Security Overview

Owned by Andreas Schmidt
Last updated: Feb 10, 2022
2 min read

This document describes our efforts to ensure high security standards for the services we offer.

 

Physical Access

All our services are hosted in AWS. Their data centers are at least SOC-2 compliant and providing a wide range of industry-specific compliance certifications. These certifications address a range of security controls including physical and environmental security and protection. Access to the data centres is limited to authorized personnel, and verified by biometric identity verification measures. Physical security measures include on-premises security guards, closed circuit video monitoring, man traps, and additional intrusion protection measures.

Architecture

On a physical level, the infrastructure is separated into a public network for static files and the load balancer and a private network for the servers and the database. This limits the attack vectors to our infrastructure.

Encryption

Data transfered from and to our services are encrypted with TLS 1.2. The implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

All customer data that are stored in our environment are encrypted on data drive level.
Additionally there are data we consider sensitive (e.g. access tokens) not even our support staff should have access to. These data are additionally encrypted within the database with AES-256.

Backups

Amazon RDS snapshots are retained for 30 days with support for point-in time recovery and are encrypted using AES-256 encryption. Backup data is not stored offsite but is replicated to multiple data centers within a particular AWS region. We also perform quarterly testing of our backups.

Key Management

yasoon uses the AWS Key Management Service (KMS) for key management. The encryption, decryption, and key management process is inspected and verified internally by AWS on a regular basis as part of their existing internal validation processes.

Deployments

We use Azure DevOps CI for deployments and releases.
All code changes have been reviewed and approved by 4-eyes principle.

Access to customer data

All access is restricted to privileged groups of yasoon employees unless requested and reviewed, with additional authentication requiring 2FA. All accounts are connected and managed by our central AzureAD using SSO.

Security Testing

See Marketplace Security Bug Bounty Program