writefastly represents the future of writing, and we are committed to offering a highly available and secure environment for content creation. This document highlights our security practices to provide insight into how we ensure security by design.
Safeguarding Customer Data
The writefastly Security team is responsible for implementing and managing our security program. The primary focus of the writefastly security program is to prevent unauthorized access, use, and disclosure of customer data. Our security program aligns with the AICPA Trust Services Principles and continually evolves in accordance with industry best practices.
Independent Confirmation
Customers may request copies of external reports by contacting us.
Security Compliance
writefastly constantly monitors and enhances the design and effectiveness of our security controls. We collaborate with a reputable third party for their independent assessment of our efforts. All internal and external audit findings are shared with executive management.
Penetration Testing
writefastly engages an independent third party to conduct annual network and application penetration tests. Identified findings are tracked to resolution, and results reports are shared with executive management.
writefastly Responsibility
Access Control
In provisioning access, IT adheres to the principles of least privilege and role-based access control, meaning employees are only authorized the access and permissions necessary to fulfill their job responsibilities. User access reviews, including production access, are performed semi-annually. Access to the production infrastructure and supporting systems requires Multi-Factor Authentication (MFA).
Employee access is revoked within two business days of an employee's termination. In cases of involuntary termination, access is revoked immediately.
Cloud Hosting
writefastly uses Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure as its cloud hosting providers. writefastly corporate offices do not host any data closets or servers; all data is stored in the US-East-2 region. writefastly employs serverless instances across AWS, GCP and Azure to ensure high availability of all services. Kubernetes node components are hardened and have a base configuration image applied.
Data Retention
writefastly retains data for the duration of the customer's use of the application. Customer data is removed upon request for user account deletion or upon customer contract termination. writefastly hosting providers, AWS, GCP and Azure, are responsible for ensuring proper sanitization of disks and physical media.
Encryption
writefastly encrypts all customer data at rest and in transit using robust encryption methods. All data is transmitted via HTTPS using TLS 1.2+ with AES-256 encryption and SHA-2 signatures, defaulting to TLS 1.3 based on client capability. Data at rest is encrypted at the storage level using AES-256. Database connections are verified using TLS certificates and encrypted in transit using SSL.
Encryption keys are managed by and stored securely within AWS, GCP and Azure. Access to encryption keys is restricted to limited, authorized personnel and requires MFA. All key usage is logged and monitored for anomalous activity.
Endpoints
Employees are provided with company-managed workstations. These workstations are configured with disk encryption, anti-malware, and idle lockout. IT monitors employee workstations to ensure compliance with corporate policy and up-to-date patches.
Logging
Centralized logging is enabled for all production systems. Logs are reviewed for indications of compromise and alerted upon. The Security team is responsible for monitoring alert thresholds and for tracking security events to resolution following the incident response plan.
Network
writefastly firewalls are configured to deny all incoming traffic by default. Firewall rules are reviewed at least annually. Alerts generated by the Intrusion Detection System (IDS) are sent to on-call personnel for investigation and triage. writefastly also utilizes a Web Application Firewall (WAF) and Content Delivery Network (CDN) to protect against common web application threats, such as Distributed Denial of Service (DDoS) attacks, and to provide faster access to the application.
Personnel
The security of the writefastly environment is the responsibility of all writefastly employees, contractors, and temporary workers who have access to writefastly information systems. All employees must have a completed background check on file before starting, in addition to signing confidentiality agreements.
All employees are required to complete security awareness training upon hire and annually thereafter. The training curriculum includes phishing awareness, remote work best practices, device security, and incident reporting. In addition to completing training, employees are required to review the employee handbook and code of conduct policy. Violations of any corporate policies may result in disciplinary measures up to and including termination.
Secure Development
writefastly has built a secure software development lifecycle (SDLC) that includes requirements such as peer code review. All code is managed in a version control repository, with branch protections in place. Access to source code requires MFA. Non-standard code changes go through a change management process covering emergency changes and hot fixes. The agile process allows engineers to follow their own release cycles, deploying continuous improvements to the writefastly application.
Third Parties
writefastly partners with a limited number of third parties to provide key services. These third parties, also known as subprocessors, are continuously monitored to ensure their security programs continue to meet writefastly standards. writefastly reassesses its subprocessors annually, including a review of their independent audit reports and penetration test reports. The full list of our subprocessors is provided below.
A sub-processor refers to a third-party data processor, including entities within writefastly, that has access to or processes Customer Content containing personal information. writefastly employs sub-processors to assist in providing the writefastly Services as outlined in the Master Subscription and Professional Services Agreement ("MSA"). Defined terms used herein carry the same meaning as defined in the MSA.
Due Diligence
writefastly assesses the security, privacy, and confidentiality practices of potential sub-processors that might access or process Customer Content. writefastly enters into Data Protection Agreements with each sub-processor. writefastly periodically updates the list of sub-processors used, providing notice of new sub-processors via this advisory.
Contractual Safeguards
The information in this advisory does not grant Customers any additional rights or remedies, nor should it be interpreted as a binding agreement. This advisory merely illustrates writefastly's engagement process for sub-processors and provides an up-to-date list of third-party sub-processors utilized by writefastly as of the advisory's date (which writefastly may use in delivering and supporting its Services).
If you are a writefastly customer and wish to enter into our Data Processing Agreement (DPA), please email us.
Entity Name | Function | Entity Country |
Chargebee | Billing | US |
Churnkey | Billing | US |
PayPal | Billing | US |
Stripe | Billing | US |
HubSpot | CRM | US |
Google Workspace | | US |
Postmark | | US |
SendGrid | | US |
FingerprintJS | Fraud Prevention | US |
Amazon Web Services | Infrastructure | US |
Cloudflare | Infrastructure | US |
Google Cloud | Infrastructure | US |
Microsoft Azure | Infrastructure | US |
Porter | Infrastructure | US |
Vercel | Infrastructure | US |
Slack | Internal Communication | US |
Datadog | Logging | US |
Mezmo | Logging | US |
Sentry | Logging | US |
Clearbit | Marketing & Analytics | US |
Google Analytics | Marketing & Analytics | US |
Mixpanel | Marketing & Analytics | US |
Sprinto | Privacy | US |
Calendly | Scheduling | US |
Help Scout | Support | US |
Linear | Support | US |
Retool | Support | US |
Userback | Support | US |
Vulnerability Management
Vulnerability scans are performed daily for in-scope systems. Identified vulnerabilities are remediated in accordance with severity.
Your Responsibility
Although writefastly is responsible for most security controls, our customers are responsible for securing their user accounts. This includes creating strong passwords if using Google for authentication, provisioning user accounts and permissions, and disabling accounts as needed.
Additionally, customers are responsible for determining the appropriateness of the data entered into the application. By default, writefastly handles limited customer Personally Identifiable Information (PII) (name and email). The sensitivity of the data that customers input to generate content is ultimately their responsibility. Customers should be aware that writefastly is not PCI or HIPAA compliant and should refrain from providing cardholder information and protected health information.
Conclusion
Securing and maintaining the privacy of customer information is essential to our company's mission. The success of our customers lies at the core of what we do. We hope this insight into our security program helps build and maintain your trust in writefastly.