Security

LAST UPDATED: 03/07/2022

At Momentum, we take our customers’ data very seriously. Since day one, security and privacy have been “job zero” for us and part of every decision that we make. Momentum is currently SOC-2 Type 2 certified and this has been attested by an external auditing firm. Check out the Compliance section below for more details.

All our infrastructure is hosted using Google Cloud Platform managed services. What this means is that all our applications and platforms follow the best industry standards available in terms of security, reliability, privacy and encryption that Google can provide.

Google Cloud Platform complies with dozens of Security Frameworks and Standards and by only selecting managed services, we ensure that we leave the heavy lifting of managing and securing the underlying infrastructure to GCP.

We integrate with external services such as Salesforce, Slack and Asana but we do so by following their strict API-level authentication requirements and adhering to the permissions that customers grant to Momentum on these platforms, giving you full control over our access.

Below are some of the security features of our platform. If you wish to discuss further or have any questions or concerns, please contact us at security@momentum.io. For our Privacy Policy, please see https://momentum.io/privacy-policy/

Infrastructure

We only use GCP Managed services and we physically and logically isolated them on a private VPC network. Both network traffic and access control is strictly controlled and we follow a “Zero Trust” model. An example of this is our usage of GCP’s IAP (Identity-Aware Proxy), where having access to the private network is not enough to access a given system, and also being able to identify the user and grant access to the resources based on the user role and permissions is required.

As part of our continuous compliance and DevSecOps practices, we monitor GCP security event streams, like Container analysis and vulnerability scanning. We are notified when our base images have any vulnerabilities and take immediate action.

Application

We use Auth0 for user authentication both for customers and internally. We integrate it with our SSO solution to ensure employee access to our platform is verified and MFA is enforced. Our release pipeline is designed to only deploy changes to production that have been tested and approved by Application Code Owners. We thoroughly test every change on our pre-production environments before shipping it to production. We include security checks early in the release process to reduce the risk of introducing security bugs.

We use LaunchDarkly Feature Flags to quickly enable or disable product features for customers.

Company

We perform security background checks for all prospective employees prior to making an offer of employment. Our onboarding process also focuses on security and privacy. We require all employees to complete security training. We deploy a company-managed security solution agent to ensure workstation hard drives are encrypted, a password manager is being used and an antivirus solution is installed. Our security solution will alert us if any of these ever change on any workstation, which ensures we stay compliant.

Backups and Disaster Recovery

All of our Databases are hosted on GCP private networks and use Google Cloud Managed services exclusively. This includes Cloud SQL or Cloud Memorystore.

Access to databases is provided only to applications or select engineers via a GCP-managed IAP bastion server and Cloud SQL Auth proxy in order to provide IAM-based authorization and encryption when connecting to a Cloud SQL Instance.

Daily backups are enabled for all databases, as well as continuous point-in-time backups that allow us to restore data from any point in the past.

We follow GCP Best practices in terms of running our platform with High Availability and Fault Tolerance in mind and we are continuously iterating on this front. We take good pride in our technology stack and ensure it’s always improving. As Gene Kim put it in the Phoenix Project, “If you are not improving, entropy guarantees that you are actually getting worse, which ensures that there is no path to zero errors, zero work-related accidents, and zero loss.”

Encryption

We use encryption-at-rest on all our databases and more specifically, the 256-bit Advanced Encryption Standard (AES-256), with symmetric keys managed by GCP. These data keys are themselves encrypted using a key stored in a secure keystore, and changed regularly.

In terms of encryption-in-transit, we enforce HTTPS communication on all of our services and use SSL SHA-256 ECDSA Certificates running on the latest TLS 1.3.

Compliance

As of March, 4th 2022, Momentum is officially SOC-2 Type 2 certified. We are thrilled about this, as not many companies of our size and stage achieve SOC-2. This is a testament to the continuous efforts we put towards Security and Privacy for our customers. If you are interested in our SOC-2 report, we are happy to share it after a NDA signature.

We also engage with an external security firm for Penetration Testing exercises on a regular cadence and can share these reports with customers and prospects upon NDA signature. For GDPR, CalOPPA and other privacy related matters, check out our Privacy Policy.

What’s next?

We believe that it’s not possible to be 100% secure in the current landscape of evolving threats. That’s why we always incorporate a percentage of security-related improvements to all of our development cycles and try to bring security in as early in the planning process as possible. If you have any questions or want to discuss further please reach out to security@momentum.io. We hope you found this article useful!