AUTUMN SECURITY GUIDE

The security of your data is at the crux of everything we do. We want our customers to have peace of mind, assured that their personal data is in good hands. To this end, we have put in place processes and systems to ensure that your data is safeguarded with best-in-class security standards.

1. Data Security

Encrypting customer data and other critical data with military-grade encryption, both in transit and at rest, is a key priority. We use AES-256 for encryption of data at rest and TLS 1.2 for encryption of data in transit.

If you have an Autumn account, your data is stored on secured cloud servers. Your data is owned by you – we do not share this data with any third-party without your consent.

We store your data only as long as you maintain an Autumn account. Should you choose to delete your Autumn account, your data will be deleted from the active database immediately.

We retain only the data necessary for audit purposes, and only for 5 years, as required by Singapore regulations.

2. Design Security

Autumn developers comply with coding guidelines based on ISO/IEC 27001 standards and periodically review code changes for potential security issues.

Autumn implements secure coding practices at different levels of the development life cycle.

Autumn has adopted the OWASP Application Security Verification Standard (ASVS) and the OWASP Mobile Application Security Verification Standard (MASVS), which are widely accepted by the tech community and set a very high bar for code quality.

3. Identity and Access

Autumn uses Multi-factor Authentication (MFA) to further secure your account. MFA adds an additional layer to the authentication process and makes it very hard for attackers to gain access to your account.

MFA greatly reduces the risk of unauthorised access even if a user's password is compromised. You can configure MFA while registering for an Autumn account. Currently, biometric modes (Touch ID or Face ID) and time-based one-time passwords (TOTP) are supported.

4. Organisational Security

Autumn employees are held to the strictest standards of integrity. They are also required to undergo training in information security, privacy, and compliance to maintain the highest levels of awareness and adherence to security practices within the company.

Technical access controls are in place to prohibit employees from accessing user data. Principles of least privilege and role-based permissions are implemented to minimise the risk of data exposure.

Furthermore, such access is available only through a separate network with stricter rules and hardened devices.

5. Compliance & Certifications

Autumn’s internal workstations and other infrastructure components follow strict hardening practices and comply with the Center for Internet Security (CIS) Top 20 Critical Security Controls (CIS20), a prioritised set of best practices to safeguard against online threats.

CIS20 was developed by leading security experts from around the world and is refined and validated every year.

Autumn is on track to obtain ISO/IEC 27001 and ISO/IEC 27017 certifications. These internationally accepted security standards cover the systems, applications, people, technology, policies, procedures and data centres serving customers.

6. Infrastructure/Network Security

Autumn’s network security and monitoring techniques are designed to provide multiple layers of protection and defence. Firewalls protect our network from unauthorised access and undesirable traffic.

All crucial parameters are continuously monitored using our Security Information and Event Management (SIEM) toolset, and notifications are triggered whenever abnormal or suspicious activity is detected in our production environment.

Distributed Denial-of-Service (DDoS) prevention

A ‘Denial-of-service’ or ‘Distributed Denial-of-service’ attack occurs when bad actors flood a network with unwanted connections to overwhelm it and trigger a crash.

Autumn uses multiple technologies and works with major trusted service providers to identify such connections, circumvent such threats, and provide protection to legitimate users.

This site or product includes IP2Location LITE data available from https://lite.ip2location.com

At Autumn, we work hard to deserve the trust that our customers place in us. We respect your right to privacy and will continue to treat your data with the highest levels of security, as we always have.