This document contains summary information on Robot Morning's development, security, and compliance practices. Reach out to your account contact if you require more detailed information.
Our Development Practices
Source Code Management
Robot Morning uses Git as our source code management tool. We retain a full history of all code changes for the life of all of our products.
Code Change Management
Robot Morning implements Gitflow as part of our code change management. We enhance Gitflow by implementing code quality and functionality reviews that are governed by credential- and role-based controls. These controls are robust enough to examine code changes and require approvals from multiple groups based on the type of change. Groups can include Product, Integration, Support, and Security.
Robot Morning has an internally-developed code style reference that we refer to as The Bible. The Bible contains coding patterns, common algorithms, language-specific best practices, and formatting.
A demonstrative excerpt from The Bible pertaining to development of APIs before clients or UI that will consume the API:
- APIs must be developed and tested before development of consuming client code.
- API testing must be performed using utilities that are not part of the consuming client code (e.g. Postman or similar apps).
- If development of API and Client is split among developers, API developers must complete and test each API before turning it over to the client developer(s).
Our Security Practices
Data Storage for Cloud Services
Wherever possible, Robot Morning's software does not store customer-owned data in cloud services. For example, AXON retains customer-provided data in volatile memory only for the life of an AXON transaction.
Where Robot Morning must store customer-provided data in cloud services, we segregate the data for each customer on distinct infrastructure. For example, data from two customers will never be in the same database or schema instance. We never mix data from customers.
In-Flight Encryption and Signing
All network-based communication used by Robot Morning's software is encrypted in flight at the strongest level supported by the systems involved in the communication.
Where our software is communicating with third-party software, our software always meets the maximum encryption supported by the third-party software.
Where our software is communicating with our software, the communication is always encrypted and signed using TLS v1.2 + HMAC-SHA1 with customer- and application-specific public/private keys. All communication is nonced to prevent replay attacks.
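The following sketch shows how an HMAC-SHA1 tag and a nonce combine to reject tampered and replayed messages. It is an added example, not Robot Morning's code. It assumes a shared secret key per customer and application; the envelope field names (`nonce`, `ts`, `body`, `mac`) and the `MAX_SKEW` window are hypothetical, and the TLS transport is not shown.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # assumed: seconds a signed message remains acceptable


def _tag(key, env):
    # Canonical JSON so sender and receiver MAC exactly the same bytes.
    fields = {k: env[k] for k in ("nonce", "ts", "body")}
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def sign(key, body, now=None):
    """Wrap body in an envelope with a fresh nonce, a timestamp and a MAC."""
    env = {"nonce": secrets.token_hex(16),
           "ts": int(time.time() if now is None else now),
           "body": body}
    env["mac"] = _tag(key, env)
    return env


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only inside the skew window

    def accept(self, env, now=None):
        now = time.time() if now is None else now
        try:
            # Authenticate first; constant-time compare avoids a timing oracle.
            if not hmac.compare_digest(_tag(self.key, env), env["mac"]):
                return "bad-mac"
            if abs(now - env["ts"]) > MAX_SKEW:
                return "stale"
        except (KeyError, TypeError):
            return "malformed"
        # Forget nonces old enough that the timestamp check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if env["nonce"] in self.seen:
            return "replay"
        self.seen[env["nonce"]] = env["ts"]
        return "ok"
```

The timestamp bounds how long nonces must be remembered: once a message is older than `MAX_SKEW` it is rejected as stale, so its nonce can be dropped from the cache.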
Data stored by Robot Morning is encrypted at rest using the best encryption method supported by the platform. Where possible, this will mean hardware-level encryption followed by OS-level encryption followed by application-level encryption.
Robot Morning uses a database abstraction layer in our code that implements best practices to limit query greed, prevent SQL-injection attacks, and control data types. We limit the use of direct database queries (i.e. raw SQL). Where direct database queries are required in our software, we adhere to the principle of limited query greed and parameterized queries.
When Robot Morning's software must store a password, it does so using a one-way hash with a salt.
Our Compliance Practices
Robot Morning expects to achieve ISO 27001 certification by June 2021.
Robot Morning implements controls and policies including but not limited to the following:
- Acceptable Use Policy
- Access Rights Review
- Business Impact Analysis
- Change Management
- Data Retention Policy
- Disaster Recovery
- Electronic Communication Policy
- Information Security Incident Procedure
- Information Security Training
- Media Disposal
- Password Policy
- Risk Assessment
- Security Control Review
- Software Development Lifecycle
- System Application Network Access
- System Oversubscription Plan
- Virtual Machine Change Management
Robot Morning is compliant with NIST SP 800-171.
Robot Morning is compliant with ITAR, including restricting the release or transfer of export-controlled data to Foreign Persons as defined in eCFR §120.16.
Robot Morning uses only cloud services that are certified FedRAMP High.