The security policy below applies to our services
Safety is one of the most important priorities for us because it is fundamental to your experience with the product. We do everything we can to protect the data of your application so that the vulnerability of systems is eliminated and continuity of access is guaranteed.
We use a variety of technologies and services to protect your data against unauthorized access, disclosure, use and loss.
If you want to report a vulnerability or have any security issues with a Shiftbase product, please contact firstname.lastname@example.org. Add a proof of concept, a list of used tools (including versions) and the output of the tools. We take all disclosures very seriously. After we have received your submission, we will quickly validate each vulnerability before taking the necessary steps to resolve the issue. After verification, we regularly send out status updates as we are working on solving the issues.
Infrastructure and Network Security
Physical access control
We host our servers on Google Cloud Platform. Google’s data centres have a layered security model, including comprehensive security such as:
- Custom designed electronic entry cards
- Vehicle access barriers
- Environmental protection
- Metal detectors
According to the Google Security White Paper: “The data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by professional security guards who have undergone rigorous background checks and training.”
We have no physical access to Google's data centres, servers, network equipment or storage.
Logical access control
Shiftbase is the assigned administrator of its infrastructure on Google Cloud Platform and only designated authorized Shiftbase administrators have access to configure the infrastructure as needed behind a two-factor virtual private network.
Google Cloud Platform regularly undergoes various external independent audits and can provide verification of compliance checks for its data centers, infrastructure and operations. This includes, but is not limited to, SSAE 16 compliant SOC 2 certification and ISO27001 certification.
Intrusion Detection and Prevention
Unusual network patterns or suspicious behaviour are among our biggest concerns for infrastructure hosting and management.
The intrusion detection and prevention systems (IDS / IPS) of Google Cloud Platform and Cloudflare are based on both signature protection and algorithm protection to identify traffic patterns that are comparable to known attack methods.
IDS / IPS involves closely controlling the size and composition of the attack surface, using intelligent detection at data input points. IDS / IPS is constantly being developed and new technologies are being applied so that dangerous situations are automatically resolved.
Business Continuity and Disaster Recovery
Every part of our service has redundant servers spread over multiple data centres (e.g. multiple load balancers, web servers, backups).
We make daily backups of the database, which we store encrypted in multiple regions within the Google Cloud Platform. In the event of loss of production data, we can restore the data from these backups.
In the event of a failure of the entire region, we will start a duplicate environment in another region within the Google Cloud Platform. In case the entire Google Cloud is not available, we will then migrate to an alternative.
Your data can be managed and viewed over a secure HTTPS connection via our user interface and REST APIs. We can link to external applications on request so that you can merge data from our system with data from your other systems.
Data security and privacy
All data on our servers is automatically encrypted during storage.
Google Cloud Platform stores cryptographic keys and manages them in its redundant and globally distributed Key Management Service. Thus, if an intruder is ever able to access any of the physical storage devices, the data contained therein could still not be decrypted without the keys, making the information a useless jumble of random characters.
Encryption during storage also allows continuity measures, such as backup and infrastructure management, without compromising the security and privacy of data.
We only send data via HTTPS transport layer security (TLS) with encrypted connections for extra security during data transfer to and from the application.
Data retention and removal
We keep your data for as long as we have an agreement with you.
System logs are saved for 7 days.
We delete all your data 30 days after cancelling your agreement with us; any database backups are automatically deleted 60 days after your data has been deleted.
Data can be deleted and/or modified via our REST API and user interface.
Multi-Factor Authentication
In addition to logging in with an e-mail address and password combination, we also offer Multi-Factor Authentication (MFA), which adds an extra layer of security using a time-based one-time password algorithm (TOTP).
We advise all our customers to use up-to-date software. By this we mean that the operating system as well as the internet browser must be a recent version with the latest security updates.
REST API Authentication (API Key)
Our REST API uses personal authorization tokens or an API key for authentication. These tokens are sent via an Auth header to verify access to the REST API.
Part of our service is sending e-mail. Sender Policy Framework (SPF) is a system to prevent spoofing of e-mail addresses and to minimize incoming spam. We have set SPF records for e-mail via our domain name service (DNS), as well as Domain-based Message Authentication, Reporting, and Conformance (DMARC), to prevent the possibility of phishing scams.
User management is a central part of security and management, and is the first step in securing your data.
Your account can be subdivided into Branches, Departments and Teams. The authorization of your users can be set through departmental roles. You can manage the roles and access rights in the user interface, so that you can specify who is allowed to do what.
Secure Application Development
Shiftbase uses continuous delivery (CD), which means that all code changes are recorded, tested, sent and iterated on in quick succession. A continuous delivery methodology, supplemented with reviews of code changes, continuous integration (CI) and automated debugging, considerably reduces the chance of a security problem and improves the response time and the effective resolution of errors and vulnerabilities.
All our code changes are checked by a second developer and through CI for quality, bugs and vulnerabilities.
The changes are then checked again in a pre-production environment. If everything works properly, one of our administrators can approve the change, after which an automated roll-out of the change takes place in the production environment.
We maintain a series of internal documents that together form the security policy for the organization. These are constantly supplemented, updated and checked annually for gaps.
All new employees receive onboarding and system training, including for the environment and permission settings, and an evaluation of the security policy.
All developers review the security policy as part of onboarding and are encouraged to review and contribute to the policy through internal documentation. Important updates are communicated by e-mail to all our employees.