Buopso's Software as a Service (SaaS) offerings to solve their business concerns. The importance of security is represented in all aspects of our business, including people, procedures, and products. This page explains how we provide security to our clients by discussing subjects including data security, operational security, and physical security.
The following elements make up our security plan.
Control of identity and access
Management of incidents
Customer security controls
We have a system in place called the Information Security Management System (ISMS) that considers our security goals as well as the risks and mitigations affecting all interested parties. For the security, accessibility, processing, integrity, and confidentiality of customer data, we follow stringent policies and processes.
Background checks on employees
Background checks are performed on every employee. We contract with reputable outside companies to carry out this check on our behalf. We conduct this to confirm their educational background, prior employment history, and criminal histories, if any. Tasks that could endanger users are not given to the employee until this check has been completed.
Each employee receives training in information security, privacy, and compliance after they are hired and sign a confidentiality agreement and approved usage policy. Additionally, we assess their comprehension through examinations and quizzes to identify which subjects require extra instruction. We offer training on particular security topics that they might need depending on their roles.
To keep them informed about the security procedures of the company, we continuously educate our staff on information security, privacy, and compliance in our internal community, where our employees often check in. To promote awareness and foster innovation in security and privacy, we also hold internal events.
Teams with a focus on privacy and security
Our security and privacy programs are implemented and managed by specialised security and privacy teams. They design and manage our defence systems, create security review procedures, and constantly watch our networks for unusual activities. They advise our engineering teams and offer consulting services that are domain-specific.
Internal review and adherence
Our specialised compliance team examines Buopso policies and procedures to make sure they adhere to standards and to identify what controls, procedures, and systems are required to satisfy those standards. Additionally, this team performs routine internal audits and supports impartial audits and evaluations by other parties.
Check out our compliance portfolio for more information.
All workstations provided to Buopso staff are set up with antivirus software and run the most recent OS version. They are set up to meet our security standards, which call for all workstations to be correctly set up, patched, and tracked and monitored by Buopso's endpoint management tools. Because they are set up to encrypt data at rest, use strong passwords, and lock themselves when not in use, these workstations are safe by default. To make sure they adhere to our security standards, mobile devices used for business purposes are enrolled in the mobile device management system.
at the office
With the use of access cards, we regulate access to our resources (buildings, infrastructure, and facilities), where accessing comprises consumption, entry, and utilisation. We issue distinct access cards to employees, contractors, vendors, and guests, and these cards only permit access for the purposes for which they entered the premises. The team in charge of human resources (HR) creates and updates the roles' specific goals. We keep access records to identify and handle anomalies.
During Data Centres
In our data centres, a co location provider is in charge of the structure, the power, the cooling, and the physical security while we supply the servers and storage. A select few authorised individuals are allowed access to the Data Centres. Any further access must be requested as a ticket and is only granted with the consent of the appropriate managers. To enter the building, further two-factor authentication and biometric authentication are needed. In case of an incident, access logs, activity data, and camera video are available.
We use CCTV cameras that have been installed in accordance with local rules to monitor all entry and exit movements across our buildings in all of our business centres and data centres. Depending on the needs for that site, backup footage is accessible for a specific amount of time.
Our network security and monitoring methods are created to offer various defences and layers of protection. We employ firewalls to shield our network from unwanted traffic and unauthorised access. To safeguard sensitive information, our systems are divided into distinct networks. Those supporting Buopso's production infrastructure are hosted in a different network from those supporting testing and development activities.
We keep a stringent, consistent schedule for monitoring firewall access. Every day, a network engineer reviews all modifications made to the firewall. Additionally, the rules are updated and revised after reviewing these changes once every six months. Our devoted Network Operations Centre team keeps an eye on the apps and infrastructure for any anomalies or suspicious activity. Using our unique solution, we continuously monitor all important metrics, and whenever there are any unusual or suspicious behaviours in our production environment, notifications are triggered.
Redundancy in a network
Our platform's components are redundant with one another. To protect our system and services from the effects of potential server failures, we adopt a distributed grid architecture. Users won't be affected if a server goes down because they will still have access to their data and Buopso services.
To achieve device-level redundancy, we also deploy numerous switches, routers, and security gateways. The internal network is shielded from single-point failures as a result.
For the purpose of preventing DDoS assaults on our servers, we employ technology from reputable and well-established service providers. These systems provide a variety of DDoS mitigation features to stop disturbances brought on by harmful traffic while letting good traffic pass. This maintains the high availability and performance of our websites, applications, and APIs.
All servers set up for testing and development purposes are hardened (by blocking unneeded ports, deleting default passwords, etc.). For consistency across servers, the base Operating System (OS) image is provisioned in the servers and includes server hardening.
Detection and prevention of intrusions
Both host-based signals from specific devices and network-based signals from monitoring points on our servers are noted by our intrusion detection system. On all servers in our production network, administrative access, the use of privileged commands, and system calls are all recorded. Security engineers receive warnings of potential incidents thanks to rules and artificial intelligence that are constructed on top of this data. We have a unique WAF that runs on both whitelist and blacklist rules at the application layer.
