Security

Keeping our customers' data safe and secure is our top priority. Impact takes threats very seriously and works hard to protect our customers and their data. We are committed to complying with the relevant industry standards and best practices.

Infrastructure and Network Security

Physical Access Control

Impact is hosted on Amazon Web Services (AWS), a platform that maintains a rigid security program and has a world-class facility infrastructure. It deploys a comprehensive security architecture:

  • Network security
  • State-of-the-art data centers
  • Access control
  • Network Monitoring and Protection

Data stored in the AWS data centers is housed in nondescript facilities, which have the following characteristics to keep your data as safe as possible:

  • Controlled physical access
  • Fire detection and suppression
  • Power
  • Climate and temperature
  • Management

Impact employees do not have physical access to AWS data centers, servers, network equipment, or storage.

Vulnerability Management

Impact regularly scans all our assets for known vulnerabilities and remediates them accordingly.

Data segregation

Each Customer's data will always be segregated from other Customers' data through application logic and authorization controls.

Data Security and Privacy

Data Encryption

Impact encrypts data at rest using AWS KMS CMKs (Customer Managed Keys). This ensures that Amazon Web Services does not have access to the keys, which are managed exclusively by Impact.

Data in transit to and from Impact servers is encrypted over HTTPS, using Transport Layer Security (TLS) with modern cipher suites.

Off-site backups are encrypted at rest. Server configurations and secrets are stored in distributed, secure storage. All access to secrets is logged.

Data Privacy

Impact is an invite-only service, so profiles (such as your location, credits, etc.) are only visible to other members of Impact, who are also verified professionals. We never sell any of our customers' data.

Profiles are not public and therefore not searchable via any search engine like Google.

Customers can request removal of their data by emailing help@impact.net.

Application Security

Email Security

We may send password reset tokens and information about account usage via email. We never send secrets such as passwords or API keys over email. We avoid spoofing/spam using industry best practices, such as Sender Policy Framework (SPF) DNS records.

Secure Application Development (Application Development Lifecycle)

Impact practices continuous delivery in our software development. All code changes require one or more reviewers and must pass a series of automated tests before they can be merged and deployed. This process ensures the best code quality and response time to bugs or other code issues. Furthermore, Impact performs dependency scanning as well as automated tests that run as part of our development pipelines.

Audit Logs

Impact administrators can see an activity log of actions that have taken place within applications. Logged actions include user invitations, password changes, profile modifications and connection requests.

Corporate Security

Security Policies

Impact has a set of internal best practices that all employees must follow. These include:

  • Using Multi-Factor Authentication for remote access
  • Using strong passwords and unlock codes for all devices and private keys
  • Never leaving devices unattended, and setting auto-lock timeout policies
  • Proper physical security best practices in and around office spaces

Incident Management

For all relevant incidents, we will provide our customers with as much information as possible to enable them to communicate on their end where necessary.

Impact performs Root Cause Analysis for the relevant incidents, after which improvements are identified and implemented, in order to ensure the problem won't occur again.