Overview
Securiti respects our customers' privacy, and keeping our customers' data protected at all times is our highest priority. This security policy provides a high-level overview of the security practices put in place to achieve that objective.
Have questions or feedback? Feel free to reach out to us at [email protected].
Dedicated security team
Our security team comprises security experts dedicated to improving the security of our organization. Our team has played lead roles in designing and building highly secure Internet facing systems at companies ranging from startups to large public companies like Symantec, BlueCoat, Cisco, Qualys, Elastica and WiChorus. Our employees are trained on security incident response and are on call 24/7.
Infrastructure
Our solution is hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP are responsible for the security of the underlying cloud infrastructure, and Securiti owns the responsibility of securing the workloads we deploy on them. AWS and GCP computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. You can read more about their practices in the links here: AWS, GCP.
Securiti is SOC2 Type II certified. A copy of the SOC2 certificate can be made available upon request to prospective and current customers. Securiti also holds the ISO 27001:2022 and ISO 27701:2019 certifications.
Our solution is engineered to make use of multiple availability zones in a given AWS (or GCP) region and autoscales as needed to provide a highly available and reliable service.
Network level security monitoring and protection
Securiti’s network architecture consists of multiple security zones with different tiers confined to their own zones. In particular, internet-facing endpoints are in their own zone and do not have direct access to the database tier or other internal services.
For AWS environments, AWS GuardDuty is used to actively monitor all CloudTrail and VPC flow logs for anomalies or security incidents. AWS Security Hub is used to check all infrastructure policies and configuration against best practices and raise alerts. A well-known open-source Host-based Intrusion Detection System (HIDS) is used to monitor both the hosts and the containers. AWS WAF provides the Web Application Firewall protection.
For GCP environments, GCP Cloud IDS is used to actively monitor all north-south traffic for anomalies or security incidents. GCP Security Command Center (SCC) is used to check all infrastructure policies and configuration against best practices and raise alerts. GCP Cloud Armor provides the Web Application Firewall protection.
The host and container images are scanned periodically for vulnerabilities - any vulnerabilities found are patched as per industry and SOC2 guidelines.
DDoS protection
We use AWS Shield and Google Cloud Armor as the Distributed Denial of Service (DDoS) mitigation service.
Encryption
Encryption in transit
All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).
Encryption at rest
Any device storing any data is subjected to data-at-rest encryption. Thus, a decommissioned device cannot be misused. The encryption keys for at-rest encryption are rotated annually.
Any customer data that is identified and cataloged by Securiti as personal data is subjected to a one-way, irreversible hash and stored in the customer's virtual database instance. At no point is such cataloged personal data captured in clear text in logs or databases.
All sensitive configuration data (e.g. passwords, database or SaaS credentials) is encrypted using best practice encryption algorithms in the database. The encryption key is rotated annually.
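The two controls above (a one-way token for cataloged personal data, and keeping the clear-text value out of logs) can be illustrated with a small example. This is added example code, not Securiti's implementation: the page says only that a one-way, irreversible hash is used, so the choice of HMAC-SHA256 with a per-customer key, the field names, the sample record and the sample log line are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed per-customer key for this example only. A real deployment would
# fetch the key from a KMS or secrets manager and never hard-code it.
TENANT_KEY = b"constructed-example-tenant-key-32-bytes!"

# Fields the data catalog has classified as personal data (constructed list).
PERSONAL_DATA_FIELDS = {"email", "phone"}


def pii_token(value: str, key: bytes = TENANT_KEY) -> str:
    """One-way token for a cataloged personal-data value.

    Keyed hashing (HMAC-SHA256) is an assumption of this example. It is
    deterministic, so the same value yields the same token and equality
    lookups still work, but without the key the token cannot be reversed
    by hashing a dictionary of likely values, which a plain SHA-256 would allow.
    """
    normalized = value.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()


def tokenize_record(record: dict, fields=PERSONAL_DATA_FIELDS, key=TENANT_KEY) -> dict:
    """Return a copy of the record with every cataloged field replaced by its token."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pii_token(str(out[field]), key)
    return out


def redact_log_line(line: str, cleartext_values, key=TENANT_KEY) -> str:
    """Replace known clear-text personal-data values in a log line with a short
    token prefix, so the line remains correlatable but carries no clear text."""
    # Longest values first, so a shorter value embedded in a longer one is
    # not replaced before the longer match is handled.
    for value in sorted(cleartext_values, key=len, reverse=True):
        pattern = re.compile(re.escape(value), re.IGNORECASE)
        line = pattern.sub("pii:" + pii_token(value, key)[:16], line)
    return line


def leaks_cleartext(line: str, cleartext_values) -> bool:
    """Detection check: does this line still contain any clear-text value?"""
    lowered = line.lower()
    return any(v.lower() in lowered for v in cleartext_values)


# Constructed sample input.
SAMPLE_RECORD = {"id": 42, "email": "Alice@Example.com", "phone": "+1-555-0100", "plan": "enterprise"}
SAMPLE_LOG = "INFO user lookup email=alice@example.com phone=+1-555-0100 status=ok"
SAMPLE_VALUES = ["alice@example.com", "+1-555-0100"]

if __name__ == "__main__":
    print(tokenize_record(SAMPLE_RECORD))
    print(redact_log_line(SAMPLE_LOG, SAMPLE_VALUES))
    print("leaks:", leaks_cleartext(redact_log_line(SAMPLE_LOG, SAMPLE_VALUES), SAMPLE_VALUES))
```

Note that a keyed hash is still only as strong as the secrecy of the key and of the input space: an attacker who obtains the key can confirm guesses, and values with very low entropy (a yes/no flag) remain guessable regardless of the hash, so the catalog decides which fields are worth tokenizing.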
Data retention and removal
We retain our customers’ data for a period of one business week after a deletion request is received. All data is then completely removed from our systems. Every customer can request the removal of their account by contacting support.
Business continuity and disaster recovery
We back up all our critical assets on a daily basis and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted. All critical assets are configured with redundancy and thus provide high availability. Daily backups are copied over to a different AWS or GCP region for disaster recovery. Securiti's services are provisioned in the disaster recovery region using the pilot light strategy for a quick recovery.
Patch Management
- We use AWS Inspector to check for vulnerabilities in our host images and Sysdig Anchore to check for vulnerabilities in our container images.
- Critical and severe vulnerabilities are addressed in the current release under test. All other vulnerabilities are scheduled for future releases.
- If a critical or severe vulnerability impacts any internet-facing application, we study the conditions under which the vulnerability can be exploited and, if we conclude that our applications are susceptible to exploitation, we patch our production systems immediately with a hot-fix, usually with a turn-around time of less than a day.
Application security monitoring
- We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach. We also use technologies to monitor exceptions, logs and detect anomalies in our applications.
- We collect and store logs to provide an audit trail of our applications' activity.
- Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.
Application security protection
- We use AWS WAF and GCP Cloud Armor as Web Application Firewalls to identify and block the OWASP Top 10 attacks in real-time.
- We use security headers to protect our application from various attacks. Please check SecurityHeaders.io for our current grade.
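As a defender-side check for the security-header item above, here is an added example (not code from Securiti, and not the scoring SecurityHeaders.io applies) that audits a set of HTTP response headers against the common recommendations: HSTS with a one-year max-age, a Content-Security-Policy without unsafe directives, nosniff, clickjacking protection via X-Frame-Options or CSP frame-ancestors, Referrer-Policy and Permissions-Policy. The two sample responses are constructed for the demonstration.

```python
import re

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def _hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return "weak", "no max-age directive"
    if int(m.group(1)) < ONE_YEAR:
        return "weak", f"max-age {m.group(1)} is below one year"
    if "includesubdomains" not in value.lower():
        return "weak", "missing includeSubDomains"
    return "ok", ""


def _csp(value):
    lowered = value.lower()
    if "'unsafe-inline'" in lowered or "'unsafe-eval'" in lowered:
        return "weak", "allows unsafe-inline or unsafe-eval"
    if "default-src" not in lowered:
        return "weak", "no default-src fallback"
    return "ok", ""


def _nosniff(value):
    return ("ok", "") if value.strip().lower() == "nosniff" else ("weak", "expected nosniff")


def _frame_options(value):
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok", ""
    return "weak", "expected DENY or SAMEORIGIN"


def _present(value):
    # For these headers presence is the main point; policy tuning is site-specific.
    return "ok", ""


CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-content-type-options": _nosniff,
    "x-frame-options": _frame_options,
    "referrer-policy": _present,
    "permissions-policy": _present,
}


def audit_security_headers(headers):
    """Return {header-name: (status, note)} with status ok, weak or missing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = {}
    for name, check in CHECKS.items():
        if name in lowered:
            findings[name] = check(lowered[name])
        elif name == "x-frame-options" and "frame-ancestors" in lowered.get("content-security-policy", "").lower():
            # Modern browsers honour CSP frame-ancestors, so the legacy header is optional.
            findings[name] = ("ok", "covered by CSP frame-ancestors")
        else:
            findings[name] = ("missing", "header not set")
    return findings


def count_ok(findings):
    return sum(1 for status, _ in findings.values() if status == "ok")


# Constructed sample responses: one weak, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_security_headers(resp)
        print(f"{label}: {count_ok(findings)}/{len(CHECKS)} ok")
        for name, (status, note) in findings.items():
            print(f"  {name}: {status} {note}")
```

To run it against a live deployment you would pass the header dictionary from an HTTPS response (for example `requests.get(url).headers`) instead of the constructed samples; the audit itself is offline and makes no network calls.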
Secure development
Our development methodology follows security best practices and frameworks (e.g. OWASP Top 10).
- Developers participate in regular security training to learn about common vulnerabilities and threats
- We review our code for security vulnerabilities
- We regularly scan our host and container images to address the known vulnerabilities and also proactively update the dependencies.
- We use static code analysis to identify defective code.
- With every major release, we use the BURP Suite to check for vulnerabilities and remediate them as per the industry-standard best practices by taking their severity into account.
Responsible disclosure
Securiti is dedicated to keeping its cloud platform safe from all types of security issues, thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you are a dedicated security researcher or vulnerability hunter and have discovered a security flaw in the Securiti platform, including the cloud application and infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Securiti.
We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not already known to us. While reporting a security vulnerability to Securiti's security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission, and please provide the complete details. We determine the impact of a vulnerability by looking into the ease of exploitation and the business risks associated with it.
As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Securiti’s security team commits to:
- Acknowledge the receipt of the reported security vulnerability in a timely fashion
- Notify you when the vulnerability is remediated
- Extend our gratitude by providing a token of appreciation for supporting us in making our customers safe and secure
Please send the details of the discovered vulnerability or any security issue to: [email protected]
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This bug bounty program does NOT include:
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user's machine
User protection
As with most cloud services, access to the Securiti platform requires a login ID and password or integration with a Single Sign-On (SSO) provider. When an organization subscribes to the Securiti platform service, it is the customer's responsibility to manage which end users should be given access. Customers should also define when access should be taken away from end users. For example, access should be revoked upon an end user's separation from employment, or as part of departmental changes that result in a change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Securiti platform service.
Brute-force password attacks are thwarted by requiring users to answer a captcha if our application is not integrated with a single-sign-on vendor.
Single sign-on
Single sign-on (SSO) can be implemented by our enterprise customers. We recommend making use of the additional protections (such as 2FA) that are offered by SSO vendors.
Role-based access control
Advanced role-based access control (RBAC) is offered on all our customer accounts and allows our users to define roles and permissions.
Compliance
California Consumer Privacy Act (CCPA)
We're compliant with the California Consumer Privacy Act (CCPA). Our commitment towards CCPA is outlined here.
General Data Protection Regulation (GDPR)
We're compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.
Payment information
All self-serve payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.
Employee access
Our strict internal procedures prevent employees from gaining access to customer data except where necessary: only a subset of Securiti's personnel have access to customer data, as required to support the platform. Individual access is granted based on the role and job responsibilities of the individual. Access to systems containing customer data is reviewed on a regular basis and monitored on an ongoing basis. Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our customers' sensitive information.