Security Policy
Updated June 27, 2026
General
Skedulo and its third-party providers have implemented extensive security measures to help protect against the risk of loss, misuse, and alteration of information under Skedulo's control, including encryption, least-privilege access for personnel, and industry-standard controls such as firewalls and segmented, secured environments for personally identifiable information.
Skedulo manages information security consistent with ISO/IEC 27001:2022, SOC 2 Type II, the NIST Cybersecurity Framework (CSF) 2.0, and applicable legal and regulatory requirements such as HIPAA and GDPR. Skedulo's current SOC 2 Type II report and HIPAA/HITECH validated assessment report are available under NDA to customers and prospective customers on request.
HIPAA
Skedulo is a business associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). Skedulo runs a formal privacy and security management program that includes technical, physical, and administrative safeguards to protect the privacy, confidentiality, integrity, and availability of customer data, including HIPAA protected health information, such as:
- Encryption of data in transit and at rest
- Restriction of customer data to a need-to-know basis within Skedulo, and regular access control reviews
- Required privacy and security training for all Skedulo workforce members
- Formal risk management, including regular reviews of Skedulo's risk and security posture
- A secure software development lifecycle
- Regular, encrypted backups (and secure disposal of data)
- Designated incident response and business continuity teams, with regular training and testing of response plans
Reporting Security Vulnerabilities
If you discover a potential security vulnerability, we strongly prefer that you notify us in private at security@skedulo.com. Publicly disclosing a security vulnerability without informing us first puts the community at risk. When you notify us of a potential problem, we will work with you to understand the scope and cause of the issue. Thank you.
1. Data Center Security
Skedulo's production Services run on the Amazon Web Services (AWS) global infrastructure platform. Under the AWS Shared Responsibility Model, AWS is responsible for the security “of” the cloud (the physical infrastructure, facilities, hardware, and host virtualization), and Skedulo is responsible for security “in” the cloud (our operating systems, applications, configuration, identity and access management, and customer data, including encryption). Reference: AWS Shared Responsibility Model (https://aws.amazon.com/compliance/shared-responsibility-model/).
1.A. Compliance
AWS data centers and infrastructure are independently audited and hold certifications across multiple geographies and verticals, including ISO/IEC 27001, SOC 1/2/3, PCI DSS, and FedRAMP, and support customers' HIPAA and GDPR obligations. AWS third-party audit reports (including SOC 2) are available directly from AWS under NDA via AWS Artifact. Reference: AWS Compliance Programs (https://aws.amazon.com/compliance/programs/).
1.B. Physical Security
Physical access to AWS data centers is strictly controlled at building ingress points by professional security staff using surveillance and intrusion-detection systems. Authorized staff must use multi-factor authentication to access data center floors, and access is granted on a least-privilege, time-bound basis and revoked when no longer required. All visitors are required to present identification, are signed in, and are continually escorted. Reference: AWS Data Center Controls (https://aws.amazon.com/trust-center/data-center/our-controls/).
1.C. Environmental Security
AWS data center environmental controls include automatic fire detection and suppression systems; redundant, fully maintainable power systems with uninterruptible power supplies and backup generators; climate and temperature controls; water-leak detection; and continuous monitoring of electrical and mechanical systems. Reference: AWS Data Center Controls (https://aws.amazon.com/trust-center/data-center/our-controls/).
1.D. Media Destruction
When a storage device that has held customer data reaches the end of its useful life, AWS decommissions it using techniques described in NIST SP 800-88, and media is not removed from AWS control until securely decommissioned.
2. Skedulo Network Security
2.A. Secure Architecture
The Skedulo stack runs in separate AWS Virtual Private Clouds. Most services run in private subnets. Only SSL/TLS endpoints and a bastion host are exposed to the Internet. Backend users connect to the stack through the bastion host, which restricts access to stack components and logs activity for review. Our production and test environments run in separate, unconnected AWS accounts.
2.B. Firewalls
All public-facing compute instances use inbound security group rules configured in deny-all mode, with ports opened only as necessary for administrative access. Public-facing Skedulo endpoints (which include an AWS load balancer) listen only on the specific ports required for functionality (e.g., 443 for an HTTPS endpoint).
