It is easy to say you take security seriously, but when you’re entrusted by major corporations with strategic data you really do take security seriously! And while we’re proud that we’ve earned approvals from companies like Adobe, bwin.party, Cisco, RELX Group and Transamerica, we’re also humble and know that security practices are a moving target. Accordingly, we strive to be vigilant and update our systems to follow industry best practices in security.
Here is an FAQ covering several of our most common questions and topic areas. Please contact us if you have any additional questions.
Hosting and Operations
| Topic | Policy |
| --- | --- |
| Risk Management Policies | Conteneo has formally defined HR and risk management policies designed to promote enterprise security practices. Enterprise customers may review these policies to ensure they comply with their guidelines. |
| Insurance | Conteneo maintains Commercial General Liability, Cyber-Liability and other forms of insurance. |
| Hosting | We host at secure facilities at Rackspace. Access to our servers is monitored and audited. |
| System Admins | Conteneo System Administrators manage the operations of the system (e.g., updating the software). System Administration access is tightly managed and controlled. Conteneo System Administrators also provision the domain names associated with Enterprise accounts. |
| Enterprise Admins | We define at least one Enterprise Administrator for every enterprise account. These people manage the public custom registration pages of each customer, enterprise frameworks (frameworks defined for the enterprise) and users. Additional roles are described below. |
System Architecture and Data Management
OWASP Top 10 Vulnerabilities: As far as we know, Conteneo was the first enterprise application vendor to write all of its platforms in Scala/Lift, and indeed, we were and remain a major benefactor and supporter of David Pollak and the Lift team.

Lift is a “secure by design” user interface framework, with built-in safeguards against many of the OWASP Top 10 vulnerabilities. See: http://seventhings.liftweb.net/security.

For the remaining OWASP Top 10 vulnerabilities not explicitly managed by Lift:

A6: Conteneo has strict policies in place to prevent security misconfiguration, including keeping every part of our application stack current.

A7: Passwords are stored using proper encryption. We do not store any credit card data but instead use Stripe.

A9: We use HTTPS and maintain proper certificates.

A10: We do not forward or redirect users to any page outside of our control. Facilitators can configure an “Exit URL” that takes participants to a specified URL after a forum is completed, but this Exit URL is under your control, not ours.
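The A10 entry above describes a redirect whose target is configured by the facilitator rather than taken from a request parameter. The following is an added illustration, not Conteneo's or Lift's code, of the kind of check a platform can run on a stored Exit URL before sending a participant to it: the allowlist of hosts, the default landing page and the function name are all assumptions, and the https-only rule is a design choice that keeps the redirect from downgrading transport. Rejected values return a reason string so that they can be logged and reviewed rather than silently dropped.

```python
from urllib.parse import urlsplit

# Constructed sample: hosts a facilitator is permitted to send participants to
# after a forum ends. In a real deployment this would be stored per enterprise account.
ALLOWED_EXIT_HOSTS = frozenset({"survey.customer.example", "intranet.customer.example"})

# Hypothetical page on the platform itself, used whenever a configured Exit URL is rejected.
DEFAULT_EXIT_URL = "https://platform.example/forum/complete"


def validate_exit_url(candidate, allowed_hosts=ALLOWED_EXIT_HOSTS, fallback=DEFAULT_EXIT_URL):
    """Return (url_to_redirect_to, rejection_reason).

    The configured target is accepted only if it is an absolute https URL whose
    host is on the allowlist; anything else yields the fallback page together
    with a short reason suitable for an audit log.
    """
    if not isinstance(candidate, str) or not candidate.strip():
        return fallback, "empty"
    candidate = candidate.strip()

    # Whitespace or control characters inside the URL are a sign of parser
    # confusion or header injection; reject instead of trying to normalise.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback, "control character"

    try:
        parts = urlsplit(candidate)
    except ValueError:
        return fallback, "unparseable"

    # A bare path, a protocol-relative "//host/path", or a javascript:/data:
    # scheme all fail here: only https is accepted.
    if parts.scheme.lower() != "https":
        return fallback, "scheme not https"

    # "https://trusted.example@other.example/" puts the trusted name in the
    # userinfo part; refuse credentials in the URL outright.
    if parts.username is not None or parts.password is not None:
        return fallback, "userinfo present"

    host = parts.hostname  # lower-cased, with userinfo and port already stripped
    if not host:
        return fallback, "missing host"

    # Exact-match the registered host (trailing dot removed); a lookalike such as
    # "survey.customer.example.other.example" is a different host and is rejected.
    if host.rstrip(".") not in allowed_hosts:
        return fallback, "host not allowed"

    return candidate, None


if __name__ == "__main__":
    # Constructed sample inputs, as a facilitator might enter them in a settings form.
    for configured in [
        "https://survey.customer.example/done?id=1",
        "http://survey.customer.example/done",
        "//survey.customer.example/done",
        "https://survey.customer.example@other.example/",
        "https://survey.customer.example.other.example/",
    ]:
        target, reason = validate_exit_url(configured)
        print(f"{configured!r:55} -> {target} ({reason or 'accepted'})")
```

Because the decision is made from the stored configuration at redirect time, a later change to the allowlist takes effect without re-validating every forum, and the reason strings give a security team a simple signal to alert on when many rejections cluster on one account.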
Multi-Tenant: Our present architecture is multi-tenant. We are exploring single-tenant architectures in which individual customers could establish their own data management policies. If you require single-tenant support, contact us and we’ll explore how we can help you accomplish this goal.

Backups: Because our present architecture is multi-tenant, our data management and backup policies are designed to balance (a) normal users who delete something and might want it recovered and (b) users who invoke their “Right to Be Forgotten” (Article 17 of the GDPR) and want confidence that deletions are securely erased through the backup process.

At present, our operational system is backed up by automatic Rackspace processes every few hours. These backups are stored in a circular queue lasting less than one week. Thus, within that short window, (a) normal users who delete something and would like it recovered can be serviced. After 30 days, (b) users who want confidence that deletions are securely erased through the backup process can be confident that their data has been permanently erased.

This is a uniform data management policy which we believe is suitable for a multi-tenant architecture and has been deemed acceptable by our customers. It is also a policy that we believe is compliant with GDPR.

Note that we encourage customers to retain information in our system for as long as they deem it valuable.