Scrubbing, network routing, rate limitation, and filtering are used at the Internet Service Provider (ISP) level to handle attacks from the network layer to the application layer. This system offers dependable proxy service, clean traffic, and quick reporting of assaults, if any.
Design for security
A change management policy controls each update and new feature to guarantee that all application changes are approved before being put into production. Our Software Development Life Cycle (SDLC) requires adherence to secure coding standards as well as manual review methods, vulnerability scanners, and tools for analysing code modifications for potential security flaws.
Our strong security architecture, which is built on OWASP standards and applied at the application layer, offers functionality to counteract threats like SQL injection, cross-site scripting, and application layer DOS attacks.
For our clients, our framework manages and distributes cloud storage. Using a collection of secure protocols built into the framework, each customer's service data is logically segregated from that of other customers. As a result, no customer's service information is made available to another customer.
When you use our services, the service data is saved on our servers. You are the owner of your data, not Buopso. Without your permission, we do not disclose this information to any outside parties.
All client data that is transmitted to our servers over open networks is securely encrypted during transit. We require Transport Layer Security (TLS 1.2/1.3) encryption with robust cyphers for all connections to our servers, including online access, API access, mobile app access, and access through IMAP/POP/SMTP email clients. By enabling the authentication of both parties participating in the connection and encrypting the data being exchanged, this guarantees a safe connection. Additionally, our services use opportunistic TLS by default for email. Where peer services offer TLS, it secures email delivery while preventing eavesdropping between mail servers.
With our encrypted connections, we fully support Perfect Forward Secrecy (PFS), ensuring that no prior communication could be decoded even if we were to become compromised in the future. All of our web connections have the HTTP Strict Transport Security header (HSTS) enabled. Regardless of whether you write a URL to an insecure page on our website, this instructs all current browsers to only connect to us via an encrypted connection. Additionally, we mark all of our authentication cookies as secure on the web.
Sensitive client data is protected using the 256-bit Advanced Encryption Standard (AES) when it is at rest. Depending on the services you use, different data may be encrypted while at rest. We use our internal Key Management Service (KMS) to own and maintain the keys. By employing master keys to encrypt the data encryption keys, we create further layers of protection. The data encryption keys and master keys are kept on separate servers with restricted access and are physically separated.
Please click here for more information on Buopso's encryption policies and here to learn more about the types of data we encrypt for our customers.
Retention and deletion of data
During the time that you choose to utilise Buopso Services, we keep the data in your account. Your data will be removed from the active database when you cancel your Buopso user account during the upcoming clean-up, which takes place once every six months. After three months, the data that was destroyed from the live database will also be removed from the backups. We reserve the right to delete your unpaid account if it has been inactive for 120 days straight, after giving you advance notice and the chance to back up your data.
The disposal of obsolete equipment is handled by a trusted and authorised vendor. We classify them and keep them in a safe place till then. Before being discarded, all data on the devices is formatted. We use a shredder to physically destroy failing hard drives after degaussing them. Failed Solid State Devices (SSDs) are crypto-erased and destroyed.
Control of identity and access
SSO (Single Sign-On)
Single sign-on (SSO) is a feature offered by Buopso that enables users to sign in once and access a variety of services. Only our integrated Identity and Access Management (IAM) service is used when you log in to any Buopso service. We also support SAML for single sign-on, enabling users to integrate their organization's identity provider, such as LDAP or ADFS, when logging into Buopso services.
SSO makes the login process simpler, guarantees compliance, offers efficient access management and monitoring, and lowers the risk of password fatigue and weak passwords as a result.
Authentication with many factors
By requiring an additional verification in addition to the password that the user must have, it adds an extra degree of security. This can significantly lower the possibility of unauthorised access in the event that a user's password is stolen. Using Buopso One-Auth, you may set up multi-factor authentication. Various options are currently available, including biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP.
As a second element in multi-factor authentication, we also support Yubikey Hardware Security Key.
We use internal rules and technology access controls to prevent staff from accessing user data at will. To reduce the danger of data disclosure, we use the principles of least privilege and role-based permissions.
Strong passwords, two-factor authentication, and passphrase-protected SSH keys are used in combination to authorise access to production environments, which is managed by a central directory. Additionally, we enable such access through a different network with stronger regulations and hardened hardware. We also regularly audit all the operations and log them all.
Monitoring and Logging
We track and examine data from services, internal network traffic, and usage of devices and terminals. Event logs, audit logs, fault logs, administrator logs, and operator logs are the formats in which we keep track of this data. In a fair amount, these logs are automatically watched and analysed to assist us spot anomalies like attempts to access customer data or strange activity in employee accounts. In order to administer access control centrally and guarantee availability, we store these logs on a secure server that is segregated from full system access.
Customers get access to thorough audit logging for every update and delete actions taken by the user in any Buopso service.
Management of vulnerabilities
We have a dedicated vulnerability management approach that actively looks for security risks utilising both automatic and manual penetration testing, as well as a combination of certified third-party scanning tools and in-house solutions. Furthermore, in order to discover security issues that can have an impact on the organization's infrastructure, our security staff actively evaluates incoming security reports and keeps an eye on public mailing lists, blog posts, and wikis.
