Customers can rest easy knowing that Fellow employs many security technologies and industry best practices to ensure that our product and systems stay secure. Some highlights of our Security Enablement program include:
SOC 2 Type II Compliance
Intrusion detection systems
Annual 3rd Party Pen Tests
Server uptime monitoring (see status page)
Ongoing Vulnerability Scans
Intrusion Detection Systems
Firewalls + Encryption on our Server Infrastructure
Protection of company personnel equipment (encrypted drives, virus scanners, ...)
SSO and Multi-Factor Authentication:
Fellow currently only supports signing into its product through Google Single Sign-on (SSO) or Office365 Single Sign-on (SSO). Using these authentication methods not only provides the convenience of SSO to users but has the added security benefits of not having to use username/passwords.
If you currently have Multi-factor authentication enabled through your Google or Office365 account, then all the same protection benefits will be shared when you use those credentials to log into Fellow.
User Permissions and Roles in Product:
Fellow allows for the designation of various roles within its product including administrator roles, manager-roles and individual-contributor roles. This permissioning ensures that important information is seen by the appropriate people and that organization-wide functions such as billing, account-wide templates and user management are only accessible by administrators.
Software Development Practices and Security
Fellow has in place secure software development practices outlined in its software development lifecycle documentation. We have in place code reviews with an emphasis on security, automated tests and manual tests that are in place before code is shipped to production. We further have separate environments for development, staging and production and do not use production data in staging/development. We have in place a full continuous integration CI pipeline that ensure that our full suite of tests are run before a production deploy.
Network and Application Security.
Fellow Server Infrastructure:
Fellow hosts its infrastructure on Amazon Web-Services (AWS) in the Canada Central region. AWS has a robust security infrastructure and has multiple security designations in place including SSAE16 and SOC2 certifications. More can be learned about AWS security here: https://aws.amazon.com/security/
Backup of Data
Fellow backs up all data on its system using AWS and maintains backups for a period of 30 days. This allows the team to be able to restore information in the event of a hardware failure. Notifications and monitoring have also been set up in order to ensure that these services continue to run as expected.
Fellow encrypts all communications between its services including communication between our application and end users’ browsers (HTTPS). Furthermore, all data at rest is encrypted using AES 256-bit encryption.
Fellow has an incident response plan in place that is reviewed regularly. This response plan ensures timely detection, mitigation and notification procedures for any incidents in place.
Disaster Recovery & Business Continuity
Fellow has in place a business continuity in addition to a disaster recovery plan in place so that our staff is ready to continue to serve customers even in the most unlikely of events.
Fellow has the ability to use multiple availability zones within the AWS infrastructure in order to spin up new servers in multiple locations in the event of a failure in a particular zone. Furthermore, Fellow has a disaster recovery plan and policy in place that is tested regularly to ensure that our procedure is always up to date
Employee Background Checks
New employees at Fellow must undergo both criminal background checks and reference checks before beginning employment at the company.
Confidentiality and Privacy
All Fellow employees and service providers sign confidentiality and non-disclosure agreements to ensure confidentiality of all information collected on our systems. Furthermore, our customer support personnel will only access customer information for the purpose of troubleshooting upon asking for permission from said customers. Such access is logged and is monitored by internal security personnel.
Fellow takes risk management seriously and has put in place a risk management policy, associated plan and risk mitigation strategies. We ensure that a risk assessment is performed at least annually or when warranted based on changes that necessitate the activity.
Fellow utilizes a centralized endpoint security solution, and ensures that all devices are up to date, clean from malware, and securely encrypted.
Fellow undergoes 3rd party vulnerability scans daily, ensuring that no vulnerabilities exist in our systems. Where such vulnerabilities are identified they are remediated immediately.
Static Code Scans
Fellow uses static code analysis tools for our backend systems and APIs as part of our CI/CD pipeline, ensuring no code is deployed without passing checks for potential vulnerabilities and anti-patterns.
Third Party Penetration Testing
Fellow commissions penetration tests from external security firms at least annually, ensuring that our software remains secure. Any potential vulnerabilities found are remediated in short order.
Access and Identity
Permissions and Authentication
Fellow employees internal security controls to ensure that only those that need access to critical services have access to them. We have strong password security requirements, use company provisioned password managers and enforce two-factor authentication on all critical infrastructure tools within the company. We ensure that encrypted communication using HTTPS/SSH are used where relevant. We further ensure that these access controls are reviewed regularly and our policies on provisioning and de-provisioning remain up to date.
Fellow implements a system to track employee access levels for all systems, and conducts regular access reviews to ensure that access is only provisioned based on the principle of least privilege. Internal and production systems are controlled tightly via Role-based Access Controls (RBAC).
Fellow employs a centralized password management system for all employees, ensuring a high level of password security and account hygiene.
SOC 2 Compliance
To affirm the effectiveness of our security posture, Fellow has been undergoing SOC 2 audits by an AICPA accredited third parties since 2020.
Our latest SOC 2 Type II report covers an observation period ending October 31, 2022, for the criteria of Security and Confidentiality. This report has a validity of 12 months from the end of the observation period. The report can be made available to current and prospective clients with a signed MNDA.
Fellow collects payment information through Stripe. PCI compliance information for stripe can be found here: https://stripe.com/docs/security