PUBHUB SECURITY OVERVIEW
UPDATED JANUARY 2022
PubHub is committed to maintaining customer trust. The purpose of this Security Overview is to describe the security program for PubHub. This Security Overview describes the minimum security standards that PubHub maintains in order to protect Customer Data from unauthorized use, access, disclosure, theft, or manipulation. As security threats shift and evolve, PubHub continues to update its security program and strategy to help protect Customer Data. PubHub reserves the right to update this Security Overview from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview.
Uptime and Data Availability
We strive for 99.99% uptime.
PubHub uses AWS data centers, which have a reputation for being highly scalable, secure, and reliable.
Information about AWS audit certifications is available on the AWS Security website [https://aws.amazon.com/security](https://aws.amazon.com/security) and the AWS Compliance website [https://aws.amazon.com/compliance](https://aws.amazon.com/compliance).
The AWS data center infrastructure currently used in providing PubHub Services is located in the United States. Further information about the security provided by AWS is available on the AWS security webpage at [https://aws.amazon.com/security/](https://aws.amazon.com/security/). In addition, an overview of AWS's security process is available at [https://aws.amazon.com/whitepapers/overview-of-security-processes/](https://aws.amazon.com/whitepapers/overview-of-security-processes/).
PubHub's production environment within AWS, where Customer Data and customer-facing applications sit, is a logically isolated Virtual Private Cloud (VPC). All network access between PubHub's production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. PubHub's access controls ensure the confidentiality and integrity requirements for each Customer are appropriately addressed. These controls are in place so one customer's data cannot be accessed by another customer.
Security
PubHub carries out background checks on individuals joining PubHub in accordance with applicable local laws. PubHub currently verifies the individual's previous employment, and also carries out reference checks. Where local labor law or statutory regulations permit, and dependent on the role or position of the prospective employee, PubHub may also conduct criminal, credit, immigration, and security checks.
PubHub uses TLS 1.3 to encrypt all data in motion. All of our internal and external API endpoints are HTTPS only. Our data stores are encrypted at rest using the industry-standard AES-256 encryption algorithm. You can see more information [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html) and [here](https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html).
Any access to our infrastructure is protected through strictly managed asymmetric RSA keys. Anyone with access to the AWS console is required to enable 2FA. API keys and passwords expire every 60 days.
AWS data centers that host PubHub are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. More details about the physical security of AWS data centers used by PubHub are available at [https://aws.amazon.com/whitepapers/overview-of-security-processes/](https://aws.amazon.com/whitepapers/overview-of-security-processes/).
PubHub performs regular vulnerability security scans using Tenable (https://www.tenable.com).
If a vulnerability scan identifies vulnerabilities in your business unit or functional department, or you learn of new vulnerabilities, you are expected to remediate them.
Security Incident Management
PubHub utilizes AWS platforms and third-party tools to detect, mitigate, and help prevent Distributed Denial of Service (DDoS) attacks. Upon discovery or notification of any Security Incident, PubHub will promptly investigate such Security Incident and, to the extent permitted by applicable law, promptly notify Customer. Customers will receive notifications via email.
Resilience and Service Continuity
PubHub's infrastructure uses a variety of tools and mechanisms to achieve high availability and resiliency. PubHub's infrastructure spans multiple fault-independent AWS availability zones in geographic regions physically separated from one another. PubHub leverages DataDog to monitor performance, data, and traffic load capacity. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, our monitoring configuration allows us to proactively increase the infrastructure capacity. Any degradation of performance or outage also triggers alerts to our on-call engineers, who have the ability to take prompt action to correct the cause(s) behind these issues if auto scaling tools are unable to do so.
Backup and Recovery
PubHub performs regular backups of PubHub account information and data using Amazon cloud storage. Backup data are retained redundantly across availability zones and are encrypted in transit and at rest using 256-bit Advanced Encryption Standard (AES-256) server-side encryption.