Our Security Practices
optimyze.cloud Inc takes information security very seriously. Protecting our customers from compromise and disclosure of confidential data is ‘job zero’; it factors as the first consideration into everything we do. Our founders are award-winning experts in the security space and their experience informs our architectural decisions.
Continue reading below to learn more about our security practices and policies.
The best data protection is not having the data
The single most important thing that any company can do to minimize the risk of disclosure of confidential data to unauthorized third parties is not having the data in the first place.
We take this as a guiding principle: Avoid collection of data that could potentially be related to PII. This means focusing strictly on data directly relevant to performance analysis and application control flow.
No remote access to client systems, write-only agents
Our profiling agent is intentionally designed in a way that prevents any third party (including us) from accessing systems on which it runs. Its functionality is limited to collecting profiling data and sending this data out; there is (intentionally) no update functionality or other mechanism through which a system could be compromised remotely via our agent.
Transparency to our users with regard to data collection
Our users deserve to know precisely what data we are collecting. We make this available on request as a detailed document, listing precisely every piece of data we can collect, and source code for the RPC interfaces to which the profiling agent talks.
Memory-safe languages
We use memory-safe languages wherever possible. The profiling agent consists exclusively of Go and eBPF code (with the exception of a few lines of C code for x86 disassembly); we carefully screen any third-party dependencies to minimize the attack surface.
Token-based Two-factor authentication everywhere
We use two-factor authentication using YubiKeys for all employees. Reading company email, accessing production systems, access to GitHub etc. all require the use of 2FA via YubiKeys.
Encryption at Rest via AWS
We rely on AWS to provide encryption-at-rest to our backend services.
Encryption in Transit
We use TLS everywhere for traffic integrity and confidentiality.
Transparency for security reviews of the profiling agent
Nothing builds trust like transparency. We therefore make the source code of the profiling agent available on request (under NDA and with the specific purpose of security review).
Third-party certification
SOC2 is increasingly becoming an industry standard for SaaS companies; we are currently in the process of obtaining SOC2 Type 2 certification for our practices and infrastructure.