[{"data":1,"prerenderedAt":333},["ShallowReactive",2],{"/legal/security-policy":3},{"id":4,"title":5,"body":6,"description":324,"extension":325,"meta":326,"navigation":330,"path":327,"seo":331,"stem":332},"legal/legal/security-policy.md","Security Policy",{"type":7,"value":8,"toc":297},"minimal",[9,13,23,32,37,40,44,47,50,53,57,60,84,88,91,96,99,109,117,120,128,132,135,142,146,149,163,169,173,177,180,184,187,191,194,198,201,205,208,214,218,221,225,229,232,235,239,242,246,249,253,256,276,280,283,287,290,294],[10,11,12],"p",{},"This policy outlines:",[14,15,16,20],"ol",{},[17,18,19],"li",{},"GalaxyWorks's security practices and resources, and",[17,21,22],{},"Your security obligations.",[10,24,25,26,31],{},"Obligations under this policy (both ours and yours) are incorporated by\nreference into the GalaxyWorks ",[27,28,30],"a",{"href":29},"/legal/terms-of-service","Terms of\nService",".",[33,34,36],"h1",{"id":35},"our-obligations","Our Obligations",[10,38,39],{},"Without limiting any provision of the GalaxyWorks Terms of Service, we will\nimplement reasonable and appropriate measures designed to help you secure Your\nContent against accidental or unlawful loss, access, or disclosure.",[33,41,43],{"id":42},"your-obligations","Your Obligations",[10,45,46],{},"Our documentation may specify restrictions on how the Services may be\nconfigured, or specifications for Galaxy Pro instances such as tools and\nworkflows. You agree to comply with any such restrictions or specifications.",[10,48,49],{},"You are responsible for properly using the Services and taking your own steps to\nmaintain appropriate security, protection, and backup of Your Content, which may\ninclude the use of encryption technology to protect Your Content from\nunauthorized access and routinely archiving Your Content. GalaxyWorks provides\nmany built-in controls for you, as discussed herein. 
You are ultimately\nresponsible for determining whether the security controls applied to your\nServices and data are sufficient for your requirements.",[10,51,52],{},"GalaxyWorks access credentials generated by the Services are for your use only.\nYou may not sell, transfer or sublicense them to any other entity or person.",[33,54,56],{"id":55},"requesting-penetration-testing-authorization","Requesting Penetration Testing Authorization",[10,58,59],{},"You may conduct penetration tests of your Galaxy Pro instance. To do so, please\ncontact us with the following information:",[61,62,63,66,69,72,75,78,81],"ul",{},[17,64,65],{},"Start and end times for the scan window (YYYY-MM-DD HH:SS format)",[17,67,68],{},"Instance(s) to be tested",[17,70,71],{},"Source IPs (and owners of those IPs) for the scan",[17,73,74],{},"Peak bandwidth in Gbps",[17,76,77],{},"Expected peak requests per second",[17,79,80],{},"Whether you or the testing company have an NDA in place with Amazon Web\nServices",[17,82,83],{},"Name, email, and phone for a point of contact for both you and the testing\ncompany",[33,85,87],{"id":86},"reporting-security-vulnerabilities","Reporting Security Vulnerabilities",[10,89,90],{},"If you discover a potential security vulnerability, please see our policy on\nResponsible Disclosure. We strongly prefer that you notify us in private.\nPublicly disclosing a security vulnerability without informing us first puts the\ncommunity at risk. When you notify us of a potential problem, we will work with\nyou to make sure we understand the scope and cause of the issue. Thank you!",[92,93,95],"h2",{"id":94},"_1-data-center-security","1. 
