Frequently Asked Question
From a technical point of view, we encrypt data both in transit and at rest on the servers. At the data transfer level, we use SSL to secure communication between server and client. This also ensures that data is transferred in encrypted form. Only the receiver has access to the data.

At the server and DB level, access from the outside is impossible except for the admins, who are filtered by IP. Access is limited to the minimum required. Only people in the Montreal (Quebec, Canada) region have access to the servers; thus, no overseas employee has access to any production server. We also use Proxy SSH, so the admins need to connect by SSH to the DB. Finally, each time a server is accessed for work other than standard updating of code or DB (each time there is a modification to a server configuration), our key personnel immediately receive an email providing information on the access and the IP of the user. Since all admins use static IPs, should a non-recognized IP connect to the servers, we have a direct line with the technicians in the server rooms to discuss the options (shut the connection, other). We provide different authentication/access options, including SSO for companies using this.

We use several anti-virus tools as well as other security measures. Infrastructure is segregated by clusters. We use a combination of SELinux and a WAF-Firewall from Cloudflare, which enables us to protect against and mitigate some vulnerability attacks, SQL injection, spam, cross-site attacks, and brute-forcing. We also have some additional protection, such as a Pre-firewall (filtering of data before it comes to the firewall, required for DDoS attacks), one firewall that is automatically enabled when a DDoS is detected, and finally, Armor, which is enabled when more advanced attack techniques are used.
A local firewall is also available, which enables filtering by IP if required.
Finally, antivirus and intrusion detection are also used.
The disaster recovery plan includes the ability to transfer data to other servers and clusters rapidly. However, because of our current cluster setup, redundancy is assured on a constant basis. Our plan uses IBM's proposed standard disaster recovery plan. Natural disasters occur locally. Having people in northern Africa, the USA, India, Canada, and other places, we rely mainly on the fact that we can continue to work and operate from other places, should a natural disaster occur. From a product delivery standpoint, the cluster networks were designed to keep operating if an entire region (or two) were hit by a natural disaster.
From an organizational point of view, we have internal policies for security. For example, no employee outside of Canada or the USA has access to customer data or customer information. All employees are bound by confidentiality agreements. Access to production servers is strictly done from North America (mainly Canada). We conduct risk analysis on a regular basis. All servers are hosted in large protected sites providing security 24/7. We rely solely on large multinational server providers, and we only use private dedicated servers.