To the credit of those asking, the questions we receive about remote work, global teams, offshore staff, Drupal in India and outsourcing have become more polished over time, but the core concerns are the same:
How secure can a fully-distributed, “global” Drupal delivery partner’s work be?
If they’ve employees based “offshore,” can they really be trusted with data?
Will working with an outsourcing partner risk security for our clients?
Axelerant is a globally distributed team of over 80, with trusted access to enterprise-level platforms and sensitive data. It’s worth mentioning that our engineering teams are trusted by leading technologists, account managers, CEOs and system administrators at Acquia, Stanford University, Wunderman, Red Hat, and many other incredible organizations.
Why do they trust us? In short, our protection, made up of technical and non-technical policies, procedures and controls, safeguards your organization from internal and external threats. Reading, understanding, accepting and adapting to Axelerant's security guidelines is part of every team member's induction process.
Our promise has to be that with us, your confidential data, financial records, and organization assets are safe from hackers, script kiddies, and spammers.
Because a chain is only as strong as its weakest link, Axelerant takes a holistic approach to cybersecurity, from planning to implementation, down to the level of the individual team member. This article specifically sheds light on security compliance at Axelerant.
Axelerant's Security Policies
Axelerant has established the following policy to safeguard the security, confidentiality, availability and integrity of our data and that of our personnel, partners and their end-clients. In particular, content management system, customer relationship management and e-commerce databases, and exports of those databases, are always treated as confidential, since they contain personal information.
What are the primary goals of our Security Policy?
Protect: clients' confidential and personal information
Reduce: potential liability of Axelerant
Maintain: a consistent policy that is easy to understand, implement and follow
Educate: our best practices for security throughout the Axelerant community
Demonstrate: to clients that we are trustworthy and satisfy contractual requirements for security
The policies divide information into two groups to keep them simple to understand.
Information we treat as confidential:
Personal information, for example, name, email address, mailing address, telephone, passwords, and all records and files directly relating to a person that are not publicly available
Proprietary client information, for example, intranet/extranet content, files or data, unpublished/staged content, project planning/design documents or source code produced by the client or 3rd party vendors. This may include information covered by a non-disclosure agreement (NDA), but even in the absence of such an agreement we treat information provided by clients as confidential unless instructed otherwise
Confidential business information of Axelerant or a client, including engagement terms
Communications involving legal advice or discussions that are intended to be protected by attorney-client privilege or the work product doctrine
Internal Axelerant information, for example, information regarding our IT security, accounting, finance or human resources, unless a member of the management team has agreed otherwise in advance
Information we do not treat as confidential:
Free and Open Source ("FOSS") licensed source code (e.g., GPL/AGPL), such as projects downloaded from drupal.org. This also includes all FOSS source code written by Axelerant, except for files containing credentials
Free and Open Source licensed creative assets (e.g., Creative Commons). This also includes project planning/design documents authored by Axelerant, as well as training materials and other incidentals, that have been designated Open Source
Information that is publicly available, including client information on public-facing web site pages
Additionally, all sensitive information is stored in LastPass's vault, which is secured with AES-256 encryption, salted hashing and PBKDF2 SHA-256. All the services and applications we use are hosted SaaS platforms with Two Factor Authentication (2FA) enabled. Axelerant also works under the guidelines of the partners who interface with the end-client, which adds an extra layer of protection.
Our team members are also instructed that if they are unsure about the confidentiality of a piece of information, they should ask someone who can give a qualified answer and, in the meantime, work from the assumption that the information is confidential.
Along with these internal best practices that we’ve built on over the years, our team members and clients are also provided with a secure project closure checklist. Here's a look at it:
Secure Project Closure Checklist
As part of our development best practices, we have captured important activities and checkpoints at various stages of development into checklists that we religiously follow.
Delete all Partner and Customer source code from your local machine and any other applicable instances, backups or copies
Delete all Partner and Customer data elements from your local machine and any other applicable instances, backups or copies
Delete all Customer databases from your local machine and any other applicable instances, backups or copies
Delete all Customer testing data from your local machine and any other applicable instances, backups or copies
Delete all Partner and Customer access configurations, for example, usernames, passwords, URLs, from your local machine and any other applicable instances, backups or copies
Delete all Partner- and Customer-related proprietary information from your local machine and any other applicable instances, backups or copies
Is Axelerant's security unbreachable? Well, is any agency’s security unbreachable? We are a work in progress and improving every day with measures such as sharing passwords and sensitive information only via LastPass and never through chat, even though Slack is a secure platform. We are scrutinizing more closely who gets access to which platforms, since they may contain sensitive client information. We have a team preparing additional security training and knowledge sharing sessions. We know what's ideal, and we are getting there.
To those with the responsibility of choosing, we get it.
Selecting a stable, secure Drupal agency partner with strict security practices can be daunting, especially if they’re located in a part of the world you’re unfamiliar with. But what’s riskier: an agency partner, or forming part of a team with unfamiliar freelancers or contractors?
With 8+ years of delivering enterprise-level Drupal projects with big names, it’s not just your agency’s brand or your client’s security on the line. It’s our reputation. By securing our services, we’re securing our future as the go-to global delivery partner.