnets
  • Access to production systems and other sensitive services is restricted to authorized employees only
  • Access rights are regularly audited and revoked the day an employee or contractor separates from Clearbit
  • Employees are granted only the minimal level of access to Clearbit’s production systems required to perform their duties
  • All inbound email is scanned for viruses and other malware

Accounts and Passwords

  • Employees are required to use a password manager for all internal and third-party user accounts and are encouraged to use strong, frequently changed, random, non-shared passwords
  • Passwords to Clearbit user accounts are salted and hashed using industry standard hashing algorithms before storage
  • Clearbit user sessions expire after a period of inactivity

Certifications

Amazon Web Services maintains certifications and is audited regularly to maintain SOC 2 and ISO 27001 compliance, as well as other programs (see the full list here: https://aws.amazon.com/compliance). In addition, Clearbit’s credit card payment provider (Stripe) has been independently certified to PCI Service Provider Level 1 compliance and Clearbit’s use of Stripe addresses Clearbit’s PCI compliance obligations under SAQ A. No sensitive credit card data is stored on Clearbit’s services.