Security at Assura

Infrastructure

Cloud hosting — Amazon Web Services (AWS)

The Assura platform is deployed on Amazon Web Services, one of the world’s most widely used and audited cloud infrastructure providers. AWS maintains certifications including ISO 27001, SOC 1/2/3, and PCI DSS. Our deployment uses a high-availability architecture with automated failover to minimise downtime.

• All compute and storage runs within logically isolated Virtual Private Cloud (VPC) environments
• Automated daily backups with point-in-time recovery capability
• Infrastructure patching and updates applied on a regular schedule

Database — MongoDB Atlas

All platform data is stored in MongoDB Atlas, a fully managed cloud database service with built-in security controls.

• AES-256 encryption at rest applied to all data by default
• Network access restricted by IP allowlist — no public access to database endpoints
• Database audit logging enabled for all data access and modification events
• Automated backups retained for 30 days with one-click restore

Network — Cloudflare

All traffic to the Assura platform and website is routed through Cloudflare’s global network.

• Enterprise-grade DDoS protection with automatic mitigation
• Web Application Firewall (WAF) filtering malicious requests before they reach our servers
• Bot management blocking automated abuse and credential stuffing
• Global anycast network for low-latency access from across the Caribbean and beyond
• SSL/TLS certificates managed and renewed automatically

Data Encryption

Data state	Standard	Detail
Data at rest	AES-256	Applied at database and storage layer via MongoDB Atlas
Data in transit	TLS 1.3	All connections between browser and platform, enforced via Cloudflare. TLS 1.0 and 1.1 disabled
Passwords	Bcrypt	User passwords are hashed with bcrypt before storage. Plain text passwords are never stored or logged
Backups	AES-256	Backup snapshots are encrypted using the same standard as live data

Access Controls

Within the platform

• Role-based access control (RBAC) — users are assigned roles with defined permissions. Administrators control who can view, edit, or export records within your organisation
• Session management — authenticated sessions expire automatically after a period of inactivity
• Full audit log — every login, record creation, modification, and deletion is timestamped and attributed to a named user
• Entity isolation — on Enterprise plans, each client organisation is fully isolated. Users in one entity cannot access another entity’s records

Internal access (Assura staff)

• Access to production systems is restricted to authorised personnel only, on a least-privilege basis
• Multi-factor authentication is required for all staff access to infrastructure
• All internal access to production data is logged
• Staff are subject to confidentiality obligations and data protection training

Application Security

• Input validation and output encoding applied throughout the application to prevent injection attacks
• Cross-Site Request Forgery (CSRF) protection on all state-changing operations
• Content Security Policy (CSP) headers enforced to prevent cross-site scripting
• Security headers configured including HSTS, X-Frame-Options, and Referrer-Policy
• Dependencies regularly reviewed and updated to address known vulnerabilities
• Code changes reviewed before deployment to production

Incident Response

We maintain an internal incident response procedure covering detection, containment, investigation, notification, and post-incident review. In the event of a personal data breach affecting your organisation’s data, we will notify you without undue delay and in accordance with our obligations as your data processor under applicable Caribbean data protection law — enabling you to meet your own regulatory notification obligations.

Business Continuity

• Automated daily backups with a 30-day retention window
• High-availability deployment architecture — no single point of failure at the application layer
• Target recovery time objective (RTO): 4 hours
• Target recovery point objective (RPO): 24 hours
• Backup restoration tested periodically

Privacy by Design

Assura is built by a team of data protection professionals. Privacy considerations are embedded in every feature development decision — not added as an afterthought. Data minimisation, purpose limitation, and access restriction are applied as default design principles throughout the platform.

We process only the personal data necessary to provide the platform and do not use client compliance data for any secondary purpose including marketing, profiling, or analytics beyond platform improvement.

Data Processing Agreement

A Data Processing Agreement (DPA) is available to all Assura subscribers, governing our obligations as your data processor. The DPA is available at getassura.app/dpa.html. Enterprise clients may request a customised DPA as part of their engagement.

Security Documentation

Additional security documentation — including our information security policy summary, sub-processor list, and infrastructure security overview — is available on request to subscribers and prospective Enterprise clients.

Responsible Disclosure

If you discover a potential security vulnerability in the Assura platform, we ask that you report it to us responsibly before any public disclosure, giving us reasonable time to investigate and remediate. Please contact us at [email protected] with a description of the issue. We do not operate a formal bug bounty programme at this time but we take all responsible disclosures seriously and will acknowledge your report promptly.