Security Policies

Combinate Security Overview

Customer data is one of the most valuable assets a company has. That’s why our top priority is delivering a high-performance solution with a focus on keeping our customers’ data safe and their interactions secure. Cloud-based software is all about providing uninterrupted, reliable service, making information security a major focus for first-rate cloud vendors.

Security Benefits

Combinate customers get the benefit of a comprehensive, high-performance solution — all while keeping their data safe, their interactions secure, and their businesses protected. Below we outline how we achieve our high levels of performance, availability, and security.


  • A dedicated, deeply experienced architecture team.
  • 24x7x365 systems server monitoring.
  • Code assessment and analysis through technical review processes.
  • Employee programs and training to reinforce security awareness and communication.


  • A secure, multi-tenant network architecture.
  • Active performance and availability monitoring of all data centers 24x7x365.
  • Cloud backups.
  • DDOS mitigation technologies.
  • SOC 2 Type II, SOC 3 and ISO27001 compliant data centers.

Physical Security

  • Combinate servers are hosted at SOC 2 Type II, SOC 3, and ISO27001 compliant facilities.
  • Facilities features 24-hour manned security, biometric access control, video surveillance, and physical locks. The co-location facilities are powered by redundant power, each with UPS and backup generators. All systems, networked devices, and circuits are constantly monitored.
  • Access is limited to a small group of data center employees who have a need to know.

Product Security Features

  • One-way hash encrypted passwords using modern standard hashing algorithms. Passwords are NEVER stored in plain-text.
  • Audit logging and event alerting.
  • Regular updates are rolled out to all customers ensuring everyone has the latest application and security innovation. Proper testing, deployment, and product update protocols are followed to ensure the stability, quality, and security of releases.
  • Product endpoints and pages are secure by default and audited to prevent unauthorised access to customer information. Appropriate authentication and authorisation solutions ensure the security of the data on the application side of things.
  • Customer databases are secured with appropriate network controls and policies.
  • Implementation solutions are reviewed depending on any additional customer compliance requirements (i.e. PCI Compliance, HIPAA Compliance). Integrated services are also assessed accordingly for customer compliance requirements.

Database Security

  • Compliant with SSAE16, SOC1, ISAE 3402, ISO 27001, CSA, and other relevant global standards and policies.
  • 24/7 physical security of data centers and network operations center monitoring.
  • Authorisation: Grant read, write, admin permissions to specific databases, JSON documents, and JSON fields.
  • Credit card details are NEVER stored in databases, logs, and memory of our systems. Token representations may be stored internally through the use of 3rd-party PCI Compliance services (i.e. Stripe).
  • Data integrity of customer data is ensured through proper implementation and migration solutions along with rigorous testing of product features.

Transmission Security

  • By default, ALL communications with Combinate servers are secured by default using industry standard SSL.This ensures that all traffic between you and Combinate systems are secure during transit.
  • Additionally for email, our product makes use of Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

Access Control

  • All access to data within Combinate servers and resources is governed by appropriate access rights.
  • Every user who attempts to access your instance is authenticated and authorised using the appropriate credentials (i.e. username, password).
  • The principle of least privilege is enforced at all times using appropriate security measures to only provide the level of access needed to perform a job.
  • Secure sign in with 2FA (two-factor authentication) is used whenever available.

Application Security

  • All endpoints and pages should be secured with the appropriate security mechanisms (e.g., secure zones, token authentication systems) whenever possible
  • Credentials and keys should not be hardcoded and included in the application codebase
  • Credentials and keys should not be included and must be completely removed from the repository history