Table of Contents
- 1. ACCESS CONTROLS
- 2. OPERATIONS MANAGEMENT AND NETWORK SECURITY
- 3. CHANGE MANAGEMENT
- 4. DATA ENCRYPTION AND DELETION
- 5. SUB-PROCESSORS
- 6. SYSTEM MONITORING AND VULNERABILITY MANAGEMENT
- 7. PERSONNEL CONTROLS
- 8. BACKUPS, BUSINESS CONTINUITY, AND DISASTER RECOVERY
- 9. CERTIFICATION AUDIT REVIEW
- 10. MODIFICATIONS
Information Security Standards
Last Updated: March 26, 2024
These Information Security Standards (“Information Security Standards”) describe the technical and organizational measures implemented by Airtable to ensure an appropriate level of security for its Services. The Information Security Standards are incorporated into and form a part of the agreement between the organization agreeing to them (“Customer”) and Formagrid Inc, dba Airtable (“Airtable”) (Customer and Airtable each, a “party” and collectively, the “parties”) governing the use of Airtable’s products and services (the “Service Terms”) as set forth in one or more order forms, online purchase confirmations, or other ordering documents entered into by the parties (each, an “Order Form”). Notwithstanding anything to the contrary, these Information Security Standards shall take effect only if and when they are explicitly incorporated by reference into the Service Terms or an Order Form duly executed by the parties. In the event that the requirement in the preceding sentence is not met, then the terms and conditions set forth in these Information Security Standards shall not apply and shall not have binding effect on the parties. Any capitalized term used but not defined in these Information Security Standards has the meaning set forth (for such capitalized term or its substantive equivalent) in the Service Terms. In the event of a conflict between these Information Security Standards and the Service Terms, these Information Security Standards will apply.
1. ACCESS CONTROLS
1.1. Control Measures
Airtable has implemented reasonable system access controls and physical access controls designed to limit access based on authorization and prevent personnel and others who should not have access from obtaining access to Airtable systems housing Customer Data.
1.2. System Access Controls
Airtable's system access control measures include the following:
restricting unauthorized users from accessing information not needed for their roles through role-based user access, and using "least privileged" principles;
unique user accounts identifiable to individual users, password requirements, and two-factor authentication;
provisioning and removal of employee access to Customer Data when access is no longer required; and
periodic access reviews to ensure that only Airtable personnel who still require access to Customer Data have such access.
1.3. Physical Access Controls
Airtable utilizes cloud hosting infrastructure (currently provided by Amazon Web Services) for the Services. All physical security controls are managed by the cloud hosting provider. Annually, Airtable reviews the applicable security and compliance reports of its cloud hosting provider to ensure appropriate physical security controls, which include:
use of data centers with physical and environmental controls appropriate to the risk for Customer Data and for the equipment, assets, or facilities used to hold and process such Customer Data (e.g., use of key card access controls and security guard monitoring); and
use of data centers with 24/7 security protection, automatic fire detection and suppression, fully redundant power systems, and other reasonable environmental controls.
2. OPERATIONS MANAGEMENT AND NETWORK SECURITY
Airtable establishes and maintains reasonable operations management and network security measures, including:
network segmentation based on the label or classification level of the information stored;
protection of servers and web applications using restrictive firewalls; and
regular review, testing, and installation of security updates and patches to servers.
3. CHANGE MANAGEMENT
3.1. Change and Release Management
Airtable maintains a formal change and release management policy and procedure for software, system, and configuration changes. Such policies and procedures include:
a process for testing and approving promotion of changes into production; and
a process for performing security assessments of changes into production.
3.2. Secure Application Development
Airtable follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10.
3.3. Development Training
Airtable provides secure code development training based on role for secure application development, configuration, testing, and deployment.
