Security Policy

CLOUDCODE Pte. Ltd.

This Security Policy describes IRBIS’s security program and technical and organizational security controls to protect customer data from unauthorized use, access, disclosure, or theft and safeguard IRBIS services. As security threats evolve, IRBIS continues to update its security program and strategy to help protect customer data and IRBIS services. Accordingly, IRBIS reserves the right to update this Security Overview from time to time; any update will not materially reduce the overall protections stated in this Security Overview.

Security Program

IRBIS maintains a risk-based security assessment program. The framework for the IRBIS security program includes administrative, organizational, and technical safeguards designed to protect IRBIS services and the confidentiality, integrity, and availability of customer data. The IRBIS security program is appropriate to the nature of the IRBIS services and the size and complexity of IRBIS's business operations.

Confidentiality

All IRBIS employees and contract personnel are bound by contractual agreements and IRBIS internal policies regarding maintaining the confidentiality of customer data and are contractually obligated to comply with these obligations.

People Security

All IRBIS employees must complete security and privacy training, which covers IRBIS security policies, security best practices, and privacy principles. All application passwords must be saved in a password manager. Each service must have a unique password. Where available, two-factor authentication (2FA) is required, preferably using a physical key or, alternatively, a 2FA application. SMS 2FA is not allowed.

Third-Party Vendor Management

Vendor Assessment

IRBIS may use third-party vendors to provide certain services. IRBIS conducts a security risk-based assessment of prospective vendors before working with them to validate they meet IRBIS security requirements.

Vendor Agreements

IRBIS enters into written agreements with all vendors, which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for customer data that these vendors may process.

Hosting Architecture and Data Segregation

Google Cloud Platform

IRBIS services are hosted on Google Cloud Platform (GCP) in Germany and Finland. Customer data stored within GCP is encrypted at all times. GCP does not have access to unencrypted customer data. More information about GCP security is available at https://cloud.google.com/docs/security/overview/whitepaper.

Databases

Databases are not open to the public; any connection from a disallowed IP address will be rejected. Only connections from within IRBIS’s internal network (on Google Cloud or the Tailscale network) are allowed. When possible, data is pseudonymized, particularly data related to email verifications, to prevent exploitation in case of a breach. OAuth and refresh tokens are stored encrypted using the aes-256-cbc algorithm, and passwords are stored encrypted using the bcrypt function.

Services

For IRBIS services, all network access between production hosts is restricted, using access control lists to allow only authorized roles to interact within the production network. Access control lists are used to manage network segregation between different security zones in production and corporate environments and are reviewed regularly.

Security by Design

IRBIS follows security by design principles when designing its services, which includes internal security reviews before deploying new services or code, penetration testing of new services by independent third parties, and regular scans to detect potential security threats and vulnerabilities.

Access Controls

Provisioning Access

To minimize the risk of data exposure, IRBIS follows the principle of least privilege through a role-based access control model when provisioning system access. An employee's access to customer data is promptly removed upon termination. Authorized users must have a unique username and password and enable multi-factor authentication to access the production environment. IRBIS logs high-risk actions and changes in the production environment. By default, links holding data (e.g., password reset, email change, email validation) are encrypted using the aes-256-cbc algorithm. Automation is used to detect deviations from internal technical standards, including malicious usage.

Password Controls

Users cannot create an account on IRBIS using a compromised password from the haveibeenpwned.com database.

Logs

The following logs of actions are stored:

• Every HTTP request is logged on Google Cloud Logging.

• Every sensitive action by users is stored in the database.

• Every action by support agents is stored in the database.

Vulnerability Management

IRBIS maintains controls to mitigate the risk of security vulnerabilities by using third-party tools to conduct regular vulnerability scans in IRBIS’s infrastructure and systems. Critical software patches are evaluated, tested, and applied proactively.

Customer Data Backups

IRBIS performs the following backups of its data:

• On-site backups (managed by Google, performed daily), encrypted at rest, using the Advanced Encryption Standard (AES) algorithm (further information can be found at https://cloud.google.com/docs/security/encryption/default-encryption).

• On-site backups (managed by IRBIS, performed daily), stored in a Google Cloud Storage bucket (GCS), encrypted at rest via GCS (further information can be found at https://cloud.google.com/docs/security/encryption/default-encryption).

• Off-site backups (managed by IRBIS, performed weekly) encrypted through the age algorithm.

Last updated: Sep 02, 2023