Security and data protection

INFRASTRUCTURAL AND APPLICATION BEST PRACTICES

Reliability, scalability and security were the reasons that led us to choose the market-leading Cloud Provider as a reference partner for our Cloud systems. The security of the applications released on AWS is guaranteed by the adoption of the best practices recommended by the same Cloud Provider, by data encryption (at the database level first of all, as well as on object storage and in any other data medium “at rest“) to communication between services (always on internal VPCs, and strictly on a secure SSL channel), up to user authentication (via OAuth 2.0 standard for system users, and company Single Sign-on with multi-factor authentication for the employee who intervenes on the infrastructure).

INFRASTRUCTURE-AS-CODE E RESILIENCE

The entire infrastructure is managed through a “declarative approach” in the definition of resources and their configuration: this enables robust automatic “disaster recovery” procedures, which allow to minimize the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in case of distributed failure. We tend to periodically test these procedures to ensure that they are up to date and correct, commissioning periodic assessments to Cyber Security consultants outside the organization, to validate the technological choices and measures implemented to defend the platform perimeter.

AUDITING & DISTRIBUTED LOGGING

Any user activity in the system is tracked through application and system logs: on the one hand, activity tracking can help with troubleshooting, providing an accurate history of the activities performed and the respective responsibilities of developers, system administrators and/or end users; on the other hand, guaranteeing the compliance of our platform with the most recent rules imposed by the GDPR.

FURTHER CONSIDERATIONS ON THE GDPR ISSUE

All the activities described so far guarantee the safety standards required by the General Data Protection Regulation (GDPR) at any stage of the development and maintenance of the system. In addition to the technical choices aimed at minimizing the risk, the processing of the data is guaranteed with respect to the principles of lawfulness set out in the Regulation, in particular:

• Purpose limitation: upon login, the user accepts the conditions of use of the data and agrees to the processing; in case of subsequent updates regarding the purpose of the processing, it is possible to request the user to re-submit the approval form; the form is specific to the system, since Sofia’s customer is configured as the Data Controller, and elects Sofia as the Data Processor;
• Data minimization: we only collect relevant user data (ie, name, surname, email);
• Accuracy: the described auditing and logging processes guarantee complete visibility on how the data is modified, and by whom;
• Integrity and confidentiality: this is guaranteed by the activities discussed in the section Data partitioning and management of secrets;
• Limitation of retention: to guarantee the user the so-called “right to be forgotten”, the user can request the removal of the personal data he/she owns from the platform at any time. Any data deriving from these (e.g., access logs, related activities and events) will be “pseudonymised”, no longer having a valid reference to trace the identity of the natural person. The application logs are removed within 90 days (“log rotation” period), as well as the backups: this guarantees the complete removal of the aforementioned data even in storage systems “derived” from production within the terms of the law;
• Fair and transparent: Sofia’s customer remains the owner of the data, while the terms and conditions of use guarantee transparency on the purposes of the processing, in the manner described in the first point of this list.