Platform Security

Infrastructure Security

Modzy was built to be installed and run on on-premises or air-gapped infrastructure to meet the most stringent security and compliance requirements. Alternatively, get started quickly in your cloud infrastructure (AWS, Azure) with our pre-made Terraform Templates, built to comply with the moderate-level controls found within the latest NIST 800-53 revision. Because Modzy is installed on your infrastructure and within your network boundary, many of the controls are inherited from your organization's information security and privacy policies and procedures.

Application Security

Encryption In Transit

All traffic coming into Modzy is encrypted using TLS 1.2 or higher. Each customer is able to use their own domain and a TLS certificate issued by their preferred Certificate Authority.

Encryption At Rest

Modzy encourages the use of encrypted volumes, object stores, and databases. Our Terraform Templates set up encryption at rest by default for all data storage locations. Sensitive data submitted to Modzy is just-in-time encrypted before storage and can only be decrypted by the services that require the ability to read it. This ensures that even if your encrypted storage is accessed without authorization, your data will remain safe.

Authentication and Role-Based Access Control

• All access to the Modzy user interface and APIs is governed by role-based access control
• Single sign-on (SSO) compatibility is available for accessing Modzy's user interface
• User interface access integrates with your existing SAML 2.0-based SSO identity provider

API Key Security

Programmatic access to the Modzy API uses a Modzy-issued API Key. All Modzy-issued API Keys are assigned to a person for auditing and accountability. Modzy-issued API Keys are viewable in their full plaintext form exactly once, on issue; afterward, half the key is permanently one-way encrypted to prevent future access. The unencrypted portion of the key is used to identify which key was used to perform every action against the Modzy API.
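
One way to build the split-key scheme described above, as an added example that is not Modzy's code. The `id.secret` key format, the SHA-256 digest standing in for "one-way encrypted", and the in-memory store and audit list are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Illustrative in-memory stand-ins for a database table and an audit log.
KEY_STORE = {}   # key_id -> {"owner": str, "secret_digest": bytes}
AUDIT_LOG = []   # one entry per API call, identified by key_id only


def _digest(secret: str) -> bytes:
    # Unsalted SHA-256 is adequate only because the secret is 192 random bits;
    # a human-chosen password would need a slow, salted KDF instead.
    return hashlib.sha256(secret.encode()).digest()


def issue_key(owner: str) -> str:
    """Create a key for `owner`; the returned string is the only plaintext copy."""
    key_id = secrets.token_urlsafe(12)   # stored in clear, identifies the key
    secret = secrets.token_urlsafe(24)   # never stored, only its digest
    KEY_STORE[key_id] = {"owner": owner, "secret_digest": _digest(secret)}
    return f"{key_id}.{secret}"          # '.' is not in the urlsafe alphabet


def authenticate(api_key: str, action: str):
    """Return the key's owner if the key is valid, else None; always audit."""
    key_id, _, secret = api_key.partition(".")
    record = KEY_STORE.get(key_id)
    # Compare against a dummy digest for unknown ids so both paths do the same work.
    expected = record["secret_digest"] if record else bytes(32)
    allowed = hmac.compare_digest(_digest(secret), expected) and record is not None
    AUDIT_LOG.append({
        "key_id": key_id[:16],           # bounded: this field is caller-supplied
        "owner": record["owner"] if record else None,
        "action": action,
        "allowed": allowed,
    })
    return record["owner"] if allowed else None


if __name__ == "__main__":
    key = issue_key("alice@example.com")             # constructed sample owner
    print(authenticate(key, "GET /models"))          # valid key
    print(authenticate(key[:-1] + "!", "GET /models"))  # wrong secret half
    print(AUDIT_LOG)
```

Because only the digest of the secret half is kept, a copy of the key table does not yield usable keys, while the clear identifier still ties every audit entry to a named owner.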

Logging and Auditing

All Modzy API activity is logged and auditable by users with the appropriate role-based access control.

Software Security

All Modzy software source code is US-based and is delivered via OCI-compliant containers that are verified to be free of Critical and High CVEs.