Security

Introduction

Understanding security concerns and demanding regulations, we at Pecan are committed to keeping your information secure, private and encrypted at all times. We employ a set of active and passive security measures ranging from rigid internal compartmentalization to advanced endpoint and network protection mechanisms. Pecan has deployed throughout its infrastructure enterprise-class security tools and abides by strict regulations for securing data at rest and at transit, in both development and production environments. Finally, to ensure you are always in command of your data and environment, Pecan provides granular access-control management and detailed monitoring logs.

Summary

Internal policies and best practices

Pecan employs a zero tolerance policy towards data security from both cryptographic and physical access aspects. Our holistic security approach means your organization remains compliant with demanding regulations, and your data is safe from both malicious and accidental breaches.

Apart from tightly centrally managed computing systems, antiviruses, firewalls and intrusion prevention systems, Pecan is also committed to engineering excellence with a specific focus on security. To that end, we follow OWASP Secure Software Development Life Cycle Project (S-SDLC) best practices, and perform routing penetration tests prior to every release. To confirm the effectiveness of our security strategy, Pecan also employs 3rd party agencies for periodic penetration tests on top of internal tests, rules, tools and regulations.

Reputable Providers

Pecan’s product is rolled out on platforms belonging to reputable leading service providers and vendors that uphold the highest security standards, specifically: Amazon Web Service (AWS) and Cloudflare. In addition, Pecan can be self-hosted in a Virtual Private Cloud to ensure data never leaves your managed environments. In most cases, Pecan’s hosted product is used for the creation of the Predictive Data Model alone, after which any residual data is destroyed.

Infrastructure and Implementation Options

Pecan’s operation is separated into two phases: the Training Phase - when the Predictive Data Model is produced, and the Prediction Phase - when the Predictive Data Model is deployed as a self-contained web service. During the Training phase, Pecan can be deployed in two modes:

  1. Software as a Service (SaaS) compartmentalized per client on Pecan’s AWS, where storage space is allocated per client and kept completely segregated.
  2. Self Hosted in a Virtual Private Cloud (VPC) on AWS, Google or Microsoft Azure running off a pre-packaged Virtual Machine (VM), with absolutely no data leaving your company.

Once the Training Phase is over and the data model, DNNs and other functional items have been constructed, Pecan allows you to attain predictions in two ways:

  1. Fixed: Deploy the resulting model on-prem through a fully dockerized platform, avoiding data exposure and destroying any data that was previously stored for the training phase.
  2. Dynamic: Continue to run the model on Pecan’s infrastructure allowing for continuous synchronization and training for exceedingly accurate predictions and zero-footprint in your datacenter.

Access Control and Authentication

Pecan has three built-in user roles: Super Admin, Administrator and Viewer.

  • Super Admin: an account with unrestricted access, used only by Pecan’s Customer Success managers and engineers. This account can access all the data and Prediction Tasks, add users and revoke access rights, demote and promote users, and close an account.
  • Administrators: accounts given to clients for users who are allowed to view, create, delete and run Prediction Tasks, as well as connect or remove data sources, edit data connections, and export trained models for deployment, export tables for use in third-party data visualization and exploration tools, etc. Administrators can also add new users, and grant them access rights, and granularity control what they are allowed to do with respect to existing Prediction Tasks.
  • Viewers: accounts given to clients for users who have no editing rights at all, and can only access the results and properties of given Prediction Tasks.

In order to authenticate users, Pecan uses a signed and encrypted access token obtained after entering an 8 characters long password (or more), consisting of at least one number and one symbol. If required for regulatory compliance, Pecan also has an optional 2FA mechanism utilizing a code sent to a user’s mobile phone. Pecan’s password policies can also enforce periodic password changes. User access is revoked after 10 failed sign-in attempts, which can be restored only by another Administrator or Super Admin.

Cryptography and Encryption

For its Production environment, Pecan utilizes Amazon S3 Server Side Encryption (S3-SSE) for all files stored on AWS, and encrypts all of its databases with Transparent Data Encryption (TDE). For obtaining data, customers can simply provide Pecan with exported data in CSV or JSON format into an S3 bucket, or alternatively use Pecan’s Data-Gateway for direct access to schemas through a secure SSH tunnel. Using this method, users can select which data fields to import, allowing them to exclude any sensitive information.

Internally, all of Pecan’s development storage and compute servers are encrypted, and communication in and out of Pecan’s network is handled through a secure 2FA-enabled VPN. Pecan’s network is protected by an active firewall with additional endpoint protection solutions employed. Pecan does not have, nor allows the use of private computers and laptops for any employee directly handling R&D and customer support.

Data Storage and Access

When using Pecan’s SaaS hosting model, none of the data (raw or otherwise) provided by the client is copied, transmitted or used for any purpose other than completing data model creation tasks (Prediction Tasks). Once a Prediction Task is deleted (e.g. after a model was created and exported), all the data used in the task is destroyed. Furthermore, during data retrieval, the customer can choose the specific fields and entities which will be imported into Pecan for the Training phase. Any data not specifically selected to be part of a given task is not imported by Pecan and will not leave your datacenter.

Being a 100% cloud solution, Pecan does not store any information on client PCs used to access and use our systems other than simple logs and cookies, none of whom contain any data received into or outputted from Prediction Tasks. Any information presented during a session is stored within the browser’s volatile protected memory and is destroyed at the end of a session by the browser.

While the data is present in our environment, the only people other than registered users who have access to it are key IT, DBA and DevOps personnel within Pecan, and the Customer Success manager - all of which are granted access on a need to know only basis.

Logs and Monitoring

For war-rooms and forensics, Pecan has a 24/7 monitoring system covering its entire production environment, logging any sign-in attempt and its originating IP, as well as detailed logs of any data connection opened by Pecan’s Data-Gateway, its duration and the task it was used for, and any data transaction and operation executed by system.

Try Pecan with your team for free

Let's start