We practice a risk management strategy and follow industry-standard security practices, including:
User Authentication
Validaide makes use of a specialized third-party authentication service called Auth0. In Auth0, passwords are always hashed and salted securely using bcrypt. Both data at rest and data in transit are encrypted: all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, is encrypted and authenticated using AES_128_GCM, and uses ECDHE_RSA as the key exchange mechanism.
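The transport settings described above, expressed as a client-side policy check. This is an added example, not Validaide's or Auth0's own code: it builds an ssl context that refuses anything older than TLS 1.2 or outside ECDHE-key-exchange AES-GCM suites, and evaluates what a server negotiated against that policy. The handshake results and the audit_host helper are constructed for illustration.

```python
"""Encode the stated transport policy (TLS 1.2 or newer, AES-GCM with ECDHE
key exchange) as a client SSLContext plus a check on a negotiated session.
Hostnames and handshake results below are constructed examples."""
import socket
import ssl

# OpenSSL cipher string: forward-secret (ECDHE) AEAD (AES-GCM) suites only.
POLICY_CIPHERS = "ECDHE+AESGCM"


def build_client_context() -> ssl.SSLContext:
    """Client context that refuses anything weaker than the stated policy."""
    ctx = ssl.create_default_context()            # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject TLS 1.0 / 1.1
    ctx.set_ciphers(POLICY_CIPHERS)               # applies to TLS 1.2 suites
    return ctx


def allowed_cipher_names(ctx: ssl.SSLContext) -> set:
    """Suite names OpenSSL will offer under this context (TLS 1.2 and 1.3)."""
    return {c["name"] for c in ctx.get_ciphers()}


def session_meets_policy(version: str, cipher: str) -> bool:
    """Judge a negotiated session as reported by SSLSocket.version()
    and SSLSocket.cipher()[0]."""
    if version == "TLSv1.3":
        # TLS 1.3 suites are always (EC)DHE + AEAD; keep only the AES-GCM ones.
        return cipher.startswith("TLS_AES_")
    if version == "TLSv1.2":
        return cipher.startswith("ECDHE-") and "-GCM-" in cipher
    return False  # TLS 1.1 and older never satisfy the policy


def audit_host(host: str, port: int = 443) -> bool:
    """Connect with the policy context and report whether the session
    complies. Needs network access; not exercised by the constructed cases."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return session_meets_policy(tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    # Constructed handshake results; the first is the suite named on this page.
    print(session_meets_policy("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"))   # True
    print(session_meets_policy("TLSv1.2", "AES128-SHA"))                   # False: RSA kx, CBC
    print(session_meets_policy("TLSv1.1", "ECDHE-RSA-AES128-GCM-SHA256"))  # False: old protocol
```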
We have a strict user password policy based on OWASP recommendations, including a minimum password length of 10 characters and the use of special characters. Furthermore, we safeguard our users with email verification by default at account creation time and during password resets.
Server Infrastructure
The Validaide production environment is outsourced to our hosting provider ShockMedia B.V. in the Netherlands, which is ISO 27001 and NEN 7510 certified. We have a Service Level Agreement that covers the following security aspects:
- Servers are firewalled and require encrypted logins to access.
- 24/7 proactive server monitoring.
- Continuous security monitoring and immediate installation of security updates and patches to fix security vulnerabilities.
- Encryption of browser connections using valid TLS/SSL certificates.
- Daily backups with retention of 7 days, as well as weekly backups with retention of 4 weeks.
The Validaide servers are physically co-located at the hardened data center Previder PDC2 in Hengelo, the Netherlands. The data center is ISO 27001, ISO 9001, ISO 14001 and NEN 7510 certified.