Security Overview

Updated: April 2, 2019

  1. Introduction
  2. Abridge been architected, implemented, and is operated with modern security practices in mind.

  3. Cloud & Serverless
  4. Abridge is built on Amazon Web Services and takes advantage of AWS's existing security posture. A variety of security controls, including encryption of data at rest and in transit, is deployed to protect Abridge systems and associated data.

    Abridge primarily uses the following AWS services:

    • CloudFront
    • S3
    • API Gateway
    • Cognito
    • Lambda
    • SQS
    • DynamoDB

    Various other AWS services are used for secondary / supporting purposes.

  5. Data Minimization
  6. Abridge was built with a goal of data minimization. Only the set of data required to provide service to you is processed & stored. Specifically:

    • You provide a small set of information about yourself and your organization.
    • The necessary set of operational data is obtained from your connected provider/s via API calls.
    • This operational data is stored by Abridge for 48 hours and then deleted.
    • A small set of metadata is retained to support recurring Abridge usage.

  7. Customer Control Over Data Access
  8. When a customer adds a new source to Abridge, they can revoke access at any time.

    For AWS sources, you must grant Abridge access via a single AWS IAM role and AWS-managed IAM SecurityAudit policy. The AWS-recommended method for granting access is used, employing an external ID to protect against the confused deputy problem and to ensure only Abridge systems can utilize this role.

    Additional sources will be documented here as they are added.

  9. Encryption
  10. Data is encrypted in transit. Access to the Abridge application and supporting APIs is via TLS 1.2.

    Data is encrypted at rest. Encryption capabilities provided by the various AWS services utilized are enabled.

  11. Authentication & Access Control
  12. Authentication is handled by AWS Cognito. Abridge does not store user credentials.

    Access control is enforced at multiple levels across the Abridge architecture.

  13. Application Security
  14. The Abridge frontend uses Javascript (specifically, the Choo framework) and backend uses Python. Modern application security principles and processes have been applied during development.

    The following tools have been used as part of the build/deploy process:

    • npm audit, checking for vulnerable Javascript dependencies.
    • Safety, checking for vulnerable Python dependencies.
    • Bandit, checking for vulnerable Python code.
    • Burp Suite, checking for common application vulnerabilities.

    Application code is stored in a secured repository.

  15. Infrastructure Configuration
  16. Infrastructure-as-code tooling is used to define Abridge's AWS configuration. Regular execution maintains infrastructure state and flags variations, should they be introduced.

  17. Logging & Monitoring
  18. Logging is enabled at multiple levels across the Abridge architecture, and centralized using AWS CloudWatch Logs.

    Monitoring is performed using CloudWatch Logs, CloudTrail, and GuardDuty.

    Questions?

    If you have any questions, please email contact@abridge.io.