Information Risk Assessment:
We have implemented and/or assessed the following points to ensure information security:
Role-based access / authorization: We have verified through different use cases that one user is unable to access data of another user, regardless of roles. This same delineation of access exists between different organizations.
Registration process: We have made the registration process semi-automated; that is, every user, of any type, must be invited by an existing user with administrative privileges. Nobody from outside the network can simply register and use the system.
User login failure messages: When a login attempt fails, our system returns the same message whether the account exists or not, so it does not reveal whether a given username/email is registered. This ensures that account usernames/emails cannot be enumerated by guessing.
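An added example of the login behaviour described above, written in plain Ruby rather than the application's Rails stack and not the vendor's own code: the failure message is identical for an unknown email and a wrong password, and a dummy hash is computed for unknown emails so that response time does not disclose account existence either. The user store, password and PBKDF2 parameters are constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000
DIGEST_LEN = 32

# Derive a password digest with PBKDF2-HMAC-SHA256 (stand-in for bcrypt).
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, DIGEST_LEN,
                             OpenSSL::Digest.new('SHA256'))
end

def make_user(email, password)
  salt = SecureRandom.random_bytes(16)
  { email: email, salt: salt, digest: derive_key(password, salt) }
end

# Constructed in-memory user table standing in for the Rails User model.
USERS = {
  'alice@example.org' => make_user('alice@example.org', 'correct horse battery staple')
}.freeze

# Salt/digest pair used when the email is unknown, so the server performs
# the same hashing work whether or not the account exists.
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_DIGEST = derive_key(SecureRandom.hex(16), DUMMY_SALT)

GENERIC_FAILURE = 'Invalid email or password.'

# Constant-time byte comparison: does not short-circuit on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [success, message]. The failure message never distinguishes
# "no such account" from "wrong password".
def authenticate(email, password)
  user = USERS[email]
  salt   = user ? user[:salt]   : DUMMY_SALT
  stored = user ? user[:digest] : DUMMY_DIGEST
  candidate = derive_key(password, salt)
  match = secure_equal?(candidate, stored)
  if user && match
    [true, 'Signed in.']
  else
    [false, GENERIC_FAILURE]
  end
end
```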
Password policy: We require complex passwords for new users. We have put in place a policy that requires all users to change passwords every six months.
File access: We store all files over cloud servers using Amazon Web Services (AWS), which are only accessible in the following ways:
Via direct console login on AWS - Only our two lead programmers and our cofounders have this access.
Via the application - Each user can only delete files that he/she has previously uploaded himself/herself.
Developed on RoR: Our web application is built on the Ruby on Rails (RoR) framework. Rails provides certain protections by default, such as output escaping against cross-site scripting (XSS), protected sessions and cookies, and strong parameters for filtering request input.
Third Party Penetration/Vulnerability Scans:
We are continually conducting penetration testing to ensure that our security meets expectations. We have a third party QA specialist who can produce a complete penetration testing report within 8-10 business days. Please let us know if this will be necessary.
Disaster Recovery Plan:
As of now, the structure of our disaster recovery plan is as follows:
Codebase residence: The codebase resides on an AWS cloud server, which is one of the most secure storage services in the industry.
AWS server enhancements: Through AWS, we have invested further in our cloud server by enabling “versioning”, so that prior versions of stored objects are retained and nothing is irrecoverably deleted at any given point in time.
Codebase audit: We performed a full audit of the codebase to identify any required security changes, for example to SQL database queries and request authorization.
As a result of the audit, we implemented CanCanCan, the authorization Gem for Ruby on Rails.
Deployment server: The deployment server also resides on a widely used, industry-standard cloud platform.
This is accessible via verified SSH only.
For verification, an end user's SSH key must first be added through the web application; only then can that user connect to the server via SSH.
As an additional step, we have scheduled backups of the database.
Business Insurance:
Covered by $1,000,000 of professional liability/E&O insurance coverage