Introduction
Amino Orchestrate is a cloud-based device management platform that enables remote provisioning, monitoring, and maintenance of deployed devices. This document outlines security measures, best practices, and compliance guidelines to protect user data and ensure secure operations.
In this article
Personnel and Awareness Programs
Business Continuity and Disaster Recovery
Summary
Data Diagram
Amino has created a data flow diagram that illustrates how information moves through Orchestrate and specifies where sensitive data is stored.
Compliance and Notifications
GDPR, CCPA, and PCI
Amino confirms it is compliant with GDPR and meets requirements for CCPA and PCI. While Orchestrate does not require PCI-DSS certification, Amino confirms it does not process payment card data. Amino infrastructure providers (AWS and Google Cloud) are externally audited and certified SOC 2, ISO/IEC 27001.
Security Committee Governance
Amino maintains a monthly Security Committee comprising senior IT and executive leadership. The committee reviews all aspects of system and business security, including incidents, training programs, and continuous improvement plans.
Downtime Notifications
Customers receive notice of any planned downtime at least two weeks in advance.
NIST Cybersecurity Framework Alignment
Orchestrate’s security posture adheres to the NIST CSF functions (Identify, Protect, Detect, Respond, Recover) as part of the Amino security governance strategy:
- Identify: Asset classification and inventories for Orchestrate/Engage are documented in Jira and Confluence.
- Protect: Sophos endpoint protection, SFTP transition from FTP, strict logical and physical access control.
- Detect: Monthly vulnerability scans via Outpost24 and intruder.io; alerting via Azure and Sophos.
- Respond: Playbooks for ransomware, DDoS, and data breaches are actively maintained.
- Recover: Veeam-based restore testing and documented DR processes enable 12-hour failover recovery.
This alignment supports robust auditing and continuous improvement, with regular updates by Amino’s IT and Security teams
Data Handling and Security
Data Processing
Orchestrate manages Amino H200 devices, handling settings and performance data. It does not process or store Personally Identifiable Information (PII).
Identification
Devices are identified by serial numbers and MAC addresses. All data transfers use mTLS and HTTPS.
Data Entry
The Orchestrate API, secured by mTLS, and the web UI both allow data entry. The web UI supports password authentication or Single Sign-On (SSO). Amino’s Terms and Conditions prohibit entering PII in free text fields. Data in transit is always secured via HTTPS.
Hosting and Access Locations
Customer data is hosted in Germany, within the AWS EMEA region. Support access is provided from Portugal and Hong Kong with strict RBAC enforcement and activity logging.
Third-Party Hosting
All Orchestrate services are hosted by AWS and Google Cloud. These providers have undergone external audits and maintain applicable security certifications.
Access Controls
Single Sign-On (SSO)
Orchestrate supports SAML 2.0-based SSO with providers such as Microsoft ADFS, Microsoft Azure, Okta, and Cisco Duo Security. SSO is included under the Orchestrate Premium tier at no extra cost.
Password Requirements
Passwords must include uppercase and lowercase letters, plus at least one digit or non-alphabetic character.
Principle of Least Privilege
Amino enforces least privilege and separation of duties. High-privilege or administrator accounts exist where necessary.
Role-Based Access Control (RBAC)
Orchestrate uses RBAC with roles such as system administrator, administrator, technical user, and regular user. These roles manage system features, including device management, troubleshooting, and analytics. Permissions are assigned to each role, and administrators can manage them through the web UI.
Privileged Access Lifecycle
A formal Privileged Access Management (PAM) process is in place to control and monitor administrator access. Regular access reviews are performed by managers or system owners.
Multi-Factor Authentication (MFA)
MFA is available as an option in the Orchestrate platform for all users.
Source Code Management
Amino maintains version control practices with version numbering and secure code repository access.
Data Security
Encryption
Data in transit is protected using HTTPS/TLS. Data at rest is protected using AES-256.
Network Transfer
Sensitive data moving within the Amino network is encrypted.
Data Loss Prevention
Data is replicated, and daily backups are maintained for seven days.