4. DATA ENCRYPTION AND DELETION
Airtable establishes and maintains reasonable data encryption and deletion practices, including:
encryption of Customer Data while at rest using industry best practice encryption standards and methods;
encryption of Customer Data while in transit using industry standard encryption methods designed to encrypt communications between its server(s) and customer browser(s);
use of cryptographic controls and approved algorithms for information protection within the service environment based on Airtable’s company policies and standards;
encryption of employee workstations with full disk encryption, strong passwords, and screen lockout; and
maintenance of policies and procedures regarding the deletion of Customer Data in accordance with applicable laws and NIST guidance (Customer Data is deleted upon customer request and removed off Airtable's cloud hosting provider servers).
5. SUB-PROCESSORS
Airtable uses certain sub-processors to assist Airtable in providing the Services. Prior to engaging any sub-processor who has access to, potentially will have access to, or processes Customer Data, Airtable conducts an assessment of the security and privacy practices of the sub-processor to ensure they are commensurate with the level of data access the sub-processor will have and the scope of the services it will provide. Airtable then enters into a written agreement with the sub-processor containing privacy, data protection, and data security obligations that ensure a level of protection appropriate to the sub-processor’s processing activities. Airtable performs annual reviews of its sub-processors to ensure that compliance and security standards are maintained and material changes to processes are reviewed.
6. SYSTEM MONITORING AND VULNERABILITY MANAGEMENT
Airtable regularly monitors its production environment for unauthorized intrusions, vulnerabilities, and the like. Airtable's system monitoring measures include the following:
use of intrusion detection methods to prevent and identify potential security attacks from users outside the boundaries of the system;
performance of automated application and infrastructure vulnerability scans to identify vulnerabilities, classification of vulnerabilities using industry standards, and remediation of vulnerabilities based on severity level;
annual third-party penetration testing (an executive summary can be provided upon request);
annual risk assessments and continuous monitoring of Airtable’s risk register;
periodic third-party security audits, such as SOC 2 Type 2 and ISO27001 audits;
monitoring, logging, and reporting on critical or suspicious activities with regard to network devices, including retention of logs for forensic-related analysis, maintenance of audit logs that record and examine activity within Airtable’s production environment, back-up of logs in real-time, and implementation of controls to prevent modification or tampering of logs;
operation of a “bug bounty” program to identify potential security vulnerabilities; and
deployment of anti-virus and malware tools to detect and remediate harmful code or programs that can negatively impact the Services.
7. PERSONNEL CONTROLS
Airtable uses reasonable efforts to ensure the continued reliability of Airtable employees who have access to Customer Data by implementing the following measures:
conducting background checks, subject to applicable laws, on all employees who may access Customer Data;
requiring employees to complete new-hire security training and acknowledge Airtable’s information security policies, including but not limited to Airtable’s Code of Conduct and Acceptable Use of Technology Resources Policy, upon hire;
requiring employees to complete annual privacy and security training covering topics that address their obligations to protect Customer Data as well as privacy and security best practices;
instructing employees to report potential personal data breaches to the Security team; and
imposing discipline for material violations of Airtable's information security policies.
8. BACKUPS, BUSINESS CONTINUITY, AND DISASTER RECOVERY
8.1. Backups
Airtable maintains a policy and procedure for performing backups of Customer Data.
8.2. Business Continuity Program
Airtable maintains a reasonable business continuity program, including a disaster recovery plan, designed to minimize disruption to the Services. The plans are tested annually and the process is amended, as needed.
9. CERTIFICATION AUDIT REVIEW
Upon Customer’s written request (email to suffice), Airtable will provide to Customer for review a copy of Airtable’s most recent annual SOC II Type II audit results, and a copy of its then-current ISO 27001 certificate.
10. MODIFICATIONS
Notwithstanding anything to the contrary in the Service Terms, Airtable may modify or update these Information Security Standards from time to time, and so Customer should review this page periodically. In such cases, Airtable will update the ‘Last Updated’ date at the top of this page. If the changes would materially reduce the level of security provided under these Information Security Standards, Airtable will provide Customer with email notice of the changes at least thirty (30) days before they go into effect. Customer's continued use of the Services after any change to these Information Security Standards becomes effective constitutes Customer's acceptance of the new Information Security Standards. If Customer does not agree to any part of these Information Security Standards or any future Information Security Standards, Customer should not use or access (or continue to use or access) the Services.