Data Security is Paramount to Good Data Stewardship: How We Protect Data at Archipelago

Roger Bodamer

Co-Founder, CTO & COO, Archipelago

Protecting your Data: View from the CTO

As an enterprise software company entrusted with storing and managing customer data, we consider data security of utmost importance. To help you formulate your data security practices, I’ll share what we do at Archipelago to keep our data secure—in many cases, we significantly go above and beyond current data security norms.

Platform Architecture

We put a lot of thought into the design of our platform as we knew we’d have to store sensitive customer data. At the architecture level, we made sure we did everything we could to keep data secure. To minimize legal exposure as much as possible, we store only the required information on the platform, and nothing more.

This philosophy includes PII (Personally Identifiable Information). While the definitions of and regulations around PII are still evolving, our platform is designed to be compliant and up-to-date with the various privacy regulation standards.

We’re also in the process of becoming SOC-2 compliant. A nice side benefit of SOC-2 is that it simplifies the vendor risk assessment for large enterprise prospects. Having said that, we have already passed security audits and questionnaires from our customers, some of which are the largest companies in our industry.

How We Designed a Secure System for Sharing SOVs

The current industry practice during the placement process entails SOVs (spreadsheets with portfolio information) being shared with the market. More often than not, these SOVs are shared via email. These files can be so large that Gmail automatically turns them into Google Drive files. On other email clients, a Dropbox or Box folder might be required for sharing. This means these files are now in a folder with default settings, which could be anything, including open to the public.

Also, after the file is sent, the sender has essentially lost any control of that file. The recipient can forward the spreadsheet to others or edit it without any audit trail. Lastly, there’s no way for the original sender to see who has opened the file, nor who has access to it.

We’ve eliminated both of these problems on Archipelago’s platform. By creating a closed and secure system within our upload portal, the sender shares their information directly with our platform, eliminating any middleman and potential unwanted exposure.

Once the portfolio is shared on the platform, SOVs are no longer forwarded but, rather, permissioned for the platform's intended recipient. Access requires an account, so the sender can see who's accessed the shared stream.

This puts the control back into the hands of the customer and creates an accountability trail; a marked improvement over the current industry mechanisms.

General Platform Security Principles

The Archipelago platform is natively built in the cloud with Amazon Web Services (AWS). AWS itself uses a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.

We put a lot of effort into both physical and environmental security to protect the service against unauthorized access, use and modification. We encrypt data (including backups) in transit and at rest. As well, communication between the user and the platform is encrypted. Databases can only be accessed using authorized services, and in turn, these authorized services can only be accessed by authorized clients over the internet.

User Security

Our platform is a web application, which connects a browser to our application tier. We use state-of-the-art challenge/response authentication. This means that the user needs to have access to the corporate email address they used during sign-up. Our authentication is built using Auth0, an incredibly robust framework and standard that prevents bad actors from gaining access and monitors access to detect anomalies.

Personnel / Employee Security

Production access is limited to a small subset of employees, all of whom have been trained in our security processes and have passed a background check. Any changes to the platform require a 2-step sign-off, publish, and approval process.

Security Incident Response

Archipelago maintains an incident response plan designed to establish a reasonable and consistent response to security incidents, and suspected security incidents involving the accidental or unlawful destruction, loss, theft, alteration, unauthorized disclosure of, or access to proprietary data or personal data transmitted, stored, or otherwise processed by Archipelago.

For More Information

We have a standard security page with more details here.

Of course, there's a lot more to security than what fits on this page. If you have any questions or feedback, please don’t hesitate to reach out to me: roger at onarchipelago.com. Thanks for reading!

About the author

Roger Bodamer is the Chief Technology Officer and COO of Archipelago. Previously, he was the Founder/CEO of Upthere, EVP of Product at MongoDB, and VP at Apple Computer.
