GalaxyWorks Legal Portal

Last updated: March, 2021

Security Policy

Practices and obligations governing use of Services.

This policy outlines:

  1. GalaxyWorks's security practices and resources, and
  2. Your security obligations.

Obligations under this policy (both ours and yours) are incorporated by reference into the GalaxyWorks Terms of Service.

Our Obligations

Without limiting any provision of the GalaxyWorks Terms of Service, we will implement reasonable and appropriate measures designed to help you secure Your Content against accidental or unlawful loss, access, or disclosure.

Your Obligations

Our documentation may specify restrictions on how the Services may be configured, or specifications for Galaxy Pro instances such as tools and workflows. You agree to comply with any such restrictions or specifications.

You are responsible for properly using the Services and taking your own steps to maintain appropriate security, protection, and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routinely archiving Your Content. GalaxyWorks provides many built-in controls for you, as discussed herein. You are ultimately responsible for determining whether the security controls applied to your Services and data are sufficient for your requirements.

GalaxyWorks access credentials generated by the Services are for your use only. You may not sell, transfer or sublicense them to any other entity or person.

Requesting Penetration Testing Authorization

You may conduct penetration tests of your Galaxy Pro instance. To do so, please contact us with the following information:

  • Start and end times for the scan window (YYYY-MM-DD HH:SS format)
  • Instance(s) to be tested
  • Source IPs (and owners of those IPs) for the scan
  • Peak bandwidth in Gbps
  • Expected peak requests per second
  • Whether you or the testing company have an NDA in place with Amazon Web Services
  • Name, email, and phone for a point of contact for both you and the testing company

Reporting Security Vulnerabilities

If you discover a potential security vulnerability, please see our policy on Responsible Disclosure. We strongly prefer that you notify us in private. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to make sure we understand the scope and cause of the issue. Thank you!

1. Data Center Security

GalaxyWorks runs on the Amazon Web Services (AWS) global infrastructure platform.

AWS publishes an "Overview of Security Processes" whitepaper that serves as the reference material for this section. SOC 2 reports are available directly from AWS upon request.

1.A - Compliance

AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. Additionally AWS also has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS against 20+ standards, including the HIPAA, CESG (UK), and Singapore Multi-tier Cloud Security (MTCS) standards.

p. 6 - "Introduction to AWS Security - July 2015"

1.B - Physical Security

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

p. 5 - "Amazon Web Services: Overview of Security Processes - May 2017"

1.C - Environmental Security

AWS data center environmental controls include:

  • Fire detection and suppression systems
  • Redundant power systems, backed by Uninterruptible Power Supply units and generators
  • Climate and temperature controls
  • Active system monitoring

pp. 5-8 - "Amazon Web Services: Overview of Security Processes - May 2017"

2. Galaxy Pro Network Security

2.A - Secure Architecture

GalaxyWorks’ Galaxy Pro installations run in separate AWS accounts in dedicated Virtual Private Clouds (VPCs). Each installation runs an isolated network.

2.B - Firewalls

All public-facing Galaxy Pro virtual machines instances use inbound Security Group rules configured in deny-all mode. Ports are opened as necessary for: Galaxy Pro HTTP/S access and administrative SSH access.

2.C - Network Access

Access to Galaxy Pro instances is exclusively using encrypted communication, based on TLS/SSL and SSH. All ingress or egress data is encrypted in transit using those protocols.

2.D - Port Scanning

AWS monitors and stops unauthorized port scanning.

2.E - Spoofing & Sniffing

The AWS network prohibits a host from sending traffic with a source IP or MAC address other than its own. The AWS hypervisor will also not deliver any traffic to a host the traffic is not addressed to, meaning even an instance running in promiscuous mode will not receive or be able to "sniff" traffic intended for other hosts.

p. 13 - "Amazon Web Services: Overview of Security Processes - May 2017"

2.F - Network and Host Vulnerability Scanning

GalaxyWorks is responsible for network and host security, and remediates adverse findings without customer intervention, however you may request a scan of your dedicated VPC and its hosts as needed for your own security assessments and audits.

3. Galaxy Pro Platform Security

3.A - Configuration and Change Management

For every Galaxy Pro configuration change, our platform performs a health check on the container set before promoting it to the current release. If the health check fails, the container set is not promoted. Either way, the deployments have zero-downtime.

For any deployment, we may roll back to a previous codebase in the event of an error.

3.B - Isolation

Dedicated Galaxy Pro instances are deployed on AWS VPC-based dedicated stacks, isolated at the customer level. The VPC, network, underlying instances, and AWS virtual infrastructure for your dedicated stack are not shared with any other tenant.

3.C - Logging and Monitoring

Our Galaxy Pro platform monitors performance indicators such as disk, memory, compute, and automatically resolves them on your behalf.

3.D - Host Hardening

Galaxy Pro host operating systems are based on an official AWS Ubuntu LTS image. For the operating system:

  • Operating systems are configured only via automated configuration management. Services installed can be enumerated upon request.
  • Host password logins are disabled. SSH root keys are not permitted.
  • No user SSH keys are permitted on hosts by default. Only GalaxyWorks internal workforce user access is configured and it is used only when necessary to provide customer support.
  • Swap is disabled to avoid writing in-memory secrets to unencrypted volumes.
  • Password-based services (such as PostgreSQL) are provisioned only with unique, per-resource, GalaxyWorks-generated passphrases. No default passwords are permitted.
  • All host ports are opened only via whitelist.

3.E - Databases

Databases run in the database layer of your instance, accessible only from the Galaxy Pro instance. Disk volumes backing databases are encrypted at the filesystem level using AWS-managed encryption.

3.F - Your Data

All data you upload or generate as a result of running jobs is stored on a dedicated disk attached only to that instance of Galaxy Pro. The disk is encrypted at the filesystem level using AWS-managed encryption.

4 - GalaxyWorks Internal Security

We do not access or use Your Content for any purpose other than for developing and operating the Services and as required by law. As a routine matter, GalaxyWorks workforce members do not require access to data processed by your Galaxy Pro instances, such as data stored in your databases or on disk. GalaxyWorks workforce members are granted access to customer environments only when a specific business need arises.