Information Security
Your Data is Safe
At Airflux, we take securing our infrastructure seriously and adhere to industry security standards to protect your organization's data.

Protecting your Privacy and Data
Our commitment to keeping your data secure is our number one priority. We continuously invest significant time and resources to monitor and adjust to the latest threats through our robust security frameworks, procedures, and policies. Data in Airflux is protected with multiple layers of protection including access control, data encryption, network infrastructure security, asset security management, cloud product security, physical security, human security, monitoring and reporting protocols. Third-party security assessments are conducted to ensure that our security frameworks, procedures, and policies are maintained at the highest rigour and standards.

Compliance

AB180 Inc. complies with the relevant laws and regulations for the safe provision of Airflux. In addition, we are strengthening our information protection capabilities and enhancing service safety by having the level of our information protection management systems audited every year by a world-class international certification body.

ISO/IEC 27001, 27017, 27018

Airflux is operated by AB180 Inc., whose information security management system (ISMS) has been certified under ISO/IEC 27001, 27017, and 27018 by SGS, a leading global certification body. While these certifications were originally issued for AB180’s Airbridge service, Airflux is developed and operated within the same certified infrastructure and security governance environment.

ISO/IEC 27001 is an international standard for information security management systems established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO 27017 and ISO 27018 are information security and privacy certifications specialized for cloud services based on ISO 27001.

Because Airflux is built and run within AB180’s certified information security management system, the service inherits the same rigorous security and privacy controls, ensuring that all customer data are managed in accordance with these international standards.

Product

  • Access Control:
    Airflux provides role-based organization roles through the Airbridge Dashboard. For security reasons, each game is assigned an Owner account. Once that account is registered in the Airbridge Console, it can view SDK details and submit configuration changes. Performance metrics are delivered separately by email: the studio designates a report-only mailing list, which AB180 keeps up to date on request, and these messages contain only aggregated data, never player-level identifiers.
  • Protecting Passwords and Sensitive Data:
    Sensitive data, including users' passwords, is encrypted and then stored safely. In particular, passwords are encrypted using PBKDF2 (Password-Based Key Derivation Function 2) and then stored.
  • Opt-Out on Sending Privacy Data:
    To comply with the <Privacy Act> of the Republic of Korea and the <General Data Protection Regulation (GDPR)> of the EU, you can use the 'Opt-Out' feature to restrict the sending of privacy data.

Infrastructure & Network

  1. Infrastructure on AWS
    1) All Airflux services run in the cloud. Airflux does not run its own routers, load balancers, DNS servers, or physical servers.
    2) We use Amazon Web Services (AWS) Cloud, and all infrastructure is located in the AWS Tokyo region. As part of AWS's privacy policy, the location of the data center is not disclosed. Therefore, all Airflux infrastructure operates on the basis of AWS's physical and environmental security policies. For more information, see the Security Policy page on AWS.
    3) Airflux operates in at least two Availability Zones for business continuity and disaster recovery.
    4) Airflux complies with the AWS Shared Responsibility Model and Security Best Practices as best as possible.
    5) For more information on AWS's compliance programs, please see here
  2. Regular Vulnerability Inspection & Patch
    1) Using AWS Inspector, we regularly inspect all instances for known security vulnerabilities at the OS level and the application level.
    2) Software and libraries with security vulnerabilities are patched to the latest version in a way that is compatible with the existing systems.
    3) All server instances operate based on standard OS images with system hardening, including default security settings.
  3. VPC & Security Group
    All servers are separated from external networks and operate in AWS's VPC (Virtual Private Cloud). We prevent unauthorized external access using multiple systems, including Security Groups.
  4. Real-time Network Monitoring with Intelligent Threat Detection System
    Using AWS GuardDuty, an intelligent threat detection system, we monitor network flow logs, DNS logs, and AWS Console access and API call logs in real time.