Data Center Security",[10,97,98],{},"GalaxyWorks runs on the Amazon Web Services (AWS) global infrastructure\nplatform.",[10,100,101,102,108],{},"AWS publishes an ",[27,103,107],{"href":104,"rel":105},"https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf",[106],"nofollow","\"Overview of Security Processes\"\nwhitepaper","\nthat serves as the reference material for this section. SOC 2 reports are\navailable directly from AWS upon request.",[110,111,113],{"id":112},"_1a-compliance",[114,115,116],"strong",{},"1.A - Compliance",[10,118,119],{},"AWS computing environments are continuously audited, with certifications from\naccreditation bodies across geographies and verticals, including ISO 27001,\nFedRAMP, DoD CSM, and PCI DSS. Additionally, AWS has assurance programs that\nprovide templates and control mappings to help customers establish the\ncompliance of their environments running on AWS against 20+ standards, including\nthe HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards.",[10,121,122,123],{},"p. 6 - ",[27,124,127],{"href":125,"rel":126},"https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf",[106],"\"Introduction to AWS Security - July\n2015\"",[110,129,131],{"id":130},"_1b-physical-security","1.B - Physical Security",[10,133,134],{},"AWS data centers are housed in nondescript facilities. Physical access is\nstrictly controlled both at the perimeter and at building ingress points by\nprofessional security staff utilizing video surveillance, intrusion detection\nsystems, and other electronic means. Authorized staff must pass two-factor\nauthentication a minimum of two times to access data center floors. All visitors\nand contractors are required to present identification and are signed in and\ncontinually escorted by authorized staff.",[10,136,137,138],{},"p. 
5 - ",[27,139,141],{"href":104,"rel":140},[106],"\"Amazon Web Services: Overview of Security Processes - May\n2017\"",[110,143,145],{"id":144},"_1c-environmental-security","1.C - Environmental Security",[10,147,148],{},"AWS data center environmental controls include:",[61,150,151,154,157,160],{},[17,152,153],{},"Fire detection and suppression systems",[17,155,156],{},"Redundant power systems, backed by Uninterruptible Power Supply units and\ngenerators",[17,158,159],{},"Climate and temperature controls",[17,161,162],{},"Active system monitoring",[10,164,165,166],{},"pp. 5-8 - ",[27,167,141],{"href":104,"rel":168},[106],[92,170,172],{"id":171},"_2-galaxy-pro-network-security","2. Galaxy Pro Network Security",[110,174,176],{"id":175},"_2a-secure-architecture","2.A - Secure Architecture",[10,178,179],{},"GalaxyWorks’ Galaxy Pro installations run in separate AWS accounts in dedicated\nVirtual Private Clouds (VPCs). Each installation runs an isolated network.",[110,181,183],{"id":182},"_2b-firewalls","2.B - Firewalls",[10,185,186],{},"All public-facing Galaxy Pro virtual machine instances use inbound Security\nGroup rules configured in deny-all mode. Ports are opened as necessary for:\nGalaxy Pro HTTP/S access and administrative SSH access.",[110,188,190],{"id":189},"_2c-network-access","2.C - Network Access",[10,192,193],{},"Access to Galaxy Pro instances exclusively uses encrypted communication,\nbased on TLS/SSL and SSH. All ingress or egress data is encrypted in transit\nusing those protocols.",[110,195,197],{"id":196},"_2d-port-scanning","2.D - Port Scanning",[10,199,200],{},"AWS monitors and stops unauthorized port scanning.",[110,202,204],{"id":203},"_2e-spoofing-sniffing","2.E - Spoofing & Sniffing",[10,206,207],{},"The AWS network prohibits a host from sending traffic with a source IP or MAC\naddress other than its own. 
The AWS hypervisor will also not deliver any traffic\nto a host the traffic is not addressed to, meaning even an instance running in\npromiscuous mode will not receive or be able to \"sniff\" traffic intended for\nother hosts.",[10,209,210,211],{},"p. 13 - ",[27,212,141],{"href":104,"rel":213},[106],[110,215,217],{"id":216},"_2f-network-and-host-vulnerability-scanning","2.F - Network and Host Vulnerability Scanning",[10,219,220],{},"GalaxyWorks is responsible for network and host security, and remediates adverse\nfindings without customer intervention. However, you may request a scan of your\ndedicated VPC and its hosts as needed for your own security assessments and\naudits.",[92,222,224],{"id":223},"_3-galaxy-pro-platform-security","3. Galaxy Pro Platform Security",[110,226,228],{"id":227},"_3a-configuration-and-change-management","3.A - Configuration and Change Management",[10,230,231],{},"For every Galaxy Pro configuration change, our platform performs a health check\non the container set before promoting it to the current release. If the health\ncheck fails, the container set is not promoted. Either way, the deployments have\nzero downtime.",[10,233,234],{},"For any deployment, we may roll back to a previous codebase in the event of an\nerror.",[110,236,238],{"id":237},"_3b-isolation","3.B - Isolation",[10,240,241],{},"Dedicated Galaxy Pro instances are deployed on AWS VPC-based dedicated stacks,\nisolated at the customer level. 
