Information Security Controls
- Administrative controls
- Technical and Operational Controls
- Physical Controls
- User protection
- Payment information
Keeping our customers' data protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at firstname.lastname@example.org
Web1on1 implements administrative, technical and physical controls over systems and data to protect their confidentiality, integrity and availability. Controls are implemented in accordance with industry and security best practices to address the appropriate level of risk. Below is a summary highlighting Web1on1’s implemented information security controls over its entire infrastructure.
Peter de Vos (CTO) ) is responsible for information security ensuring confidentiality, integrity and availability of systems and data (hereafter: Security Controls)
- All parties working with or for Web1on1 that process personal data subject to the Data Processing Agreement are required to maintain adequate Security Controls.
- Employees/contractors acknowledge responsibility for security,
- Employees have knowledge of security policies
- Employees pledge compliance with acceptable use both at hire and annually
- A security awareness program provides instruction on security and privacy practices
Policy and Standards, User Awareness
- Security policy and standards are developed and maintained.
- Security policies are reviewed annually and updated as needed or required.
- Security policies have been devised on the following subjects:
- Acceptable use Policy
- Information classification Policy
- Clean Desk Policy
- Password construction Policy
- Password protection Policy
- Data Breach Policy
- International Travel policy
- Physical Access & Control Policy
- Security Policies have been communicated to stakeholders
- Policies and procedures are in place to identify the need to assess the risk, and address use and management of emerging or disruptive technologies
Risk Assessment and Audits
- Annual security risk assessment is performed to identify & prioritize threats and vulnerabilities
- Data are classified in accordance with risk assessment
- Risk assessment of the use of new technologies or high-risk data processing activities is conducted before implementation of such technologies/ high risk data processing.
- Periodic compliance reviews are performed via internal audit annually
- Contractual compliance security audits are conducted with partners and suppliers
- Security incident management program is implemented and integrated with overall emergency and problem management processes
- Data Breach policy is in place
- Data Breach register is in place
Contact with Authorities
- In the event of a data breach which requires notification with the authorities
- In the event authorities request proof of compliance with applicable Privacy law and regulation or demand access to Web1on1 data
Technical and Operational Controls
- Proper authentication is required to access systems and data, on-site and off-site
- All Systems containing Protected Data are only accessible through Two-factor authentication and or single sign-on.
- Authentication is issued subject to data classification and on a need to access basis
- Authentication is issued subject to security and confidentiality undertakings
- Individuals are assigned unique user ids and require passwords and two-factor authentication to access applications
- Access logs are maintained
- Upon termination of employment or assignment, employees and contractors are removed immediately from access to any company services and all company-issued property is collected
- Appropriate data controls (access, use, destruction, etc) are implemented based on Web1on1’s data classification
- Secure protocols are required when appropriate
- IPS/IDS & Firewalls are implemented to secure corporate network
- Use of public networks to transfer personal data is not allowed
Data Processing Integrity
- Incident response, change control and problem management procedures are implemented to ensure processing integrity
- High availability architecture and backups are utilized and maintained for critical systems
- Network monitoring is outsourced to a Managed Services Provider
- Audit logs are maintained and reviewed for critical systems
- Periodic vulnerability scans and source code scans are performed by Qualis
- Annual Pen Testing is outsourced
- Backup facilities for back-up copies for contingency and disaster Recovery
Third party risk assessment
- Periodic vulnerability scans regarding third party services and assets
Web1on1 Facility Access
- All visitors are registered
- Periodic access reviews performed
- Workplaces have secure storage locations and policies regarding end of day individual security responsibilities
- Web1on1 Data Centers are outsourced, no Web1on1 personnel can access Data Centers
- Scheduled review and maintenance of equipment and structures is performed
- Issuance and configuration of user systems is standardized and centrally managed
- Secure equipment disposal and transfer processes are implemented
All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Google Cloud Platform. They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here: Google Cloud Platform
We use Google data centers in the The Netherlands and Belgium.
Network level security monitoring and protection
Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:
- A firewall that monitors and controls incoming and outgoing network traffic.
- An Intrusion Detection and/or Prevention technologies (IDS/IPS) solution that monitors and blocks potential malicious packets.
- IP address filtering
We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here Encryption at rest: All our user data (including passwords) is encrypted using battled-proofed encryption algorithms in the database.
Data retention and removal
We retain your usage data for a period of 90 days after your trial, or 30 days after archiving an organization. All data is then completely removed from the servers and databases.
Messages are retained between 30 days and 18 months, depending on importance. Inactive or archived user- or contact data is retained for a period of 90 days.
Business continuity and disaster recovery
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
Application security monitoring
- We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
- We use technologies to monitor exceptions, logs and detect anomalies in our applications.
- We collect and store logs to provide an audit trail of our applications activity.
- We use monitoring such as open tracing in our microservices.
- We use telemetry in our client-side applications to monitor and improve performance.
Application security protection
- We use security headers to protect our users from attacks. You can check our grade on this security scanner.
- We use security automation capabilities that automatically detect and respond to threats targeting our apps.
- We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).
We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to participate in our bug bounty program.
Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.
You can report vulnerabilities by contacting email@example.com. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This bug bounty program does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user's machine
Account takeover protection
We protect our users against data breaches by monitoring and blocking brute force attacks.
Single sign-on (SSO) is available using your Google account. Other Identity Providers are supported as an add-on for our enterprise customers.
Role-based access control
Role-based access control (RBAC) is offered on all our accounts and allows our users to assign roles and permissions.
We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.
All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.