Data security is critical to everything we do.

Keeping your data secure is one of the most important things Shaman does. We go to considerable lengths to ensure that all data stored in Shaman is handled securely.

Information security policies

Our Information Security Policy provides the framework by which we take account of our core principles of confidentiality, integrity and availability. It is the cornerstone in our on-going commitment to safeguard the information we hold or are responsible for against inappropriate disclosure; and is available to those who should be able to access it. Its primary purpose is to enable all Shaman staff to understand their responsibilities, and empower them to build a secure platform based on best practices.


  • All of our services run in the cloud. Shaman does not run own load balancers, DNS servers, or physical servers.
  • Our services and data are hosted in Amazon Web Services (AWS) facilities in the EU.
  • All of our infrastructure is spread across 2 AWS data centers (availability zones) and will continue to work should any one of those data centers fail unexpectedly.
  • All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.

Service Levels

  • The Shaman platform is not solely dependent on online availability as all content is offline available on all tablets
  • We have uptime of 99.0% or higher.


  • All customer data is stored in the EU.
  • Shaman is a multi-tenant platform, but we offer individual datastores for each customer.
  • Data in rest is protected by encrypted AWS buckets and encrypted RDS databases.
  • All data sent to or from Shaman is encrypted in transit using 256 bit encryption.
  • Our API and application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs’ tests.
  • We backup data continuously and have a roll back procedure that we can execute within 4 hours

Authentication and permissions

  • Shaman is served 100% over https. Shaman runs a zero-trust corporate network.
  • Our development team has two-factor authentication (2FA) enabled and strong password policies
  • Shaman enables permission levels (principle of least privilege) to be set for all our developers.
  • We do not store user passwords.
  • We offer role bases access for customers.


  • On an application level, we produce audit logs for all user activities, and use S3/Glacier for archival purposes.
  • All access to Shaman is logged and audited.
  • All developer activities on production environment are logged and stored for minimal 5 years.

Information handling policies

  • All Shaman employees devices are encrypted.
  • All Shaman employees adhere to our email, chat, and social media policies.
  • All Shaman employees have signed DNA and liability agreements.

Security Audits

  • We engage with well-regarded third-party auditors to audit our code-base, and work with them to resolve potential issues.