Security Overview
Updated: July 7, 2020
Introduction
Abridge has been architected and implemented, and is operated, with modern security practices in mind.
Vulnerability Reporting
If you have a security vulnerability to report, please email security@abridge.io or send a message through Keybase.
Cloud & Serverless
Abridge is built on Amazon Web Services and takes advantage of AWS's existing security posture. A variety of security controls, including encryption of data at rest and in transit, are deployed to protect Abridge systems and associated data.
Abridge primarily uses the following AWS services:
- CloudFront
- S3
- API Gateway
- Cognito
- Lambda
- SQS
- DynamoDB
Various other AWS services are used for secondary / supporting purposes.
Data Minimisation
Abridge was built with a goal of data minimisation. Only the set of data required to provide service to you is processed & stored. Specifically:
- You provide initial information about yourself and your organization.
- The necessary set of operational data is obtained from your connected provider(s) via API calls.
- This operational data is stored by Abridge for 48 hours and then deleted.
- A small set of metadata is retained to support recurring Abridge usage.
Customer Control Over Data Access
When a customer adds a new source to Abridge, they can revoke access at any time.
For AWS sources, you must grant Abridge access via a single AWS IAM role and the AWS-managed SecurityAudit IAM policy. The AWS-recommended method for granting access is used, employing an external ID to protect against the confused deputy problem and to ensure only Abridge systems can utilize this role.
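A customer-side check for the trust policy described above, as an added example that is not Abridge's own code: it flags a cross-account role whose trust policy omits the external ID condition or trusts a principal other than the vendor account. The account ID, external ID value, and all function names are constructed placeholders, and the check assumes the role trusts the vendor's account root.

```python
import json

VENDOR_ACCOUNT_ID = "111122223333"  # constructed placeholder, not Abridge's account

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, vendor_account_id):
    """Return problems found in a role trust policy; an empty list means OK."""
    findings = []
    allowed = {vendor_account_id, f"arn:aws:iam::{vendor_account_id}:root"}
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal")
        # Principal is either "*" or a mapping such as {"AWS": "..."}.
        names = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for name in names:
            if name not in allowed:
                findings.append(f"statement {i}: unexpected principal {name!r}")
        # Condition keys are case-insensitive in IAM.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for key, val in equals.items() if key.lower() == "sts:externalid"
               for v in _as_list(val)]
        if not ids or not all(ids):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings

def _policy(principal, condition=None):
    """Build a constructed sample trust policy."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

VENDOR = {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"}
WEAK = _policy(VENDOR)  # trusts the vendor account but omits the external ID
HARDENED = _policy(VENDOR, {"StringEquals": {"sts:ExternalId": "constructed-external-id-0001"}})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, json.dumps(trust_policy_findings(doc, VENDOR_ACCOUNT_ID)))
```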
Additional sources will be documented here as they are added.
Encryption
Data is encrypted in transit, with access to the Abridge application and supporting APIs via TLS 1.2. Please refer to SSL Labs scan results for the application and API.
Data is encrypted at rest. Encryption capabilities provided by the various AWS services utilized are enabled.
Authentication & Access Control
Authentication is handled by AWS Cognito. Abridge does not store user credentials.
Access control is enforced at multiple levels across the Abridge architecture.
Application Security
The Abridge frontend uses JavaScript (specifically, the Svelte framework) and the backend uses Python. Modern application security principles and processes have been applied during development.
Abridge gets an A+ grade from Mozilla Observatory and SSL Labs.
The following tools have been used as part of the build/deploy process:
- npm audit, checking for vulnerable JavaScript dependencies.
- Safety, checking for vulnerable Python dependencies.
- Bandit, checking for vulnerable Python code.
- Burp Suite, checking for common application vulnerabilities.
Application code is stored in a secured repository.
Infrastructure Configuration
Infrastructure-as-code tooling is used to define Abridge's AWS configuration. Regular execution maintains infrastructure state and flags variations against expected state, should they be introduced.
Infrastructure is managed using Terraform and regularly analyzed using tfsec.
Logging & Monitoring
Logging is enabled at multiple levels across the Abridge architecture, and centralized using AWS CloudWatch Logs.
Monitoring is performed using CloudWatch Logs, CloudTrail, and GuardDuty.
Additional Resources
Questions?
If you have any questions, please email contact@abridge.io.