2.C. DDoS Protection and Mitigation
Skedulo's VPC-based approach means that most stack components are not accessible from the Internet and cannot be targeted directly by a DDoS attack. Skedulo's public SSL/TLS endpoints sit behind an AWS Elastic Load Balancer, which accepts only valid TCP requests, so attacks such as UDP and SYN floods do not reach the application layer.
2.D. Port Scanning
AWS monitors and stops unauthorized port scanning. Because most of a Skedulo stack is private and all hosts run strict firewalls, port scanning is generally ineffective.
2.E. Spoofing & Sniffing
The AWS network prohibits a host from sending traffic with a source IP or MAC address other than its own, and the AWS hypervisor will not deliver traffic to a host that the traffic is not addressed to, so an instance cannot “sniff” traffic intended for other hosts.
2.F. Network and Host Vulnerability Scanning
Skedulo scans both the Internet-facing and private networks of a master reference stack on a regular, scheduled basis. Skedulo is responsible for network and host security and remediates adverse findings without customer intervention.
3. Skedulo Platform Security
3.A. Configuration and Change Management
For app services with an SSL/TLS endpoint, Skedulo performs a health check on the container set before promoting it to the current release. If the health check fails, the container set is not promoted. Either way, deploys are zero-downtime.
3.B. Logging and Monitoring
Skedulo logs application and API activity in a HIPAA-compliant manner. Skedulo monitors performance indicators such as disk, memory, compute, and logging issues, and resolves them automatically where possible.
3.C. Host Hardening
Skedulo host operating systems are hardened based on the Center for Internet Security (CIS) Benchmark for the operating system and version in use. For all operating systems: operating systems are installed only from bare images via automated configuration management; host password logins are disabled and SSH root keys are not permitted; no password-based services are installed automatically, and any password-based services (such as PostgreSQL) are provisioned only with unique, Skedulo-generated passphrases (no default passwords); host security updates are automated; and host ports are opened only via allowlist.
3.D. Databases
Databases run in the database layer of our stack, on a private subnet accessible only from the application or bastion layer. SSL/TLS is required where the database protocol supports it. Disk volumes backing databases are encrypted at rest using AES-256 encryption.
4. Skedulo Business Continuity
4.A. Backups
Skedulo automatically backs up customer data and configuration data. Customer database backups are produced through automated Amazon RDS snapshots and daily encrypted off-site logical backups, and are encrypted at rest. Backups are replicated to a separate AWS Region within the same country to support disaster recovery while maintaining data residency, and are retained in accordance with Skedulo's documented backup retention schedule. No customer action is required.
4.B. Fault Tolerance
AWS Regions are subdivided into Availability Zones, each engineered as an independent failure zone: physically separated, located in lower-risk locations, and equipped with independent power and redundant network connectivity. Skedulo architects critical services to run across multiple Availability Zones.
4.C. High Availability
High availability is supported by Skedulo's microservices architecture, which runs multiple instances of critical services across multiple Availability Zones. Skedulo uses load balancers and health checks to route connections to healthy services, and a staged deployment strategy to verify new service instances before retiring old ones. The production system is designed to eliminate single points of failure where possible.
4.D. Disaster Prevention and Recovery
Skedulo monitors the stability and availability of customer infrastructure and automatically recovers from disruptions, including application and database failures. In a disaster, Skedulo restores applications from the last healthy build image and restores data from the most recent cross-region backup, in line with the Recovery Time and Recovery Point Objectives defined in Skedulo's Business Continuity and Disaster Recovery Plan. Backup restoration is tested at least annually.
5. Skedulo Internal Security
5.A. Skedulo Access
We do not access or use customer data for any purpose other than developing and operating the Services and as required by law. Skedulo workforce members are granted least-privilege access to customer environments only when a specific business need arises, and access is reviewed regularly.
5.B. Security Management
Skedulo manages information security consistent with ISO/IEC 27001:2022, SOC 2 Type II, the NIST Cybersecurity Framework (CSF) 2.0, and applicable legal and regulatory requirements such as HIPAA and GDPR.
Disclaimer
Notwithstanding Skedulo's extensive efforts, such security measures may not prevent all loss, misuse, or alteration of information, and we cannot guarantee absolute security. We will retain your information for as long as your account is active or as needed to provide you Services. If you wish to cancel your account or request that we no longer use your information, contact us at privacy@skedulo.com. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. For more information, please see our Privacy Policy.