We take the security of your data very seriously at Modo. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.
If you have additional questions regarding security, we are happy to answer them. Please write to firstname.lastname@example.org and we will respond as quickly as we can.
We place strict controls over our employees’ access to the data you and your users make available via the Modo services, as more specifically defined in your agreement with Modo covering the use of the Modo services (“Customer Data”). The operation of our services requires that some Modo employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with the Modo services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so.
All of our employees and contract personnel are bound by our policies regarding Customer Data and we treat these issues as matters of the highest importance within our company.
The environment that hosts the Modo services maintains multiple certifications for its data centres, including ISO 27001 compliance, FedRAMP authorisation, PCI certification and SOC reports. For more information about their certification and compliance, please visit the AWS Security website.
We log every time an account signs in, noting the type of device used and the IP address of the connection.
Team Administrators and owners of paid teams can review consolidated access logs for their whole team if requested.
Deletion of customer data
Modo provides the option for any user to delete Customer Data at any time during a subscription term. Within 24 hours of user-initiated deletion, we hard delete all information from currently running production systems (excluding details of the email domain used by the Customer to register the subscription (e.g. '@modo.energy').
Data encryption in transit and at rest
The Modo services support the latest recommended secure cypher suites and protocols to encrypt all traffic in transit. Customer Data is encrypted at rest.
We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility with older clients.
We understand that you rely on the Modo services to work. We’re committed to making Modo a highly available service that you can rely on. Our infrastructure runs on systems that are fault-tolerant for failures of individual servers. Our operations team tests disaster recovery measures regularly and has a team to quickly resolve unexpected incidents.
Customer Data is stored redundantly in multiple locations in our hosting provider’s data centres to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer Data and our source code are automatically backed up every night. The operations team is alerted in the event of a failure in this system.
Modo maintains an extensive centralised logging environment in its production environment which contains information pertaining to security, monitoring, availability, access and other metrics about the Modo services. These logs are analysed for security events by the security team.
Incident management & response
In the event of a security breach, we will promptly notify you of any unauthorised access to your Customer Data.
Product security practices
New features, functionality and design changes go through a security review process. In addition, our code is tested and manually peer-reviewed prior to being deployed to production.