Data Access Policy
User information and the content of Canvases are stored in DynamoDB and S3, encrypted at rest, and transmitted between services over TLS. Only Moment employees with the necessary IAM policy are able to read this data. The policy to read this data is granted only to engineers on a need to know basis.
Moment Customer Information such as Canvases and User Information are stored encrypted in DynamoDB and S3 and processed on servers running on ECS Fargate.
Customer-provided secrets are stored in SSM and processed on servers running on ECS Fargate and transmitted to clients over TLS.
Customer private information such as information fetched from customer internal services is transmitted to Moment over TLS where it is processed by servers running on ECS Fargate and sent to clients again over TLS. While customer information may be unencrypted on Moment servers it is not stored or logged under any circumstances.
SOC 2 (Type 1) and ISO Compliant
User Information Data Flow
Moment takes great care to ensure that the User’s personal information is stored safely and securely with minimal risk of exposure. All User Information is encrypted at rest and in transit and destroyed on request or when the customer’s contract ends. All customer data is only available to employees with the necessary IAM policy that is granted on a need to know basis.
Customer Private Information Data Flow
Moment takes the responsibility for customer data incredibly seriously. Moment’s design puts our customers in charge of their secrets and never exposes internal authorization or authentication information outside of the customer’s network. Customer data is then relayed back to Moment clients over TLS. Customer information is never stored or logged by Moment.
GDPR and CCPA
We are working to ensure that we are fully SOC 2, GDPR, and CCPA compliant.
As a Data Controller handling customer information, Moment collects the name and email address of all customers as part of our authentication process. This data is stored in DynamoDB and S3, encrypted at rest, and is available to all employees with the necessary IAM policy. When a customer ends their contract with Moment this personal information is destroyed.
As a Data Processor handling private information, Moment does not store or log any of the contents of that communication and it is transmitted directly to the Moment client.