Security & Compliance
Native cloud-based service
SabeeApp has been developed to be cloud based which has lots of positive aspects. All you need is an internet connection, web browser and an active SabeeApp Account. SabeeApp can not be installed on a computer therefore certain functions, services work differently to an old on premise software.
SabeeApp program does not run on a physical server, instead on AWS (Amazon Web Services) cloud infrastructure, which is a SAAS (Software as a Service) platform detailed below.
SabeeApp is using a so-called shared database and code base, or in other word is facilitating a multi-tenant infrastructure. This means that more customers are connected to one database. We are using a shared database and a code base and all of our customers are using this code base or this type of installation. One of the main advantages of this is that every customer is using the most up to date version of the software. Of course this does not mean that due to this structure the security is being compromised at all. We also use different user permissions in SabeeApp and in a shared multi-tenant system a customer can be identified like a different user account.
SabeeApp software is facilitated by the cloud system of AWS (Amazon Web Services) in their amazon data centre in Ireland. All services used by AWS are based on multi-zones so that if one zone is out of order the rest of the system can overtake the whole running.
- WAF (Web Application Firewall)
- S3 (Simple Storage Service)
- ALB (Application Load Balancer)
- VPC (Virtual Private Network)
- RDS (Relational Database Service)
- Elasticsearch Service
- CloudWatch (monitoring, alarming)
- KMS (Key Management Service)
- Certificate Manager
Third-party service providers
- Beanstalk (svn, git) - Source code sharing
- Github - Source code sharing
- Google Analytics - for analysis purposes
- Twillio - Text message provider
- Mandrillapp, Mailchimp - emailing service
- Technical stack (dev, test, prod)
Database security, data security, disaster recovery
As it is a cloud based system losing data can occur if the fault or problem is related to the database or the file system where pdf or other documents are stored.
The following protocols, solutions are in place in order to minimize the risk of data loss:
- Real life data is stored in multiple database due to continuously replicated database
- Every night a security copy is made, which can be restored in minutes, from which we store the last 9 copies.
- Between the RDS and EC2 machines the communication is through an encrypted channel.
- The database can only be reached from the internal system, or through the SSH system by connecting to the main server.
- Sensitive data in the database is stored with different encryption, for example credit cards with 2-key encryption and passwords with salted SHA-512 encryption
- The database is divided into 3 zones and in case of one zone being out of order another zone will take over - automatically.
Incident management procedure
At SabeeApp every incident is solved by following a strict protocol and then documented. This protocol is available for every SabeeApp employee for internal use.
We use the following processes in case of an incident:
- We use the following processes in case of an incident:
- Identifying the problem
- Communicating the problem to the whole SabeeApp Team
- Naming the incident coordinator, if necessary
- Communicating the problem to the customer in case the incident is related to a customer
- Eliminating the problem
- Avoiding the re-occurrence of the problem (if necessary check and change protocol)
- Recovering data and source code if needed
- Making scripts and running them in case replacement / modification of data is needed
- Informing technical partners if necessary
- Informing customers about solving the incident
- Documenting the incident
- Infrascture security (amazon security measures, pentest, tl, MFA)
Due to the AWS cloud system administration, updating, and security issues of the servers are the responsibility of Amazon engineers. The attacking point is minimized as much as possible due to the big engineering and the security team.
Login credentials to AWS are only given to colleagues for a good reason and they are only allowed to use it with strict security measures ( using strict password and MFA)
With the help of a third party we are regularly doing black and grey box penetration tests in order to identify the system’s vulnerability.
We are also regularly analyzing the code security and quality with the SonarQube tool.
All data traffic is encrypted with at least TLS 1.2 encryption and every data that we store is encrypted.
All passwords stored by SabeeApp are hashed, we never store any password or secretive data as text.
Logging the performance of the internal system is based on multi level.
People security management
- Every colleague’s employment contract contains information about data handling and agreement of secret keeping duty. Every new colleague’s training includes data protection and security training.
- Connectivity to AWS is only provided for a good reason and if it is necessary for work
- Our engineers have reading rights only to our live database.
- For internal use and where possible we only use high security passwords managed by 1 Password and we are using MFA identification where possible.
- Our colleagues regularly have security and data security training.
- PCI - DSS Level1 AOC
- NTAK certification
- VIZA certification