The VPC, network, underlying instances, and AWS\nvirtual infrastructure for your dedicated stack are not shared with any other\ntenant.",[110,243,245],{"id":244},"_3c-logging-and-monitoring","3.C - Logging and Monitoring",[10,247,248],{},"Our Galaxy Pro platform monitors performance indicators such as disk, memory,\nand compute, and automatically resolves issues with them on your behalf.",[110,250,252],{"id":251},"_3d-host-hardening","3.D - Host Hardening",[10,254,255],{},"Galaxy Pro host operating systems are based on an official AWS Ubuntu LTS image.\nFor the operating system:",[61,257,258,261,264,267,270,273],{},[17,259,260],{},"Operating systems are configured only via automated configuration\nmanagement. Services installed can be enumerated upon request.",[17,262,263],{},"Host password logins are disabled. SSH root keys are not permitted.",[17,265,266],{},"No user SSH keys are permitted on hosts by default. Only GalaxyWorks\ninternal workforce user access is configured, and it is used only when\nnecessary to provide customer support.",[17,268,269],{},"Swap is disabled to avoid writing in-memory secrets to unencrypted volumes.",[17,271,272],{},"Password-based services (such as PostgreSQL) are provisioned only with\nunique, per-resource, GalaxyWorks-generated passphrases. No default\npasswords are permitted.",[17,274,275],{},"All host ports are opened only via whitelist.",[110,277,279],{"id":278},"_3e-databases","3.E - Databases",[10,281,282],{},"Databases run in the database layer of your instance, accessible only from the\nGalaxy Pro instance. Disk volumes backing databases are encrypted at the\nfilesystem level using AWS-managed encryption.",[110,284,286],{"id":285},"_3f-your-data","3.F - Your Data",[10,288,289],{},"All data you upload or generate as a result of running jobs is stored on a\ndedicated disk attached only to that instance of Galaxy Pro. 
The disk is\nencrypted at the filesystem level using AWS-managed encryption.",[92,291,293],{"id":292},"_4-galaxyworks-internal-security","4 - GalaxyWorks Internal Security",[10,295,296],{},"We do not access or use Your Content for any purpose other than for developing\nand operating the Services and as required by law. As a routine matter,\nGalaxyWorks workforce members do not require access to data processed by your\nGalaxy Pro instances, such as data stored in your databases or on disk.\nGalaxyWorks workforce members are granted access to customer environments only\nwhen a specific business need arises.",{"title":298,"searchDepth":299,"depth":299,"links":300},"",2,[301,307,315,323],{"id":94,"depth":299,"text":95,"children":302},[303,305,306],{"id":112,"depth":304,"text":116},3,{"id":130,"depth":304,"text":131},{"id":144,"depth":304,"text":145},{"id":171,"depth":299,"text":172,"children":308},[309,310,311,312,313,314],{"id":175,"depth":304,"text":176},{"id":182,"depth":304,"text":183},{"id":189,"depth":304,"text":190},{"id":196,"depth":304,"text":197},{"id":203,"depth":304,"text":204},{"id":216,"depth":304,"text":217},{"id":223,"depth":299,"text":224,"children":316},[317,318,319,320,321,322],{"id":227,"depth":304,"text":228},{"id":237,"depth":304,"text":238},{"id":244,"depth":304,"text":245},{"id":251,"depth":304,"text":252},{"id":278,"depth":304,"text":279},{"id":285,"depth":304,"text":286},{"id":292,"depth":299,"text":293},"Practices and obligations governing use of Services.","md",{"slug":327,"date":328,"kind":329},"/legal/security-policy","2021-03-23","legal",true,{"title":5,"description":324},"legal/security-policy",1770463351750]