Ambassador Security

Security Compliance

Ambassador uses industry standard practices to comply with industry-accepted general security and privacy frameworks, helping our customers meet their compliance standards. Ambassador implements security measures and maintains policies and procedures to comply with required data security standards. We continue to reassess and evaluate our security, and through our continuous improvement program, we are constantly improving our information security.

Standards and Certifications

Ambassador is SOC 2 Type II and PCI certified. As a SaaS company, Ambassador works tirelessly to meet the ideal security standards to protect our customers from security vulnerabilities. Ambassador undergoes routine audits to receive updated SOC 2 Type II reports to maintain our certification.

Vulnerability Management Program

Ambassador takes data security very seriously. In addition to our periodic third-party penetration tests, Ambassador uses a dynamic suite of vulnerability detection and mitigation tools to resolve new vulnerabilities quickly and efficiently.

Penetration Testing Program

Ambassador engages with external market-leading security consulting firms to perform penetration testing annually on our product lines as well as our infrastructure. Our security and development teams work with our penetration testing partner to review all findings and develop a plan to remediate them. We perform follow-up testing to ensure the effectiveness of the remediation activities and offer summary reporting to our clients upon request.

Data Encryption

All communications with Ambassador are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Ambassador is secure during transit. The data is then encrypted at rest in AWS using AES-256 key encryption. Only a select few people have access to the database and the KMS for maintenance purposes and, of course, are bound by extreme legal and security safeguards (such as confidentiality and non-disclosure provisions, permission management, etc.).

Security Monitoring and Accessibility

Ambassador uses multiple monitoring tools over networks, systems, and applications to detect and to block malicious traffic and network attacks and ensure ongoing health and performance, availability, and capacity. Our Security Incident Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM alerts on triggers that notify the security team based on correlated events for investigation and response.

Ambassador has two-factor authentication for all customer accounts, and customers that require single sign-on (“SSO”) may do so (additional fees could apply based on the client’s subscription).

SSO packages that Ambassador currently supports include:

Okta
Microsoft 365
Google Workspace

Incident Response

Ambassador employs a comprehensive incident response plan, including a set of response playbooks and defined roles and responsibilities of everyone involved, and incorporates follow-up activities after the incident to ensure we learn from our past.

Security Monitoring and Accessibility img

For security questions, you may contact your customer success manager or email security@getambassador.com

Ambassador’s data centers are hosted with Amazon Web Services data centers in the state of Virginia in the United States. Data backups are also preserved in a US-based distributed database in Google Cloud.

Ambassador uses Amazon Web Services Relational Database Service for backups with multiple availability zones. Each Availability Zone has its own power, cooling, and network connectivity and thus forms an isolated failure domain. Additional backups are made to a Google Cloud environment that distributes multiple copies of data across the US, mitigating the already rare possibility of a complete loss of data in AWS.

Your customer success team can help you obtain access to Ambassador’s online Security and Compliance Kit. There you will be able to access Ambassador’s security resources.

Ambassador does permit certain customers (e.g. Enterprise customers) the ability to perform audits beyond an inspection of the reports, questionnaires, and other artifacts available in the kit.

Yes. Ambassador maintains a comprehensive set of security policies and procedures in accordance with SOC 2 Type II and PCI security frameworks.

Due to the sensitive nature of the material contained in the report, and the copyright requirements of the assessing firm, we can only share our SOC 2 report with eligible customers. An MNDA must be executed before the report can be viewed. For more information, please contact your sales representative or our customer success team.

Yes. Ambassador maintains a Disaster Recovery and Business Continuity plan that supports a robust business continuity strategy for the production services and platforms.

Yes. Ambassador can provide copies of our security policies to customers upon written request. Please note that a mutual non-disclosure agreement must be signed and in place in order to receive requested policies.

Yes. Ambassador can provide copies of our penetration tests and vulnerability scan reports to eligible customers (e.g. Enterprise) upon written request. Please note that a mutual non-disclosure agreement must be signed and in place in order to receive the requested penetration testing report.

Ambassador does permit eligible customers to perform penetration testing on our services. Ambassador operates a comprehensive penetration testing program. Ambassador’s penetration testing executive summary reports are available through your sales representative or the customer success team.

Ambassador provides all clients with access to our support teams, which are available to assist in handling urgent matters.

Ambassador will notify affected customers about a breach of security compromising customers' data. Additionally, customers are able to subscribe to service updates at status.getambassador.com to learn about general service availability, maintenance operations, or general security issues.