Data Storage, Transfer, Permissions & Access Control

  1. Encrypted Storage on Cloud
    All user data is stored in AWS infrastructure located in the Tokyo region. Sensitive data is encrypted using AWS SSE-S3 (AES-256) before it is stored, and data decryption and access logs are recorded and audited.
  2. Encrypted Transit
    All data communications are encrypted using TLS 1.2 or higher.
  3. Regular Back-up
    We regularly back up data to prevent data loss.
  4. Access Control
    Employees can access data only for appropriate business purposes, after the CISO's approval, and must receive education in handling sensitive data. Existing access permissions are assessed for whether they are appropriate for the job and are managed periodically.

Application & Development

  1. Complying with S-SDLC (Secure Software Development Life Cycle)
    We comply with S-SDLC (Secure Software Development Life Cycle) in every stage of planning, development, testing, deployment and operation to guarantee security, stability, and reliability.
  2. Automated Testing and Deployment
    Applications can be deployed to the production stage only after automated testing. If a single test fails, the new feature is not deployed. This process guarantees fast feature development and product stability.

Application Monitoring, Business Continuity & Disaster Recovery

  • Real-time Monitoring of System Status:
    We monitor all systems and components of all data pipelines in the infrastructure 24/7/365 to minimize damage from failures and breaches and to recover from them as soon as possible. In particular, we manage failures through tickets using third-party tools like PagerDuty so that engineers can quickly resolve the issue.
  • Monitoring for Sensitive Data:
    Access, modifications and downloads are all recorded and audited regularly.
  • Risk Assessment:
    We regularly assess technical and non-technical risks according to their frequency, the effect of the risk and the importance of the asset, in order to progressively remove risk according to the DoA (Degree of Acceptance).
  • Building DR(Disaster Recovery) Scenario:
    We build Disaster Recovery scenarios and regularly train related employees.

Security Audits

  • Internal Audit:
    Under the CISO's lead, we conduct internal audits of technical and non-technical data protection logs daily, weekly, monthly, quarterly, semiannually or annually, depending on the task.
  • Third-Party Audit:
    If a third party is in charge of development, infrastructure maintenance, or personal information processing, we conduct a thorough audit to check that the privacy and personal data protection procedure standards are met.
  • Regular Pen-Test:
    We conduct product pen-tests in accordance with the SDLC, as well as regular internal pen-tests. We also pen-test the entire system once a year with a trusted third-party security company.

Physical & HR

  • Education and Training:
    The information protection committee checks every month whether the policies are complied with.
  • Security Policies:
    All information security compliance requirements are defined and published in internal policy, guideline, and procedure documents. Policy documents are managed by the information protection committee, composed of in-house C-level executives including the CEO, and the information protection committee checks every month whether the policies are complied with.
  • Information Protection Pledges:
    All employees and outsourced employees must prepare information protection pledges when they sign an employment or service contract, to define their responsibility for information protection according to their work.
  • SSO & 2FA:
    External solutions used by executives and employees (e.g. GSuite, GitHub, AWS) must have SSO and 2FA activated to prevent accidental hacking incidents.
  • DLP & Anti-virus:
    All business PCs are protected from malware with a centrally managed anti-virus solution, and Data Loss Prevention (DLP) solutions help prevent data leakage.

Customer Responsibilities

  1. Do not leak Airflux log-in information and token values. If you think the data has been leaked, please let the AB180 Security & Privacy team know immediately.
  2. Please make sure to log out after using our service on a public PC.
  3. Do not share one log-in account with others. If multiple users need to access the Airflux Dashboard, please do so with feature.
  4. Please regularly audit Airflux Dashboard's Activity History to prevent and monitor accidents. If you find an unintended action, please let the AB180 Security & Privacy team know immediately.
  5. Please comply with the data protection laws to legally consign and store user data in Airflux. In particular, if you are providing service in Korea, you must get agreement about 'Personal Information Processing Consignment' and 'Personal Information Transfer' according to the Privacy Act. Also, if you are providing service in the EU area or to EU citizens, you cannot send privacy data to Airflux without certain agreement from the user. If you do not have agreement, you must use the Opt-Out feature on the Airflux SDK.
  6. Use the SDK's Opt-Out feature so that the privacy data of children under 14 years old is not sent.
  7. Do not perform pen testing, security vulnerability checks, or similar activities on the Airflux system without the approval of the AB180 Security & Privacy team.