Security encompasses numerous facets. On this and subsequent pages, we aim to provide essential information to enhance your understanding of our security strategy.
Physical Access
All our services are hosted in AWS. Their data centers are at least SOC-2 compliant and providing a wide range of industry-specific compliance certifications. These certifications address a range of security controls including physical and environmental security and protection. Access to the data centres is limited to authorized personnel, and verified by biometric identity verification measures. Physical security measures include on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures.
Learn more about digital access of our employees here.
Architecture
On a physical level, the infrastructure is separated into a public network for static files and the load balancer and a private network for the servers and the database. This limits the attack vectors to our infrastructure.
Encryption
Data transfered from and to our services are encrypted with TLS 1.2. The implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.
All customer data that are stored in our environment are encrypted on data drive level.
Additionally there are data we consider sensitive (e.g. access tokens) not even our support staff should have access to. These data are additionally encrypted within the database with AES-256.
Backups
Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.
Key Management
yasoon uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes.
Deployments
We use Azure DevOps CI for deployments and releases.
All code changes have been reviewed and approved by 4-eyes principle.
Single Sign-On
tbd
Data Center
tbd
Security Testing
See Marketplace Security Bug Bounty Program
All our apps are part of the Marketplace Bug Bounty Program.