- 29 Sep 2022
- 7 Minuten te lezen
Our security and infrastructure
- Bijgewerkt op 29 Sep 2022
- 7 Minuten te lezen
Security is one of the most important aspects of any SaaS application. As a company specializing in SaaS products, we develop our products to be up-to-date with the market. We give the utmost importance to data protection standards, ensuring that your data is in safe hands.
Document360 uses secure partner products such as Algolia and MongoDB Atlas that have been certified to provide TLS standard security and encryption for data in transit. Microsoft's Azure blob storage services have one of the best data security standards to save your project backups in a secure location.
1. Quick summary - Security and infrastructure
- Your data is stored in a remote database hosted by our database service partner, MongoDB Atlas, in a cluster of 3 servers, eliminating any downtime.
- MongoDB Atlas has TLS end-to-end encryption for the network traffic, and the data at rest is stored in encrypted storage volumes.
- The database is backed up daily, weekly, and monthly, and the backups are available for 1 month for restoration.
- Project back-ups are stored in Microsoft Azure blob storage in various geolocations for the consistency and integrity of your data.
- We are cloud-based and have a secured API that can be used to access data with the correct API token that has the proper permissions. This enables you to control the access rights to your project data.
- Document360 is hosted on Microsoft Azure Cloud. Therefore, you can rest assured that the latest security protocols tightly secure your data and that technology meets compliance standards for data security. Microsoft Azure Cloud offers protection against Distributed denial of service (DDoS) attacks by defending against common network-layer attacks through always-on traffic monitoring and real-time mitigation
- The core team is highly technical and understands the importance of security and staying up-to-date with new technologies. They coordinate with an offshore team to provide the best services for the customers.
2. Best practices
Here at Kovai Limited, we believe that best practices create secure and robust applications. We recommend the users of Document360 follow our list of best practices to prevent any unexpected data loss or unauthorized access.
List of best practices:
We do not recommend sharing the API key in public or via less secured networks as it can result in unauthorized data access. The key can be used to view or exploit your data. In such a case, we recommend deleting the key immediately and creating a new API key for your usage.
More Info →
We recommend giving only the required permissions to an API key, as this helps keep the data in safe hands and prevents unauthorized users from modifying the data. For example, for viewing "example" set of data, the API key only needs the GET method. This does not let the users modify the data using the API key.
More Info →
We suggest that the team manager gives the correct access rights to each user as most of our customers have a team that has access rights to the documentation. We make this simple by having roles corresponding to a certain access rights level.
More Info →
We recommend that the users take advantage of the backup functionalities. The automatic backup of the project will happen every day at 00:00 UTC. You can also manually back up your project anytime to keep the changes made safe. Both of these will back up the Settings, Landing Page, Documentation, and Entire Project contents and can be restored at any time to return to a previous version. This process is made available to keep the users in control and to prevent data loss.
More Info →
We recommend you use the option to make the document private if needed. Various customers have different use cases for our product. You might want the documentation to be visible to the public or internal team members. The project owners can make the documentation private in the latter case and make it not visible to the public.
More Info →
3. Security information of integrations and partners
Algolia - Search partner
SOC2 and SOC3 compliant- Algolia follows all SOC 2 best practices to ensure excellence in the AICPA’s five trust service principles. Resulting in securing your data from modern world threats.
The API servers support HTTPS and all the versions of TLS 1.0, 1.1, and 1.2 and are given an A rating by Qualys SSL labs
Algolia isolates each customer's data in separate applications, preventing leakage and exchange of information from preserving the integrity of your data.
MongoDB Atlas - Database service partner
- Network isolation - MongoDB Atlas dedicated clusters are deployed in a unique Virtual Private Cloud (VPC) with dedicated firewalls. This means that a third party can access your private data.
- MongoDB Atlas undergoes independent verification of platform security, privacy, and compliance controls.
- End-to-end encryption - All the network traffic is encrypted using TLS with the flexibility to configure the minimum TLS protocol version. Encryption for data at rest is stored in encrypted storage volumes.
Azure Blob Storage
Encryption in transit - HTTPS, while data transfer is out of the storage and client-side encryption, encrypts the data at the client computer and then decrypts once transferred to the server.
Encryption at rest - Storage-side encryption is always enabled and automatically encrypts storage service data when writing it to Azure Storage. Client-side encryption is also enabled to make the data stored as secure as possible.
Advanced threat protection - Provides an additional layer of security to detect unusual behavior and potentially harmful attempts to access and exploit your storage account.
4. GDPR compliance
- Document360 is GDPR compliant, and we only collect and store information necessary to provide our service with the consent of our customers.
5. Business continuity and disaster recovery
To ensure business continuity, we have High Availability configured for our web apps and database. We have multiple nodes running for individual services, so if one goes down, you still get an uninterrupted experience using Document360.
For any possible disaster - we have our database and data storage replicated in different geo-locations, so your data is always safe with us.
A product roadmap is defined and reviewed periodically by the Product Owner. Security fixes are prioritized and are bundled in the earliest possible sprint. Our DevOps sprints are powered by multi-disciplinary team members, including the Product Owner, Director of Engineering, Developers, and Quality Assurance.
- Code Review
The Quality Assurance team tests all changes and establishes criteria for performing code reviews, web vulnerability assessments, and advanced security tests.
- Quality Assurance
Builds are put through stringent functionality, performance, stability, and UX tests before the build are certified "Good to go".
- Version Control
Source code is managed centrally with version controls, and access is restricted based on various teams assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
- Segregation of Duties
Access to the production resources is restricted to a limited set of users based on the job roles.
Highly Resilient Architecture
The architecture is built with resiliency to ensure the high availability of the product and data.
- High Availability
We have multiple instances of our services running to ensure the high availability of our services for our customers.
- Highly Scalable DNS
Route users to the best endpoint based on geo-proximity, latency, health, and other considerations.
- Data Backup
Cloud snapshots are taken daily and retained, weekly and monthly, and the backups are available for one month for restoration.
- Incident & Breach Management
Procedures are established for reporting incidents and tracking them for timely communication, investigation, and resolution.
- Azure CDN
We use Azure CDN to make sure our application and customer documentation are served with speed and ensure that they are done from the nearest node.