Split's security program includes appropriate technical and organizational safeguards that help protect your data as it moves through the Split service. Information about these safeguards is organized by category. Our security program documentation describes additional safeguards we maintain. Should you have any questions, please contact our support team at support@split.io or our security team at security@split.io.
Authentication and authorization
User account assignment. We assign individual user accounts to personnel who access Split systems and devices. These assignments help us monitor and enforce accountability of user activity.
User-level privileges. Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.
Multi-factor authentication. We enforce multi-factor authentication to better secure our computing resources from unauthorized logins.
Application security
Secure software development. We provide training to Split developers to help identify and prevent common software vulnerabilities and to comply with applicable privacy laws. Developer code undergoes peer review prior to deployment, and internal security engineers and third-party security auditors periodically analyze code for software components with higher potential security risk.
Web application security review. A third party assesses the security of the Split web application annually. We address findings from this assessment according to the risk they pose to the security of the Split service.
Network and infrastructure security
Network security reviews. We regularly perform vulnerability scans and third-party penetration tests on the Split network. We review and address findings from these activities to help maintain the security of our network.
Configuration standards. We document and follow configuration standards to maintain secure systems and network devices. These standards include business justification for used ports, protocols, and services, as well as the removal of insecure default settings.
Vulnerability and patch management. To maintain awareness of potential security vulnerabilities, Split subscribes to several security distribution lists. We validate and implement security patches for critical vulnerabilities within 24 hours of discovery. For non-critical vulnerabilities and updates, we schedule and deploy vendor-provided patches on a regular basis.
Encryption
Secure data transmission. Split leverages in-transit and at-rest encryption to help secure data sent between Split and our cloud infrastructure provider.
Key storage and access security. We store private keys in encrypted repositories, and we restrict access to personnel who support our key management processes.
Datacenter and physical security
Split hosts its application in Amazon Web Services. As such, data center and physical security is not applicable.
Business continuity and operational resilience
Service failover. We deploy cloud-hosted products in multiple infrastructure availability zones to help maintain those services when operational issues occur. If a service fails within a single availability zone, Split will automatically fail over to another availability zone.
Service monitoring. We monitor multiple internal and external reporting channels to detect service-related issues. Personnel are available 24x7x365 to confirm and respond to disruptions of the Split service.
Communication and reporting. We update impacted customers using various communication methods (such as status.split.io), depending on an incident's scope and severity.
Security and incident management
Security response. We monitor a variety of communication channels for security incidents, and our security personnel will react promptly to known incidents.
Incident response plan. We maintain a formal incident response plan with established roles and responsibilities, communication protocols, and response procedures. We review and update this plan periodically to adapt it to evolving threats and risks to the Split service.
Incident response team. Representatives from key departments help address security-related incidents we discover. These personnel coordinate the investigation and resolution of incidents, as well as communication with external contacts as needed.
Breach notification. Split will notify affected customers without undue delay and, in any event, within 48 hours of validating an unauthorized disclosure of customer confidential information. When required to do so under applicable privacy laws, Split will notify relevant regulators and data subjects.
Logging and monitoring
Log analysis. We aggregate and securely store Split internal system activity. Monitoring these logs helps us discover and investigate potential security issues.
Change and configuration monitoring. We use multiple monitoring and alert mechanisms to enhance the visibility of technology changes and help ensure adherence to our change management process.
Intrusion detection. We maintain mechanisms to detect potential intrusions at the network and host level. Our Security team inspects and responds to events these detection measures discover.
Customer and end user data management
Account Controls. Our platform supports fine-grained access controls that allow your team to specify who can access what and limit access to those who need to access customer and end-user data. Split ensures that its employees who have access to customer and end-user data have an appropriate obligation of confidentiality.
Data Isolation. Customer data is stored in our production environment under strict access control, logging and monitoring.
Secure Deletion. Our secure delete processes ensure that customer data that is no longer needed is securely disposed of by deleting it or anonymizing it.