Organizational Data Management and Security
Data security is a core function of our organization and is the foundational requirement for all new feature development. Cascade Energy maintains Business Continuity and Disaster Recovery Plans and these playbooks are reviewed at least once a year through tabletop exercises. We also have a well-defined Incident Response Policy to aid us in the resolution of an incident and ensure that appropriate post-mortems and root cause analyses are completed, even for near-miss incidents.
All Cascade employees undergo a background check prior to hire and complete annual security training which covers topics such as data classification and privacy, information security, password security, phishing, and social engineering hacks. Energy Sensei developers also undergo additional annual training targeted towards software application security. We also identify Data Sponsors for each customer contract and the identified sponsors are required to do additional training around Data Security. Employee workstations are configured with full-disk encryption, strong password policies, and automatic software updates.
We store and protect client and customer data using secure infrastructure and highly available services and datastores in Amazon Web Services (AWS). The data is backed up regularly and the backups are also tested regularly following our Information Security Policy. AWS data centers are SOC 1, SOC 2, and ISO 27001 certified.
We follow the principle of least privilege, granting access to the infrastructure and application only as required to perform the required job function. AWS employs a robust security program with multiple certifications and attestations that, along with a shared security model with Energy Sensei, ensures our servers and your data are both physically and digitally secure.
Your data and metadata are encrypted at rest using an industry-standard AES-256 encryption algorithm. Web connections to Energy Sensei are through Transport Layer Security (TLS) 1.2 and above and insecure connections using TLS 1.0 or below are prohibited.
Application Security and Secure Software Development Lifecycle
The Energy Sensei Software Development Team follows a comprehensive approach to software development by adding security checks at each phase of our documented software development life cycle policy, from requirements gathering to deployment and maintenance. Security requirements such as role-based access control policies are written alongside feature requirements. This empowers our team to build secure applications from the outset. Our design practices enable us to design for privacy and intuitiveness by displaying the least amount of information necessary for a job function. Several types of automated testing such as integration, unit testing, and acceptance testing are integrated into the code development phase and all new code is peer-reviewed for functional completeness and accuracy. Manual QA tests are performed as a further final check before deployment to a production environment.
Energy Sensei infrastructure and source code undergo automated scanning for vulnerable packages and the identified vulnerabilities are mitigated according to the guidelines laid out in our Information Security Policy. The Energy Sensei application also undergoes annual penetration testing to uncover hidden system vulnerabilities that are remediated before they become an issue to our customers.