Overview
Locale is committed to building a business event monitoring platform that's held to the highest possible security standards, as we work with large logistics, financial, and healthcare enterprises to enable proactive operations on top of their data.
This document breaks down our security and infrastructure in greater detail and also outlines a couple of options each customer has for data transfer and storage, with associated considerations.
Basic Architecture Overview
Locale connects to your data warehouse (similar to any Business Intelligence tool). We can connect through an SSH or reverse SSH tunnel, and once the connection is established you can define, via SQL, the events you want to monitor and send to downstream tools. Read our database connection document for more information on how you can connect your database or data warehouse.
An alert definition defines what notifications to send and how often they should run. When a Locale run initiates, Locale executes the SQL query associated with your alert on your data warehouse, identifies only the incremental rows that need to be sent to the associated downstream tool or alerted on, and then translates these rows into the appropriate API calls for sending you the alert.
Customer data flows through our infrastructure only during an "alert run" and is encrypted in transit via TLS while it is in our system. Our compute instances are not exposed to the internet and are secured according to GCP cloud security best practices.
After sending data downstream, Locale stores the full query results in a database, encrypted with standard AES-256. These results are used only to check for incremental rows in subsequent runs and to avoid spammy alerts. Only the results of your last run are actively stored, and all previous data is deleted permanently from the system.
Data Flow
Data into System
Data into the system only comes from running SQL queries on top of your warehouse or through our API triggers. The data only goes through the platform during an active run and no data is queried or stored outside of it.
Data at Rest
Customer data stored in the Locale.ai platform consists of the results of an active run. Only the latest run results are stored, in order to deduplicate data for subsequent runs. All stored data is encrypted with AES-256.
Secure key management: We define an encryption approach that includes the storage, rotation, and access control of keys to provide protection for content against unauthorized users and against unnecessary exposure to an authorized user.
Data through System
Locale.ai encrypts all data entering or leaving Locale.ai infrastructure with TLS/HTTPS. Additionally, each account’s data is logically separated, and access to your data is protected by strong authentication and authorization controls.
Data out of System
Locale.ai integrates with a variety of third-party tools so developers can combine error data from Locale.ai with data from other systems, manage workflows efficiently, and be alerted of errors through notification and chat tools, in addition to email and SMS. Therefore, Locale.ai’s high standards for security and compliance also extend to its partner network.
Access Security
Permissions and Authentication
Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their roles. Where available, we use Single Sign-On (SSO), two-factor authentication (2FA), and strong password policies to ensure access to cloud services is protected.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management.
Quarterly Access Reviews
We perform quarterly access reviews of all team members with access to sensitive systems.
Password Requirements
All team members are required to adhere to a minimum set of password requirements and complexity for access.
Password Managers
All company-issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Infrastructure and Network Security
Physical Security
Locale.ai is hosted on the Google Cloud Platform with dedicated infrastructure for each of our clients. Locale.ai employees do not have physical access to GCP data centers, servers, network equipment, or storage.
Logical Access Control
Locale.ai is the assigned administrator of its infrastructure on GCP, and only designated authorized Locale.ai operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.
Access Logging
Systems controlling the management network at Locale.ai log to our centralized logging environment to allow for performance and security monitoring. Our logging includes system actions as well as the logins and commands issued by our system administrators.
Third-Party Audit
Google Cloud Platform (GCP) undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Contact us
If you have any comments, concerns, or questions about data security, privacy policy, or our privacy practices in general, please send an email to security@locale.ai.