Security and Privacy at Itemize

Security is at the heart of what we do—helping our customers improve their data security and compliance posture starts with our own.

Data Protection

Data at rest

All customer data in datastores, including S3 buckets, is encrypted while at rest. Row-level encryption is also employed for sensitive collections and tables. This ensures that data is encrypted even before it is stored in the database, providing an additional layer of security. Unauthorized physical or logical access to the database is insufficient to read the most sensitive information.

Data in transit

Itemize employs TLS 1.2 or higher to encrypt data transmitted over potentially insecure networks. Additional security measures such as HSTS (HTTP Strict Transport Security) are utilized to enhance the protection of data in transit. The management of server TLS keys and certificates is entrusted to AWS.

Secret management

Encryption keys are managed using the AWS Key Management System (KMS). Key material is stored in Hardware Security Modules (HSMs) to prevent direct access by any individuals, including Amazon and Itemize employees. These keys stored in HSMs are utilized for encryption and decryption through Amazon’s KMS APIs.

Application secrets are encrypted and securely stored via AWS Secrets Manager and Parameter Store, with access strictly restricted to authorized personnel.

Product Security

Penetration testing

Itemize engages a top-tier penetration testing consulting firm to conduct its penetration tests.

These assessments cover all aspects of the Itemize product and cloud infrastructure, and testers are granted full access to source code to maximize their effectiveness and coverage.

Vulnerability scanning

Itemize incorporates vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC):

  • Static analysis (SAST) testing is conducted during pull requests and on an ongoing basis to assess code integrity.
  • Software composition analysis (SCA) is performed to identify known vulnerabilities in our software supply chain.
  • Malicious dependency scanning is employed to prevent the introduction of malware into our software supply chain.
  • Dynamic analysis (DAST) is conducted on running applications.
  • Network vulnerability scanning is performed periodically.
  • External attack surface management (EASM) is continuously executed to identify new external-facing assets.

Data privacy

Privacy Shield

Itemize maintains an active Privacy Shield membership.

Regulatory compliance

Itemize continuously evaluates updates to existing regulatory frameworks and emerging ones, and evolves its privacy program accordingly.

Privacy Policy

View Itemize’s Privacy Policy.

Cookie-less visit tracking