Device Decommissioning
Devices are securely wiped following NIST 800-88 guidelines. Deleted data is permanently removed unless it resides in backup snapshots.
Third-Party Hosting
Amino uses AWS and Google Cloud for hosting.
Backups
Full backups are performed daily and secured in the AWS EU region.
Availability
High availability is ensured through multiple deployment instances, monitoring, and automatic failover.
Infrastructure
Multi-Tenant Environment
Orchestrate uses a multi-tenant architecture with logical separation of customer data. Data is tagged with unique identifiers and filtered at the application layer to prevent unauthorized access.
Data Storage Location
Data is stored in the AWS EMEA region.
Secure Configuration
Cloud security settings are reviewed regularly, and monthly security scans are conducted. Amino maintains an inventory of software and applies patches as needed.
Network Security Controls
A Web Application Firewall (WAF) operates in blocking mode, performing rate limiting and protection against DoS, DDoS, and brute force attacks.
Application and Metadata Isolation
Application and metadata are logically segregated, supporting secure access boundaries between tenants.
Secure Development Practices
While Amino does not follow a formally documented Secure SDLC or DevSecOps framework, the company implements secure development practices, including manual code review and testing.
Logging and Monitoring
Audit Logs
User activity audit logs are accessible to administrators via the UI. System logs are restricted to Amino support and engineering teams.
IT Staff Activity
When Amino staff access customer accounts, those activities are logged. Customers can view these logs via the UI.
Log Storage
Logs are stored in the AWS EMEA region and protected using RBAC and file permissions.
Security Monitoring
Logging, monitoring, and alerting are in place at multiple levels:
- Application level
- Database level
- Operating System/Server level
- Privileged/Admin access level
Incident Response
Executive Security Committee
Amino has a dedicated Security Committee comprising IT and executive members that meets monthly to review all aspects of system and business security. The reviews include any security incidents, results of monthly automated security scans, and the management of all aspects of business continuity and security training.
Security Breaches
Orchestrate has not experienced any known security breaches.
Monitoring
Amino regularly reviews access logs and database activities and performs periodic vulnerability scans.
Incident Response Plan
If an incident occurs, Amino follows a documented plan covering containment, investigation, notification, remediation, and post-incident reviews.
Vulnerability Scans and Patch Management
Vulnerability scans are conducted monthly. The patch management process includes both application and OS layers, with remediation based on issue severity.
Ransomware Response Framework
Amino has a documented ransomware response guideline based on the NIST framework, with clear roles for staff, IT administrators, and management.
Key practices include:
- Immediate isolation of infected systems (network disconnection, Slack/landline comms fallback).
- Staff are trained to report ransomware incidents through multiple channels and avoid interaction with compromised systems.
- IT Admins follow containment and eradication steps: system shutdown, impact assessment, backup validation, and incident reporting.
- Amino coordinates with Chubb Insurance (UKINTC90098) and Marsh for incident response and forensics.
- Public and investor disclosures are coordinated by management, FTI Consulting, and Investec Plc.
This strategy is designed to minimize the spread, protect stakeholders, and ensure structured restoration from validated backups. Password resets and patching are mandatory post-incident steps.
Personnel and Awareness Programs
Security Awareness Training
Security training is conducted more than once annually and includes updated best practices, threat recognition, and secure access handling.
Business Continuity and Disaster Recovery
Disaster Recovery Readiness
Orchestrate forms part of Amino’s broader Kubernetes-based cloud infrastructure and is included in containerized disaster recovery plans. The Beta environment can be promoted within 12 hours as part of the defined DR response.
Orchestrate follows the Orchestrate Disaster Recovery Plan, which outlines tested recovery processes, responsibilities, and fallback strategies. These procedures are subject to tabletop recovery exercises, and backups are handled with Veeam (AES-256 encryption), with restore testing documented in the IT Helpdesk system.
Amino’s DR framework aligns with the NIST "Recover" function, ensuring the ability to restore services in the event of failure. Asset inventory, backup verification, and infrastructure documentation are maintained within Jira Asset Manager and Confluence systems.