Security - Your Data is Safe

Published on 2022-05-01 22:00 +0. Updated on 2022-06-16 19:56 +0.

Wide Angle Analytics gives you the ability to process personal data. One of our founding principles is to keep you in control and offer you flexibility and options. Since we process Personal Data, we need to adhere to utmost security standards and handle your and your users' data with great care. We approach our security measures from multiple facets.

But first, a quick summary:
✅ Data is encrypted when transmitted over the Internet.
✅ Personal Data is encrypted when sent between internal services.
✅ Customer and end-user information is encrypted at rest.
✅ Backups are encrypted.
✅ Access to the network is strictly controlled and requires authenticated, encrypted communication.

When designing and implementing the Security Policy we focused on four core aspects:

  • Security
  • Confidentiality
  • Availability and Resiliency
  • Legal and Physical Protection

Security

Network Security

Network security is a vast domain that requires special attention. Therefore, we approach network security on multiple layers.

First, access to the network and servers is controlled via the OVH managed firewall. That creates separation between external, Internet-facing services and the internal systems that form Wide Angle Analytics.

Secondly, Wide Angle Analytics operates within its own Private Virtual Network. This network ensures that no unauthorised third party within OVH can reach servers storing customer data. The exception is OVH Support, but only when explicitly instructed by our staff.

Thirdly, a node-level firewall adds a layer of protection by ensuring that only authorised endpoints can access the service at the Virtual Machine Operating System level.

Limited Access

Access to the service requires authentication and authorisation. Non-authenticated users cannot reach any service that has access to your or your customers' data.

Administrative and operational access to Wide Angle Analytics services is strictly limited to encrypted VPN connections.

All internal services require authentication using strong credentials when exposed to user or visitor data. We rotate passwords to our internal services on a schedule.

User Password Management

Wide Angle Analytics operates Zero-Factor authentication. We do not use passwords. Instead, your email is your username, and each time you log in, you will receive a temporary login link. That login link is valid only for 10 minutes.

Once logged in, your access token is safely stored in your browser cookie. This cookie will remain valid for 30 days unless you explicitly request log-out.

The browser design and carefully selected cookie parameters guarantee that this sensitive cookie will not be shared with any third party, nor can it be read by malicious JavaScript.
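The login flow described above, sketched as an added example (not Wide Angle Analytics' own code). It assumes the link token is single-use and stored only as a hash, and that the "cookie parameters" are `HttpOnly`, `Secure` and `SameSite`; the class and function names are hypothetical.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

LINK_TTL = 10 * 60               # page: login link is valid for 10 minutes
SESSION_TTL = 30 * 24 * 60 * 60  # page: cookie stays valid for 30 days


class MagicLinkStore:
    """In-memory store of pending login links (hypothetical helper).

    Only the SHA-256 digest of each token is kept, so a leaked store
    does not reveal usable login links.
    """

    def __init__(self):
        self._pending = {}  # digest -> (email, expires_at)

    def issue(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + LINK_TTL)
        return token  # goes into the emailed link, never into logs

    def redeem(self, token, now=None):
        """Return the email for a valid token, else None. Single use."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a link works once
        if entry is None or now >= entry[1]:
            return None
        return entry[0]


def session_cookie_header(session_id):
    """Build the Set-Cookie value for the post-login session cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["max-age"] = SESSION_TTL
    morsel["path"] = "/"
    morsel["secure"] = True     # sent over HTTPS only
    morsel["httponly"] = True   # not readable from JavaScript
    morsel["samesite"] = "Lax"  # withheld from cross-site subrequests
    return morsel.OutputString()
```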

Service Password Management

Administrators and Operators use an off-site password storage mechanism and secure these with a strong encryption algorithm, AES-256. The vault and its persistence follow an end-to-end encryption process, and passwords are never transmitted or stored insecurely.

Administrative Access

Operators with elevated administrative access require an encrypted VPN connection which supports Multi-Factor Authentication.

Confidentiality

We take Personal Data processing very seriously. We have implemented multiple security measures to ensure that your and your users' data are safe.

Encryption In Transit

Every piece of information that relates to you, the customer or your visitor, the end-user, is encrypted when passing between servers.

Firstly, every access to our Internet services requires an HTTPS connection—we leverage Let's Encrypt to secure all our domains. Likewise, we will request an SSL certificate from Let's Encrypt when you connect a custom domain to Wide Angle Analytics. The data between the browser and Wide Angle Analytics will always travel encrypted until it reaches our internal, secure service.

In the section about networking, we mentioned that we use a private network to separate our services from the rest of the OVH network. In addition to that, we also use a secure SSL connection between our internal services when Personal Data is exchanged.

Internal communication depends on the Input Objects Certificate Authority. We control certificate generation, signing and revocation. To assure maximum security, we leverage a Hardware Security Module, which prevents the secret key from ever being compromised.

Encryption While Processing

When processing data and while serving analytics and reports for you and your organisation, we need to be able to access the data. As such, at this point, data is not encrypted.

Encryption At Rest

Every system that stores customer or visitor personal data, such as our database, analytics engine and messaging platform, uses encrypted (AES-XTS) data volumes. Credentials necessary to unlock these disks are stored off-site.

In the unlikely scenario when disks are stolen or incorrectly handled by the cloud operator, the data will remain secure and inaccessible to unauthorised third parties.

Backup Encryption

Your organisation's back-office data and details are backed up encrypted and follow the Encryption At Rest approach, as described in the previous section.

The events recorded on your behalf follow a different approach. First, the event data is encrypted using the XSalsa20 stream cipher and authenticated with a Poly1305 MAC. The secret used to encrypt this data is subsequently encrypted using asymmetric cryptography. This approach allows us to back up your events in time intervals and follow the good practice of secret key rotation.

Encrypted batches of events are subsequently securely transferred to long term storage in a different data centre of the same operator. A copy of your data is safely stored off-site and can be restored during the Disaster Recovery procedure.

Service Availability and Resiliency

DDoS protection

The OVH infrastructure offers built-in DDoS protection. This way, we are impervious to most coarse DDoS attacks.

In addition, our services use rate-limiting, preventing abuse and event-based attacks.

Scalability

By leveraging the public cloud of one of the biggest cloud providers, we can quickly scale our infrastructure. In addition, by using the elastic, auto-scaling deployment of crucial services, we can easily handle unexpected traffic bursts and grow infrastructure to meet our customer needs accordingly.

Backup and Recovery

Back-office data and customer information are backed up daily and stored for multiple days.

We maintain a full backup of the recorded events. In the event of partial or complete failure or disaster, these events can be replayed and re-introduced to the platform.

Depending on downtime duration and the number of customers affected, disaster recovery time will vary.

Legal and Physical Protection

Data Sovereignty

All our services reside within OVH Public Cloud. In addition, we explicitly host our data and services on EU based servers. With OVH, we can assure you that we have complete control over the data we process on your behalf.

Furthermore, following the principle of Data Sovereignty, we store and process data in a country where the legal framework guarantees compatibility with GDPR rules.

Datacenter Security

OVH SAS Public Cloud infrastructures and services are ISO/IEC 27001, 27017, 27018 and 27701 certified.

If you have any further questions about our security practices, don't hesitate to contact our support.