Enterprise-Grade Security

Production companies across the globe trust Chedar to manage their team's most important projects and collaborate in the cloud.

Introduction

Chedar is the leading collaborative film budgeting platform helping Producers around the globe align work with the most important business objectives, create new efficiencies, and drive results.

We are dedicated to making Chedar the most secure and reliable collaborative platform on the market. We are committed to protecting your personal and company data, and ensuring secure collaboration within our platform, which is why we continue to invest in the security of our services to not only meet, but exceed industry standards.

Security has always been a top priority and we have relentlessly pursued a robust and mature security strategy since the day the company was founded. Below is an overview of Chedar’s security strategy, which includes a comprehensive approach across four key categories: Infrastructure, Application, Privacy and People.

Preamble

Chedar is hosted on Amazon's AWS using Amplify, the control center for fullstack web and mobile application deployments in AWS. We use the following services:

  • Cognito for user authentication
  • AppSync for GraphQL API
  • DynamoDB for database management

Infrastructure security

Chedar is protected by the AWS global network security procedures that are described in the Amazon Web Services: Overview of Security Processes whitepaper.

We use AWS published API calls to access Amplify through the network. We support Transport Layer Security (TLS). We also support cipher suites with perfect forward secrecy (PFS).

Additionally, requests are signed by using an access key ID and a secret access key that is associated with an IAM principal.

Uptime Over 99.9%

Over years of continuous service, Chedar has consistently met or exceeded 99.9% uptime, ensuring customers can access their tasks and projects when needed without interruption. If Chedar is temporarily unavailable due to technical reasons or scheduled maintenance, you can log in to the standalone, Offline Chedar.

Continuous data backups

Continuous backup is provided by DynamoDB for the past 35 days. On top of that, we provide monthly backups for all of our DynamoDB tables.

Application security

User authentication

Cognito

Data Protection in Chedar's Authentication:

The AWS shared responsibility model applies to data protection in Chedar's Authentication. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. We are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that we use.

For data protection purposes, we protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM). That way each user is given only the permissions necessary to fulfill their job duties. We also secure our data in the following ways:

  • We use multi-factor authentication (MFA) with each account.
  • We use SSL/TLS to communicate with AWS resources.
  • We set up API and user activity logging with AWS CloudTrail.
  • We use AWS encryption solutions, along with all default security controls within AWS services.
  • We use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

Database Data encryption

All user data stored in Chedar Database is fully encrypted at rest. Chedar DB encryption at rest provides enhanced security by encrypting all your data at rest using encryption keys stored in AWS Key Management Service (AWS KMS). This functionality helps reduce the operational burden and complexity involved in protecting sensitive data.

Chedar DB encryption at rest provides an additional layer of data protection by securing your data in an encrypted table - including its primary key, local and global secondary indexes, streams, global tables, backups, and DynamoDB Accelerator (DAX) clusters whenever the data is stored in durable media. Organizational policies, industry or government regulations, and compliance requirements often require the use of encryption at rest to increase the data security of your applications.

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to encrypt your tables. For more information, see AWS Key Management Service Concepts in the *AWS Key Management Service Developer Guide*.

When we create a new table, it is encrypted using an AWS owned key, which is the default encryption type. The key is owned by DynamoDB.

When we access an encrypted table, DynamoDB decrypts the table data transparently.
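The backup and encryption settings described above can be verified from the DynamoDB API. The following is an added example, not Chedar's own code: it audits responses shaped like boto3's `describe_table` and `describe_continuous_backups` output, and the table names, clock value and sample responses are constructed.

```python
from datetime import datetime, timedelta, timezone

PITR_WINDOW = timedelta(days=35)  # continuous-backup retention stated above
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed samples


def audit_table(table_resp, backup_resp, now):
    """Summarise the encryption key type and PITR coverage of one table."""
    table, findings = table_resp["Table"], []
    sse = table.get("SSEDescription")
    if sse is None:
        key_type = "AWS_OWNED"  # DescribeTable omits SSEDescription for the default key
    elif sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS":
        key_type = "KMS"
    else:
        key_type = "UNKNOWN"
        findings.append(f"unexpected SSE state: {sse.get('Status')}")
    pitr = backup_resp["ContinuousBackupsDescription"].get(
        "PointInTimeRecoveryDescription", {})
    enabled = pitr.get("PointInTimeRecoveryStatus") == "ENABLED"
    coverage = timedelta(0)
    if not enabled:
        findings.append("point-in-time recovery is disabled")
    else:
        coverage = now - pitr["EarliestRestorableDateTime"]
        age = now - table["CreationDateTime"]
        # An old table with a short window means PITR was switched on recently.
        if coverage < min(age, PITR_WINDOW) - timedelta(hours=1):
            findings.append(f"only {coverage.days} days restorable")
    return {"table": table["TableName"], "key_type": key_type,
            "pitr_enabled": enabled, "coverage_days": coverage.days,
            "findings": findings}


def sample(name, age_days, pitr_days, sse=None):
    """Constructed responses shaped like boto3 output; names are hypothetical."""
    table = {"TableName": name, "CreationDateTime": NOW - timedelta(days=age_days)}
    if sse:
        table["SSEDescription"] = sse
    pitr = {"PointInTimeRecoveryStatus": "DISABLED"}
    if pitr_days is not None:
        pitr = {"PointInTimeRecoveryStatus": "ENABLED",
                "EarliestRestorableDateTime": NOW - timedelta(days=pitr_days)}
    return ({"Table": table},
            {"ContinuousBackupsDescription": {"PointInTimeRecoveryDescription": pitr}})


if __name__ == "__main__":
    for args in [("budgets", 400, 35), ("line-items", 400, 5), ("drafts", 10, None)]:
        print(audit_table(*sample(*args), NOW))
```

Against a live account, the same two dictionaries come from the boto3 DynamoDB client's `describe_table(TableName=...)` and `describe_continuous_backups(TableName=...)` calls.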

Encryption at rest

Encryption at rest refers to protecting our data from unauthorized access by encrypting data while stored. We encrypt an app's build artifacts by default using AWS KMS keys for Amazon S3 that are managed by the AWS Key Management Service.

We use Amazon CloudFront to serve our app to our customers. CloudFront uses SSDs which are encrypted for edge location points of presence (POPs), and encrypted EBS volumes for Regional Edge Caches (RECs). Function code and configuration in CloudFront Functions is always stored in an encrypted format on the encrypted SSDs on the edge location POPs, and in other storage locations used by CloudFront.

Encryption in transit

Encryption in transit refers to protecting our data from being intercepted while it moves between communication endpoints. We provide encryption for data in transit by default. All communication between customers and our database and between our database and its downstream dependencies is protected using TLS connections that are signed using the Signature Version 4 signing process. All Console endpoints use SHA-256 certificates that are managed by AWS Certificate Manager Private Certificate Authority. For more information, see Signature Version 4 signing process and What is ACM PCA.

Privacy

Compliance Validation for Chedar

People

Processes

Designing and running datacenter infrastructure requires not only technology, but also a disciplined approach to processes. This includes policies about escalation, management, knowledge sharing, risk management, and day-to-day operations. Chedar’s security and operations teams have years of experience designing and operating data in the cloud, and we continually improve our processes over time. Chedar has also developed best-in-class practices for managing security and data protection risk. All of these elements are essential parts of Chedar’s security culture.

Need-to-Know and Least Privilege

Only a limited set of employees have access to our production environment and the data stored in our databases. There are strict security policies for employee access, all security events are logged and monitored, and our authentication methods and data are strictly regulated. We follow code best practices and established standards with regard to establishing and running cloud architecture.

We limit access to customer data to employees with a job-related need, and require all these staff members to sign a confidentiality agreement. Accessing customer data is only done on an as-needed basis, and only when approved by the customer (i.e. as part of a support incident) via a written request, or under authorization from senior management and security for the purposes of providing support, maintenance, or improving service quality.