As soon as we locate a vulnerability that needs to be fixed, it is recorded, given a severity rating, and given an owner. We further analyse the risk factors involved and monitor the vulnerability until it is patched or the appropriate controls are implemented.
Spam and malware defense
Our automated scanning technology, which is intended to prevent malware from spreading throughout Buopso's ecosystem, is used to scan all user files. Our proprietary anti-malware engine examines files for malicious signatures and malicious patterns and receives regular updates from external threat intelligence sources. Additionally, we use a proprietary detection engine and machine learning methods to secure consumer data from malware.
In order to stop spam, Buopso offers Domain-based Message Authentication, Reporting, and Conformance (DMARC). SPF and DKIM are used by DMARC to validate the authenticity of messages. For the purpose of detecting misuse of Buopso services, such as phishing and spamming, we also employ our own unique detection engine. We also have a specialised anti-spam staff that keeps an eye on the software's signals and responds to abuse reports.
Click here for additional details.
Using the Buopso Admin Console (BAC) for Buopso's DCs, we run incremental backups of our databases every day and full backups every week. The DC stores backup data in the same place and encrypts it using the AES-256 bit technique. They are kept in the tar.gz format. For a period of three months, all backup data are kept on file. We will restore client data and give secure access to it if a request for data recovery is made within the retention term. The size and complexity of the data will determine how long it takes to restore the data.
We utilise a redundant array of independent discs (RAID) in the backup servers to assure the security of the backed-up data. All backups are regularly scheduled and monitored. If there is a problem, a new run is started and it is rectified right away. The BAC programme performs the integrity and validation checks of the entire backups automatically.
We strongly advise you to export your data from the appropriate Buopso services and store it locally in your infrastructure in order to schedule frequent backups of your data.
Recovery from disasters and business continuity
Application data is kept on replicable, resilient storage that spans several data centres. Near real-time data replication from the primary DC to the secondary DC. In the event that the primary DC fails, the secondary DC assumes control, allowing the activities to continue smoothly with little to no downtime. Multiple ISPs are available at both centres.
As physical safeguards to assure business continuity, we have fire-prevention systems, temperature control systems, and backup power systems. We can build resilience thanks to these strategies. We have a business continuity strategy in place for our main operations, such as support and infrastructure management, in addition to data redundancy.
Management of Incidents
Our incident management team is committed. We let you know about any situations in our environment that concern you, along with any necessary steps you might need to take. We keep track of issues and take the necessary corrective measures to close them. When appropriate, we will locate, gather, obtain, and give you the necessary proof—in the form of application and audit logs—about incidents that pertain to you. In addition, we put controls in place to stop similar circumstances from happening again.
When you email firstname.lastname@example.org to report a security or privacy incident, we take it very seriously. We will alert users about general issues via our blogs, forums, and social media. When an event is related to a single user or an entire organisation, we will email the affected party to let them know (using the organisation administrator's registered email address as the primary email address).
Notice of a breach
The General Data Protection Regulation (GDPR) requires that, as data controllers, we notify the relevant Data Protection Authority of a breach within 72 hours of becoming aware of it. When necessary, we also notify the consumers based on any specific requirements. As data processors, we promptly notify the relevant data controllers.
To reach the community of researchers, a vulnerability reporting programme called "Bug Bounty" is in place, which appreciates and pays the efforts of security researchers. We're dedicated to collaborating with the community to confirm, replicate, address, and put into place the proper fixes for the reported vulnerabilities.
Please report any problems you encounter at email@example.com
Management of vendors and third-party suppliers
Our vendor management policy serves as the basis for how we assess and qualify our vendors. After doing risk analyses and learning about their service delivery procedures, we onboard new vendors. By establishing contracts that obligate the vendors to uphold the confidentiality, availability, and integrity pledges we have given to our clients, we take the necessary steps to ensure that our security position is maintained. By periodically reviewing their controls, we keep track of how well the organization's processes and security measures are working.
Customer security controls
We have talked about what we do to provide our clients with security so far on a variety of fronts. The following actions can be taken by customers to ensure security on their end:
Select a secure password that is distinct, and guard it.
Put multi-factor authentication to use.
To ensure that mobile applications are protected against vulnerabilities and using the most recent security features, utilise the most recent browser and mobile operating system versions.
When exchanging data from our cloud environment, take necessary measures.
Sort your data into personal or sensitive categories and give it the appropriate labels.
Manage roles and privileges for your account and keep an eye on devices connected to your account, current web sessions, and outside access to identify any unusual activity.
Watch out for unexpected emails, websites, and links that could be phishing or malware attempts to steal your private information by pretending to be Buopso or other services you trust.
Read our post on Understanding shared responsibility with Buopso to find out more about how you can collaborate with them to create a secure cloud environment. We offer a comprehensive study of the shared responsibility model and how Buopso's users can cooperate with one another and assume personal accountability for cloud security and privacy.
Your right to data security is one thing, and Buopso's constant goal is another. As always, we will put a lot of effort into maintaining the security of your data. Email at firstname.lastname@example.org if you have any additional questions about this subject.