Security and Privacy at Itemize
Security is at the heart of what we do—helping our customers improve their data security and compliance posture starts with our own.
Data Protection
Data at rest
All customer data in datastores, including S3 buckets, is encrypted while at rest. Row-level encryption is also employed for sensitive collections and tables. This ensures that data is encrypted even before it is stored in the database, providing an additional layer of security. Unauthorized physical or logical access to the database is insufficient to read the most sensitive information.
Data in transit
Itemize employs TLS 1.2 or higher to encrypt data transmitted over potentially insecure networks. Additional security measures such as HSTS (HTTP Strict Transport Security) are utilized to enhance the protection of data in transit. The management of server TLS keys and certificates is entrusted to AWS.
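The two controls in the paragraph above, as an added example (not Itemize's code; the page says TLS keys and certificates are managed by AWS, so in their deployment the minimum protocol version would be set on the AWS load balancer rather than in application code). The block shows a Go server configuration that refuses anything below TLS 1.2 and an HTTP middleware that sets HSTS only on HTTPS responses and redirects plain HTTP. The hostnames, the `X-Forwarded-Proto` handling for a TLS-terminating load balancer, and the certificate file names are assumptions for illustration:

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// ServerTLSConfig refuses anything below TLS 1.2 at the handshake, so a client
// that only offers TLS 1.0/1.1 cannot negotiate a weaker session.
func ServerTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// HSTSValue: one year, applied to subdomains. The 'preload' token is left out
// until the domain has actually been submitted to the preload list.
const HSTSValue = "max-age=31536000; includeSubDomains"

// isHTTPS reports whether the request arrived over TLS. When TLS is terminated
// at a load balancer (the AWS case), r.TLS is nil and the balancer's
// X-Forwarded-Proto header is the only signal; trust it only when the
// application is reachable exclusively through that balancer (assumption).
func isHTTPS(r *http.Request) bool {
	return r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
}

// WithHSTS sets Strict-Transport-Security on HTTPS responses and redirects
// plain-HTTP requests to HTTPS. RFC 6797 tells browsers to ignore the header
// when it arrives over plain HTTP, so setting it there would be useless; the
// redirect is what gets the client to the TLS endpoint where the policy sticks.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isHTTPS(r) {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", HSTSValue)
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	srv := &http.Server{
		Addr:      ":8443",
		Handler:   WithHSTS(mux),
		TLSConfig: ServerTLSConfig(),
	}
	// cert.pem / key.pem are placeholder paths for a locally issued certificate.
	if err := srv.ListenAndServeTLS("cert.pem", "key.pem"); err != nil {
		fmt.Println(err)
	}
}
```

A quick external check of the same properties is `openssl s_client -connect host:443 -tls1_1`, which should fail the handshake, and `curl -sI https://host/` which should show the `Strict-Transport-Security` header while `curl -sI http://host/` shows a 301 to the HTTPS URL and no HSTS header.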
Secret management
Encryption keys are managed using the AWS Key Management Service (KMS). Key material is stored in Hardware Security Modules (HSMs) and never leaves them, which prevents direct access by any individual, including Amazon and Itemize employees. Encryption and decryption with these keys is performed through Amazon's KMS APIs; callers receive ciphertext or plaintext, never the key itself.
Application secrets are encrypted and securely stored via AWS Secrets Manager and Parameter Store, with access strictly restricted to authorized personnel.
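The row-level encryption described under "Data at rest" and the KMS-backed keys described above fit together as envelope encryption: a fresh data key per sensitive value, used once and then discarded, wrapped under a master key that only the key service can unwrap. The block below is an added example, not Itemize's code. Because the real master key never leaves KMS's HSMs and `GenerateDataKey`/`Decrypt` are network API calls, the example stands in a local random 256-bit key behind the same two operations so it runs offline; the `KeyService` type, the table and column names in the encryption context, and the sample card number are all assumptions for illustration:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for AWS KMS. In production the master key lives in KMS's
// HSMs and GenerateDataKey/Decrypt are API calls; here the master key is a local
// random key so the example runs offline (an assumption for illustration).
type KeyService struct{ master []byte }

func NewKeyService() (*KeyService, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyService{master: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce and returns
// nonce||ciphertext. aad is authenticated but not encrypted; it plays the role
// of the KMS encryption context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh per-row data key, returned
// both in plaintext (used once, then zeroed) and wrapped under the master key.
func (ks *KeyService) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	if wrapped, err = seal(ks.master, plain, ctx); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Decrypt mirrors KMS Decrypt: unwrap a data key, only if the context matches.
func (ks *KeyService) Decrypt(wrapped, ctx []byte) ([]byte, error) {
	return open(ks.master, wrapped, ctx)
}

// Row is what the datastore actually holds for a sensitive column: no plaintext,
// and a data key that only the key service can unwrap.
type Row struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// encryptionContext binds data key and ciphertext to this table, column and row,
// so a ciphertext copied into another row cannot be decrypted there.
func encryptionContext(id string) []byte {
	return []byte("table=customers,column=card_number,id=" + id)
}

// EncryptRow performs envelope encryption of one value before it is stored.
func EncryptRow(ks *KeyService, id string, secret []byte) (Row, error) {
	ctx := encryptionContext(id)
	dek, wrapped, err := ks.GenerateDataKey(ctx)
	if err != nil {
		return Row{}, err
	}
	ct, err := seal(dek, secret, ctx)
	for i := range dek { // the plaintext data key is not kept anywhere
		dek[i] = 0
	}
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRow is the only path back to plaintext, and it needs the key service.
func DecryptRow(ks *KeyService, r Row) ([]byte, error) {
	ctx := encryptionContext(r.ID)
	dek, err := ks.Decrypt(r.WrappedDEK, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, ctx)
}

func main() {
	ks, _ := NewKeyService()
	row, _ := EncryptRow(ks, "42", []byte("4111-1111-1111-1111")) // constructed sample value
	fmt.Printf("stored: id=%s wrappedDEK=%x ciphertext=%x\n", row.ID, row.WrappedDEK, row.Ciphertext)
	pt, _ := DecryptRow(ks, row)
	fmt.Printf("decrypted: %s\n", pt)
	if _, err := DecryptRow(&KeyService{master: make([]byte, 32)}, row); err != nil {
		fmt.Println("with database access but no master key:", err)
	}
}
```

The point the "Data at rest" paragraph makes is visible in the last call: a copy of the row (or the whole database) without access to the key service yields only an authentication failure, and moving a ciphertext to a different row changes the encryption context and fails the same way. With real KMS, the IAM policy on the key then decides which principals may call Decrypt, and CloudTrail records every call.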
Product Security
Penetration testing
Itemize collaborates with a top-tier penetration testing consulting firm to conduct testing.
These assessments encompass all aspects of the Itemize product and cloud infrastructure, with full access to source code granted to testers to maximize their effectiveness and coverage.
Vulnerability scanning
Itemize incorporates vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC):
- Static analysis (SAST) is run on every pull request and on a recurring schedule to find vulnerabilities in our own code.
- Software composition analysis (SCA) is performed to identify known vulnerabilities in our software supply chain.
- Malicious dependency scanning is employed to prevent the introduction of malware into our software supply chain.
- Dynamic analysis (DAST) is conducted on running applications.
- Network vulnerability scanning is performed periodically.
- External attack surface management (EASM) is continuously executed to identify new external-facing assets.
Data privacy
Privacy Shield
Itemize maintains an active Privacy Shield membership.
Regulatory compliance
Itemize evaluates updates to regulatory and emerging frameworks continuously to evolve our program.
Privacy Policy
View Itemize’s Privacy Policy.