Security

Oscar Söderlund

Data protection

Nblocks is hosted in a Virtual Private Cloud (VPC) in Amazon Web Services (AWS). AWS data centers apply the highest standards of both physical and digital protection against data breaches and are certified against ISO 27001, amongst other standards. More information about data protection at AWS can be found at https://aws.amazon.com/compliance/data-protection/

All application and database data, both in transit and at rest, is encrypted, and the only entry points to the Nblocks infrastructure from the outside world are ports 80 and 443. The sole purpose of port 80 is to gracefully redirect traffic to the encrypted HTTPS port 443.

Data in transit over open networks is encrypted using HTTPS/TLS.

At the infrastructure level, access to production environments, including databases and file storage, is completely restricted. Only the system administrators responsible for operation and maintenance can temporarily access data, and only within a set time window, from a set geographical location and with a specific key pair. This access is granted case by case by the CTO.
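The time-boxed, location-bound access described above, as an added example (not Nblocks' own configuration; the page does not say that IAM conditions are how it is implemented): an AWS IAM policy that grants production access only inside a fixed window and from an approved address range, plus a local pre-check of a request against those same conditions. The account id, bucket, instance id, CIDR and dates are constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed placeholders: not real Nblocks resources or addresses.
BUCKET_ARN = "arn:aws:s3:::PLACEHOLDER-prod-storage"
INSTANCE_ARN = "arn:aws:ec2:eu-north-1:111122223333:instance/i-PLACEHOLDER"
ADMIN_CIDR = "203.0.113.0/24"          # TEST-NET-3; stands in for the approved location
WINDOW_START = "2024-01-15T08:00:00Z"  # start of the CTO-approved access window
WINDOW_END = "2024-01-15T12:00:00Z"    # after this the grant lapses on its own


def build_policy(start=WINDOW_START, end=WINDOW_END, cidr=ADMIN_CIDR):
    """IAM policy document: read production storage and push a short-lived
    SSH key via EC2 Instance Connect, only inside the window and from the CIDR."""
    window = {
        "DateGreaterThan": {"aws:CurrentTime": start},
        "DateLessThan": {"aws:CurrentTime": end},
        "IpAddress": {"aws:SourceIp": cidr},
    }
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TimeBoxedReadOfProductionStorage",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
                "Condition": window,
            },
            {
                "Sid": "PushShortLivedSshKeyToProductionHost",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": INSTANCE_ARN,
                # ec2:osuser pins the pushed key to one OS account on the host.
                "Condition": {**window, "StringEquals": {"ec2:osuser": "ec2-user"}},
            },
        ],
    }


def request_allowed(policy, sid, when_iso, source_ip):
    """Local pre-check mirroring IAM's Date*/IpAddress evaluation for one
    statement (simplified: only these condition keys are considered)."""
    cond = next(s for s in policy["Statement"] if s["Sid"] == sid)["Condition"]
    start, end, now = (datetime.fromisoformat(t.replace("Z", "+00:00")) for t in
                       (cond["DateGreaterThan"]["aws:CurrentTime"],
                        cond["DateLessThan"]["aws:CurrentTime"], when_iso))
    from_cidr = ipaddress.ip_address(source_ip) in ipaddress.ip_network(cond["IpAddress"]["aws:SourceIp"])
    return start < now < end and from_cidr
```

Because the window is part of the policy itself, nobody has to remember to revoke the grant: the same request that succeeds at 09:30 is denied at 13:00, and a request from outside the approved range is denied at any time.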

Vulnerability scans

We use an independent third party that continuously monitors our applications for known weaknesses and vulnerabilities. We also use AWS Trusted Advisor to scan the infrastructure and keep its protection up to date.

Security patches

Nblocks reviews its frameworks and their updates on a recurring basis in a monthly security review. Vital patches and upgrades are prioritized in our 2-week sprint schedule, and our team can initiate an escalated update of the system if a critical update is released for any framework we use.

Development process

We work with code reviews, automated tests and vulnerability scans. The software includes automated tests that exercise known ways of penetrating the software and attempt to access resources that should not be granted. Every code change is reviewed from a security perspective, and only the CTO can approve a code change for a production release.