Security White Paper

Updated: February 3, 2023


The information contained in this document represents the current view of Autodesk, Inc. as of the date of publication, and Autodesk assumes no responsibility for updating this information. Autodesk occasionally makes improvements and other changes to its products or services, so the information within applies only to the version of Flow Production Tracking offered as of the date of publication. This whitepaper is for informational purposes only. Autodesk makes no warranties, express or implied, in this document, and the information in this whitepaper does not create any binding obligation or commitment on the part of Autodesk.

Introduction

At Flow Production Tracking, we know that the security of your data is critical to your studio’s operation. As the industry shifts to the cloud, Flow Production Tracking knows that security and service models are more important than ever.

The confidentiality, integrity, and availability of your content are at the top of our priority list. Not only do we have a team of Flow Production Tracking engineers dedicated to platform security and performance, we are also backed by Autodesk’s security team, which invests heavily in security for a broad range of industries and customers. We constantly reassess, develop, and improve our risk management program because we know that the landscape of security is ever-changing.

In this document, we outline the practices put in place to maintain secure and dependable operation of Flow Production Tracking at your studio. If you have additional questions about Flow Production Tracking security, please contact us at: flow-production-tracking.security@autodesk.com

Infrastructure

Data center

Amazon Web Services (AWS)

Flow Production Tracking has servers hosted in several regions to provide a better user experience; Amazon's certifications can be found here.

Cloud storage

All Flow Production Tracking sites store media files and attachments in Amazon Simple Storage Service (S3) in the United States by default, but a client may elect to use another supported region (self-configured by the site's administrator).

Clients can elect to use the Amazon S3 buckets in their own AWS account to store media files and attachments by electing to activate the Isolation features (described below).

Transport

All Flow Production Tracking servers support TLS 1.2 (downgrade to TLS 1.1, TLS 1.0, and SSLv3 is not possible). While the encryption level depends on a negotiation between the client and the server, we do support 256-bit encryption, but still allow 128-bit encryption in some cases.

We have an A rating from SSL Labs, as we have updated our certificates to the latest encryption level and have also updated our list of ciphers to the strongest ones only.

Network accelerator

Flow Production Tracking is leveraging AWS Global Accelerator to provide faster and more reliable access to Flow Production Tracking for our customers on AWS. AWS Global Accelerator uses the AWS global network to optimize the path from our users to our application.

Multi-tenancy

The Flow Production Tracking Web application is a single-tenant application. Each tenant (site) runs in its own process and has its own logical PostgreSQL database.

API access

The Flow Production Tracking functionality is available through a Python API that wraps our HTTPS requests. All HTTPS requests to the Flow Production Tracking server are authenticated, and authentication can be done using either script keys managed in the Client Flow Production Tracking site or usernames and passwords.

Flow Production Tracking also provides a REST API.

Operations

Access to production servers

Logical access to our production servers is restricted to our support and operations team.

Log rotation and retention

Production logs are rotated every day and are kept for a maximum of four weeks.

Monitoring and notifications

Flow Production Tracking uses automated monitoring tools to oversee the proper operation of the system. We employ an incident management process to quickly respond to events that adversely affect Flow Production Tracking. Incidents and maintenance of our data center are posted on the Flow Production Tracking status page for which our customers can register. We have various triggers in place to detect issues in advance that are actively monitored by our 24/7 Monitoring team. These include:

Scheduled maintenance

Whenever possible, maintenance windows will be announced on the Flow Production Tracking status page at least 24 hours in advance.

Our maintenance schedule can be found in the Flow Production Tracking Maintenance Policy.

Operational support

On top of our customer-facing support team, we have technical on-call support for mission critical operational issues. Any issue is diligently reported to our Flow Production Tracking status page that we use to communicate with our users. You can also review the list of past incidents on the Flow Production Tracking status page.

Reliability

As reported by Pingdom in January 2021, our systems reported an uptime of 99.99% in the previous year.

Please note, although we make every effort to stay within or above the mentioned uptime statistic, this section should not be interpreted as an uptime commitment.

Key management

All keys are kept in an encrypted data store accessible only by the operations team.

Disaster recovery

At the moment, our disaster recovery requires us to rebuild our data center using our database backups. We estimate this process would take between 24 and 48 hours depending on the nature of the disaster. This procedure is tested on a yearly basis.

Isolation features

Isolation features include, among other features, the Media isolation feature and the Media traffic isolation feature.

Clients can elect to activate the Isolation features, among other things, to use the Amazon S3 buckets in their own AWS account to store media files and attachments. By activating any of the Isolation features, you are entirely responsible for (i) the validity, security, and execution of the setup of the activated Isolation feature(s), and (ii) proper configuration, access restriction, security and high availability measures of your AWS Account and Services. You therefore become responsible for logging, monitoring, maintenance, key management, encryption, or any other support/operation related task that involves your AWS Account. Flow Production Tracking will not, under any circumstances, be granted access to your AWS environment to perform maintenance or support operations.

Application usage

Event logging

Flow Production Tracking logs most activities as events in an event log. Operations such as modifying, creating, or deleting data are logged. Playing media (Versions) is also logged as an event. Although viewing any given page is not an event, users must be authenticated and authorized to access any page.

User authentication

Credentials

When an Admin creates a new Person in Flow Production Tracking, the new User will receive a welcome email that includes a clickable invitation link. When the User accepts the invitation, Flow Production Tracking will then guide the User through either creating a new Autodesk Identity account or signing in with an existing Autodesk Identity account. Autodesk Identity will give them access to log into their Flow Production Tracking site(s). Learn more information about managing your people and seats here.

User authorization

Permissions are under the customer's control. Customers can create new roles as required by copying an existing role. There are set rules per role (Artist, Admin, Manager, Client, Vendor) that can be changed. These rules apply to the entire site, not just a project. More information is available in the articles "Permissions" and "Your People."

Data handling

Data storage

Work or application files (e.g., Maya, Nuke, Photoshop files, etc.) are usually stored on a client's local file system, and Flow Production Tracking stores metadata about these files in the cloud (revision number, location on disk, dependencies, etc.). File attachments are uploaded directly to Amazon S3. By default, media associated with Versions is uploaded directly to Amazon S3 in the supported regions and transcoded in AWS. For clients that elected to activate the Media isolation feature, media files and attachments uploaded after the election will be stored in the Amazon S3 bucket in your AWS Account.

Each site has its own database, which runs on one of our PostgreSQL database server clusters. Each database server cluster consists of one primary and one or more replicas that are continuously synchronized.

Data retention period for application data

Application data. Application data is data generated by the application, without the intervention of the users. For example, an entry created in the Event Log following a user action is application data. More concretely, if a user is creating a new Version, the Version itself is client data, while the event generated is application data. The retention period for application data is at Flow Production Tracking’s discretion and subject to change.

Events. Events are a subset of application data, but given their importance for a lot of our clients, we want to call out the events-specific data retention policy. The default retention period for events is six months. After that period, events are extracted from the database and archived on external permanent storage. Archived events are downloadable through the Flow Production Tracking Web Application by selecting the Archived Data option in the Admin menu.

This data is downloadable as CSV files and is archived for a period of five years.

Important:

The download links expire after 24 hours.

Data encryption

All data on Amazon S3 is encrypted at rest using 256-bit AES encryption (details at AWS Server Side Encryption). Passwords are hashed and salted. Only the salt and the resulting hash are actually stored persistently in our database.

The Flow Production Tracking database is encrypted:

  1. At rest (i.e. when the data written to disk is not being accessed or used)
  2. In transit (since the communication channels between the database and the application are encrypted)
  3. When snapshots (i.e. database backups) are taken

Note:

Customers that elect to activate the Media isolation feature are responsible for the configuration of the encryption of their Amazon S3 buckets.
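
For a studio that activates the Media isolation feature, the encryption and access-restriction settings described above become the studio's own job. The following added example (not Autodesk's code and not part of the original white paper) audits one bucket's settings offline; the dicts are constructed samples shaped like the boto3 `get_bucket_encryption`, `get_public_access_block` and `get_bucket_policy` responses, and the bucket name and the choice of these three checks are assumptions.

```python
import json

def _denies_plain_http(policy_json):
    """True if a bucket policy denies every S3 action sent without TLS."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for st in statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Effect") == "Deny"
                and st.get("Principal") in ("*", {"AWS": "*"})
                and ("s3:*" in actions or "*" in actions)
                and str(secure).lower() == "false"):
            return True
    return False

def audit_media_bucket(encryption, public_access_block, policy_json):
    """Return findings for a customer-owned media bucket (empty list = pass)."""
    findings = []
    # At rest: a default server-side encryption rule must exist.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos & {"AES256", "aws:kms"}:
        findings.append("no default server-side encryption")
    # Access restriction: all four public access block switches must be on.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    # In transit: the bucket policy must refuse plain-HTTP requests.
    if not _denies_plain_http(policy_json):
        findings.append("bucket policy does not deny non-TLS requests")
    return findings

# Constructed sample responses; "example-studio-media" is a placeholder bucket.
GOOD_ENC = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
GOOD_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-studio-media",
                 "arn:aws:s3:::example-studio-media/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
WEAK_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}}

if __name__ == "__main__":
    print(audit_media_bucket(GOOD_ENC, GOOD_PAB, GOOD_POLICY))
    print(audit_media_bucket({}, WEAK_PAB, None))
```

In a live account the three arguments would come from the corresponding boto3 S3 client calls; a missing configuration there raises a `ClientError`, which should be treated as a finding rather than a pass.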

Access to client data

Client data refers to the data stored in Amazon S3 buckets, such as media files, attachments and metadata.

Flow Production Tracking's access to client data is governed by our Terms of Use. Flow Production Tracking’s product and support teams may access our clients' media files and attachments in relation to a support request or for product improvement purposes.

Electing to activate the Media traffic isolation feature will prevent our support staff from having access to your media files and attachments.

Database backups

Snapshots are taken of our database servers multiple times a day. Database snapshots are encrypted at rest on AWS. Backups of media stored on Amazon S3 are directly managed by AWS.

Data deletion

Upon terminating a relationship with a client, we first remove all access to the client site (meaning, the site continues to exist and could be revived, but is not accessible to the customer). After 30 days, a backup of the database and the uploaded data is made. After another 90 days, all files (database backups, media, and attachments) are then removed from our system.

Clients who elected to activate the Media isolation feature are solely responsible for deletion of media files and attachments in their Amazon S3 buckets in their AWS Accounts.

Personal and payment information

Clients' personal information is stored in our internal database. This includes, but is not limited to, the client's name, email, login, country, industry, invoices, etc. We share limited personal information with external services in accordance with our Privacy Statement. Please refer to our Privacy Statement for more details on how Flow Production Tracking collects, uses, stores and processes personal information of our clients.

GDPR

Please refer to our Privacy Statement for more details.

Security Processes

Governance

We partner closely with the Autodesk Security team, led by the Chief Security Officer (CSO), and follow the security governance model including quarterly check-ins and the security champions program.

Audits

We partner with Independent Security Evaluators (ISE) to perform quarterly SANS/CWE controls and OWASP security testing of Flow Production Tracking. The audits currently cover the Flow Production Tracking Web application and micro-services, the Flow Production Tracking Review iOS app, and infrastructure.

All vulnerabilities are remediated within compliance requirements.

Scanning and monitoring

Live intrusion detection systems are installed on all servers, monitored 24/7.

Anti-virus is installed on all servers. Definitions are updated within compliance guidelines.

Vulnerability scans are performed and analyzed on a monthly basis.

Risk management

As of September 2015, Autodesk has implemented a risk management program under the Autodesk Security team, led by Autodesk’s CSO.

Information security policy

We are committed to Autodesk’s Information Security Policy and Standards and align with those security requirements.

Asset management

Flow Production Tracking follows Autodesk’s Asset Management Policy. All employee desktops and laptops are centrally managed by Autodesk, which ensures all assets are tracked and properly secured. This includes the proper use of endpoint protection software, automatic locking of workstations, password management, etc. We have a process to update on a periodic basis the inventory of all the servers in the data center that are used in Flow Production Tracking.

Incident management

Any incidents follow Autodesk's Security Incident Response Process (SIRP) and the Flow Production Tracking team is on demand to support this process. Vulnerabilities identified as part of our regular quarterly security audits are remediated within compliance requirements.

Account management

Flow Production Tracking accounts are managed from https://manage.autodesk.com/. Learn more about managing your Flow Production Tracking account here.

In order to access client data, members of the Flow Production Tracking team must first authenticate through an Autodesk VPN; second, they must authenticate to an internal database. Once within that database, team members are further restricted by permission rule sets determined by their role. Upon termination of any Flow Production Tracking team member, appropriate revocation or deletion of access is completed in a timely manner.

Secure software development

In order to ensure security is built into the Flow Production Tracking application, we operate on Autodesk’s secure development standard, which includes practices such as secure development training, threat modeling, and static and dynamic code analysis.

Human resources

Background checks

Background checks are required, where permitted by law, for employees with access to the computing resources and support systems used by the Autodesk teams.

Security awareness

All Autodesk employees must affirm the importance of information security as part of new-employee orientation and yearly thereafter. Employees are required to read, understand, and take a training course on the company’s Code of Conduct. The Code requires every employee to conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Autodesk employees are required to follow the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

Confidentiality

New employees must sign a confidentiality agreement. New employee orientation emphasizes the confidentiality and privacy of client data. All employees are bound by non-disclosure agreements with Autodesk. Anyone found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, contract, or relationship with Autodesk.

The information contained in this document represents the current view of Autodesk, Inc. as of the date of publication, and Autodesk assumes no responsibility for updating this information. Autodesk occasionally makes improvements and other changes to its products or services, so the information within this whitepaper applies only to the version of Flow Production Tracking® offered as of the date of publication. This whitepaper is for informational purposes only. Autodesk makes no warranties, express or implied, in this document, and the information in this whitepaper does not create any binding obligation or commitment on the part of Autodesk.

Without limiting or modifying the foregoing, Flow Production Tracking services are provided subject to the applicable terms of use.

Autodesk, the Autodesk logo, and Flow Production Tracking are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2020 Autodesk, Inc. All rights reserved.