Security Overview
Updated: April 2, 2019

Abridge has been architected and implemented, and is operated, with modern security practices in mind.

Cloud & Serverless
Abridge is built on Amazon Web Services and takes advantage of AWS's existing security posture. A variety of security controls, including encryption of data at rest and in transit, are deployed to protect Abridge systems and associated data.
Abridge primarily uses the following AWS services:
- API Gateway
Various other AWS services are used for secondary / supporting purposes.

Data Minimization
Abridge was built with a goal of data minimization. Only the set of data required to provide service to you is processed and stored. Specifically:
- You provide a small set of information about yourself and your organization.
- The necessary set of operational data is obtained from your connected provider(s) via API calls.
- This operational data is stored by Abridge for 48 hours and then deleted.
- A small set of metadata is retained to support recurring Abridge usage.

Customer Control Over Data Access
When a customer adds a new source to Abridge, they can revoke access at any time.
For AWS sources, you must grant Abridge access via a single AWS IAM role with the AWS-managed SecurityAudit IAM policy attached. The AWS-recommended method for granting cross-account access is used: the role's trust policy requires an external ID, which protects against the confused deputy problem and ensures that only Abridge systems can assume this role.
Additional sources will be documented here as they are added.

Authentication & Access Control
Data is encrypted in transit. Access to the Abridge application and supporting APIs is via TLS 1.2.
Data is encrypted at rest. The encryption capabilities provided by the various AWS services utilized are enabled.
Authentication is handled by AWS Cognito. Abridge does not store user credentials.
Access control is enforced at multiple levels across the Abridge architecture.

Application Security
The following tools have been used as part of the build/deploy process:
- Safety, checking for vulnerable Python dependencies.
- Bandit, checking for vulnerable Python code.
- Burp Suite, checking for common application vulnerabilities.
Application code is stored in a secured repository.
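As an added example (not Abridge's code), here is the customer-side trust policy behind the external-ID arrangement described under Customer Control Over Data Access: the weak form with no condition beside the hardened form, plus an audit function that flags trust statements missing the sts:ExternalId condition. The provider account ID and external ID are hypothetical placeholders.

```python
# Added example (not Abridge's code): a cross-account role trust policy with
# and without the external-ID condition, plus an audit check for the weak form.
# Account ID and external ID are hypothetical placeholders.
from typing import List, Optional

PROVIDER_ACCOUNT_ID = "111111111111"  # hypothetical provider (deputy) account
EXTERNAL_ID = "cust-7f3a-example"     # hypothetical value the provider issues per customer


def build_trust_policy(provider_account_id: str, external_id: Optional[str]) -> dict:
    """Trust policy a customer attaches to the audit role. With external_id=None
    this is the weak form: anything in the provider account can assume the role,
    even while acting for a different customer (confused deputy)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{provider_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        # The provider must present exactly this value as ExternalId on AssumeRole.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statements_missing_external_id(policy: dict) -> List[int]:
    """Indexes of Allow statements granting sts:AssumeRole to an AWS account/user/role
    principal without an sts:ExternalId condition (service principals are skipped)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") != "Allow"
                or not actions & {"sts:assumerole", "sts:*", "*"}
                or (principal != "*" and "AWS" not in principal)):
            continue
        condition_keys = {
            key.lower()
            for operator, pairs in stmt.get("Condition", {}).items()
            if operator.lower().startswith("stringequals")
            for key in pairs
        }
        if "sts:externalid" not in condition_keys:
            findings.append(idx)
    return findings
```

Running `statements_missing_external_id` over the weak policy returns `[0]`; over the hardened policy it returns `[]`.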

Infrastructure Configuration
Infrastructure-as-code tooling is used to define Abridge's AWS configuration. Regular execution maintains the infrastructure state and flags any variations that are introduced.

Logging & Monitoring
Logging is enabled at multiple levels across the Abridge architecture and centralized using AWS CloudWatch Logs.
Monitoring is performed using CloudWatch Logs, CloudTrail, and GuardDuty.

Additional Resources
If you have any questions, please email email@example.com.