At Applicaster, our customers’ security is a top priority. We constantly invest in securing our customers’ data, eliminating vulnerabilities and ensuring high availability.
Applicaster employs industry standard technologies and practices to secure your data from unauthorized access, disclosure or data loss. Our security & operation teams work together to ensure our product is always available for use and always safe from misuse.
As part of Applicaster’s focus on security, we perform the following on a regular basis:
Monitoring and analyzing the infrastructure for suspicious activity and potential threats.
Performing internal reviews.
Updating our security model to address new threats.
Systematically examining our security risks, threats and vulnerabilities.
Designing and implementing a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address the risks that are deemed unacceptable.
Adopting an overarching management process to ensure that the information security controls continue to meet the organization's evolving information security needs.
Physical Access Control
The Applicaster platform is hosted on AWS. AWS data centers feature the highest standard of security and compliance as detailed in https://aws.amazon.com/security/ and https://aws.amazon.com/compliance/. The physical security controls are constructed in such a way as to eliminate the effect of single points of failure and retain the resilience of the computing center.
Logical Access Control
Our infrastructure leverages the “Infrastructure-as-code” pattern using Terraform. All infrastructure changes are peer reviewed, logged and audited. A nightly check alerts on any deviation from the infrastructure blueprint that is checked into git. Direct access to the infrastructure is only possible for a handful of our most senior engineers, and is only exercised in cases of emergency. This access is only possible using additional authentication factors such as specific source IPs, VPNs and 2FA devices.
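The following is an added illustration of the kind of nightly drift check described above; it is not Applicaster’s own tooling. It assumes `terraform` is installed and already initialised against the real state backend for each root module directory passed to it, and it relies only on the documented exit codes of `terraform plan -detailed-exitcode`.

```shell
#!/bin/sh
# Added example (not Applicaster's own script): nightly infrastructure drift check.
# Assumes each argument is a Terraform root module directory that has already
# been `terraform init`-ed against the real state backend.

# Map the exit status of `terraform plan -detailed-exitcode` to a label.
#   0 -> live infrastructure matches the checked-in blueprint
#   2 -> drift: applying the plan would change something
#   anything else -> the plan itself failed (credentials, backend, syntax)
classify_plan_exit() {
  case "$1" in
    0) echo "in-sync" ;;
    2) echo "drift" ;;
    *) echo "error" ;;
  esac
}

# Plan one root module read-only and print "<label> <dir>".
# Returns 0 only when the module is in sync, so a cron job can page on non-zero.
check_module() {
  dir="$1"
  # -input=false keeps the job non-interactive, -lock=false keeps it read-only
  # with respect to the state lock, -no-color keeps the saved plan output clean.
  (cd "$dir" && terraform plan -detailed-exitcode -input=false -lock=false -no-color \
      >"plan-$(date +%Y%m%d).log" 2>&1)
  rc=$?
  label=$(classify_plan_exit "$rc")
  echo "$label $dir"
  [ "$label" = "in-sync" ]
}

# Check every module given on the command line; exit non-zero if any drifted
# or failed to plan, so the scheduler's failure hook raises the alert.
status=0
for module in "$@"; do
  check_module "$module" || status=1
done
exit $status
```

Run it from cron with the root module directories as arguments; a non-zero exit means at least one module either drifted from git or could not be planned, and the saved plan log shows exactly which resources differ.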
Intrusion Detection and Prevention
Applicaster uses AWS’s GuardDuty and extensive logging tools to detect patterns of suspicious behaviour. We regularly examine those findings and change our infrastructure, applications and security measures to decrease our exposure and risk.
All communication with Applicaster’s backend systems is done over TLS. Applicaster uses the latest recommended cipher suite to maximize security while supporting the required client application platforms. We benchmark our TLS implementations using Qualys SSL Labs. Applicaster’s certificates are rotated on a regular basis with renewals logged in Certificate Transparency.
Every component of the Applicaster platform is deployed with redundant capacity to accommodate events of high traffic or local system failures. We invest considerable engineering effort to ensure our systems are built without any single points of failure. All servers are disposable and are constantly being replaced by AWS’s auto-scaling groups.
Applicaster keeps hourly encrypted backups of all data. In the extreme event of production data loss we will restore all customer data from these backups.
If you would like to report a vulnerability or have any security concerns with Applicaster’s platform please contact the security team at firstname.lastname@example.org.
Please include enough detailed information that will allow us to verify the vulnerability, such as tools used and their outputs, exposed DNS addresses and ports, CVE identifiers, etc.
Applicaster realizes that the malicious activities of an insider are a risk to data confidentiality and system availability and has therefore put policies and procedures in place concerning the hiring of personnel with access to important and crucial systems. Employee permissions are periodically revised to ensure least-privileged access.
Applicaster ensures its employees are made aware of the security risks that our company is exposed to by the nature of its operations, by means of constant discussion of security threats and the tools and behaviours that mitigate them. Applicaster’s culture of transparency and shared communication tooling encourages all employees to report any suspicious activity they notice.
Application Development Lifecycle
Applicaster is committed to the industry’s best practices for software development; as such, we practice continuous integration (CI) and continuous delivery (CD) whenever possible. We also practice mandatory code review on all code bases, automated error tracking and production instrumentation. These practices produce a better, less vulnerable codebase with a shorter time-to-fix for bugs, capacity and security issues.
To handle security or availability incidents Applicaster maintains a procedure for urgent operational issues. The procedure ensures fast access to the required company personnel and constant reporting back to the company’s operations team.
The procedure includes clear instructions on communicating the incident to every involved party and on handling escalations. The procedure is reviewed after every incident and whenever people, systems or the nature of the operating environment change.