Security & Compliance
Native cloud-based service
SabeeApp has been developed to be cloud-based, which has many positive aspects. All you need is an internet connection, a web browser, and an active SabeeApp Account. SabeeApp can not be installed on a computer, so certain functions and services work differently from old on-premise software.
The SabeeApp program does not run on a physical server but on AWS (Amazon Web Services) cloud infrastructure, which is a SAAS (Software as a Service) platform detailed below.
SabeeApp uses a so-called shared database and code base, or in other words; it facilitates a multi-tenant infrastructure. This means that more customers are connected to one database. We are using a shared database and a code base and all of our customers are using this code base or this type of installation. One of the main advantages of this is that every customer is using the most up to date version of the software. Of course, this does not mean that due to this structure, the security is being compromised at all. We also use different user permissions in SabeeApp, and in a shared multi-tenant system, a customer can be identified as a different user account.
Infrastructure
SabeeApp software is facilitated by the cloud system of AWS (Amazon Web Services) in their Amazon data centre in Ireland. All services used by AWS are based on multi-zones, so if one zone is out of order, the rest of the system can overtake it.
- Route53
- WAF (Web Application Firewall)
- S3 (Simple Storage Service)
- ALB (Application Load Balancer)
- VPC (Virtual Private Network)
- RDS (Relational Database Service)
- ElastiCache
- Elasticsearch Service
- CloudWatch (monitoring, alarming)
- KMS (Key Management Service)
- Certificate Manager
- OpsWorks
- CodeCommit
Third-party service providers
- Beanstalk (svn, git) - Source code sharing
- Github - Source code sharing
- Google Analytics - for analysis purposes
- Twillio - Text message provider
- Mandrillapp, Mailchimp - emailing service
- Technical stack (dev, test, prod)
At SabeeApp, we use the following programming language: PHP, Javascript, and Bootstrap, and we have the following development stages:
Database security, data security, disaster recovery
As it is a cloud-based system, data loss can occur if the fault or problem is related to the database or the file system where PDFs or other documents are stored.
The following protocols, and solutions are in place in order to minimize the risk of data loss:
- Real-life data is stored in multiple databases due to continuously replicated database
- Every night a security copy is made, which can be restored in minutes, from which we store the last 9 copies.
- Between the RDS and EC2 machines the communication is through an encrypted channel.
- The database can only be reached from the internal system, or through the SSH system by connecting to the main server.
- Sensitive data in the database is stored with different encryption, for example, credit cards with 2-key encryption and passwords with salted SHA-512 encryption
- The database is divided into three zones, and if one zone is out of order, another zone will take over automatically.
Incident management procedure
At SabeeApp, every incident is solved by following a strict protocol and then documented. This protocol is available for every SabeeApp employee for internal use.
We use the following processes in case of an incident:
- Identifying the problem
- Communicating the problem to the whole SabeeApp Team
- Naming the incident coordinator, if necessary
- Communicating the problem to the customer in case the incident is related to a customer
- Eliminating the problem
- Avoiding the re-occurrence of the problem (if necessary, check and change protocol)
- Recovering data and source code if needed
- Making scripts and running them in case replacement / modification of data is needed
- Informing technical partners if necessary
- Informing customers about solving the incident
- Documenting the incident
- Infrastructure security (amazon security measures, pentest, tl, MFA)
Infrastructure security
Due to the AWS cloud system administration, updating, and security issues of the servers are the responsibility of Amazon engineers. The attacking point is minimized as much as possible due to the big engineering and security team.
Login credentials to AWS are only given to colleagues for a good reason, and they are only allowed to use it with strict security measures ( using strict password and MFA)
With the help of a third party we are regularly doing black and grey box penetration tests in order to identify the system’s vulnerability.
We are also regularly analyzing the code security and quality with the SonarQube tool.
All data traffic is encrypted with at least TLS 1.2 encryption and every data that we store is encrypted.
All passwords stored by SabeeApp are hashed, we never store any password or secretive data as text.
Logging the performance of the internal system is based on multi level.
People security management
- Every colleague’s employment contract contains information about data handling and agreement of secret-keeping duty. Every new colleague’s training includes data protection and security training.
- Connectivity to AWS is only provided for a good reason and if it is necessary for work
- Our engineers have reading rights only to our live database.
- For internal use and where possible, we only use high security passwords managed by 1 Password, and we are using MFA identification where possible.
- Our colleagues regularly have security and data security training.
Certifications
- PCI - DSS Level1 AOC
- NTAK certification
- VIZA certification