Keeping customer data safe and secure is our top priority. We work hard to protect our systems and customers from security threats and follow the highest security protocols in the industry. Our company has received the ISO 27001 and SOC 2 certifications and we are GDPR compliant; we are actively working towards CPRA (formerly CCPA) compliance. You can read about our security programs and practices below.
At C6 Insights, we pride ourselves on keeping our security, data, and service policies updated and public.
All our employees and contractors (workers) sign confidentiality agreements before gaining access to our codebase and data. Every employee is trained and made aware of security concerns and best practices for their systems, during onboarding as well as on a periodic basis. We log all access to all accounts by IP address. Access is granted to production servers only as required and is provisioned on an as-needed basis.
Access to servers is limited by role-based access through IAM, which enforces segregation of duties and two-factor authentication.
C6 Insights servers that persistently store customer data are hosted by Amazon Web Services (AWS). AWS's data center is SOC 1, SOC 2 and SOC 3 compliant. AWS also logically isolates each customer’s Cloud Platform data from that of other customers and users. All data is stored and processed in AWS US West (Oregon) Region located in the United States.
Custom-designed electronic access cards
Alarms
Vehicle access barriers
Perimeter fencing
Metal detectors
Biometrics
Data Center floor features laser beam intrusion detection
24/7 high-resolution interior and exterior cameras that can detect and track intruders
Access logs
Activity records
Camera footage is available in case of incident
Patrolled by experienced security guards
Rigorous background checks and training
Redundant Power Systems
Environmental controls
Diesel engine backup generators
Cooling systems
Fire Detection and Suppression equipment
For further information on AWS Security and Compliance, refer to the following links
We maintain a robust application security program, covering the following:
During software design through security reviews and risk assessment
During implementation through security development training for employees and secure code review guidelines
During deployment through strict manual and automated code review requirements
Customer passwords are hashed and stored using the bcrypt algorithm
The C6 Insights Incident Management policy requires that any and all suspected or confirmed Data Security incidents be reported immediately to the Data Protection Officer (DPO). An ‘incident’ is defined as any event that compromises the integrity, confidentiality or availability of an information asset. The DPO will engage with the Incident Response Team and coordinate with management and legal counsel to take appropriate actions to meet our obligations and mitigate the impact of the incident on consumers, employees or the Company.
Our disaster recovery plans require that data in the production environment be frequently snapshotted and stored durably in multiple geographic locations in the US. Backups are maintained for the duration of the customer relationship and for one year after the termination of an agreement unless otherwise specified or required by law.
In the event of an exception, operations personnel perform troubleshooting to identify the root cause and then re-run the backup job immediately or as part of the next scheduled backup job.
Backup infrastructure is maintained in AWS, with physical access restricted according to applicable AWS policies. All backups are encrypted using KMS-managed encryption keys, with access restricted to key personnel via AWS IAM permissions.
When a user uses the C6 Insights platform, details of their interactions are captured and sent to C6 Insights through API calls secured over HTTPS, based on configurations set by the customer. All of our other APIs and websites use HTTPS exclusively. All data transferred over HTTPS is encrypted. C6 Insights uses SHA-256 with RSA encryption compliant cipher suites to secure data in transit. Further, the data is encrypted and authenticated in transit at one or more network layers when data moves outside physical boundaries not controlled by AWS or on behalf of AWS. All our servers are hosted within a Virtual Private Cloud with fine-grained security control. Within our datacenter VPCs, data may be transferred unencrypted. Further details may be found here.
Your data is encrypted using the 256-bit Advanced Encryption Standard (AES-256), or better, with symmetric keys: that is, the same key is used to encrypt the data when it is stored, and to decrypt it when it is used. These data keys are themselves encrypted using a key stored in a secure keystore, and changed regularly. Further details may be found here.
Customer data is secured in transit using TLS and encrypted at rest within the application. C6 Insights also logically separates data across accounts and access to your data is protected by strong authentication and authorization controls.
All customer data is tagged with a project-specific token, and a customer must have access to the corresponding API key and secret in order to retrieve that data via API (access to the web UI is controlled via username and password). This provides logical separation between data belonging to multiple clients. C6 Insights is the sole tenant on our infrastructure. A customer’s data may reside on database systems which house data belonging to other customers, but our logical controls (token, key and secret) separate one client’s data from another’s.
C6 Insights is a carbon management platform providing industry-leading emissions and sustainability analytics for vehicle fleets. Our mission is to accelerate the decarbonization of the transportation sector through better measurement, education, and engagement, showing companies how they can benefit financially by reducing their carbon footprint.