Security and data protection

OPEN SOURCE TO SUPPORT SECURITY

We believe it is strategic to rely on widely maintained and consolidated Open Source software components, avoiding where possible custom solutions that are difficult to maintain and not extensively tested. The “not invented here” and “security through obscurity” approaches are not part of our culture, even more than our systems.

INFRASTRUCTURAL AND APPLICATION BEST PRACTICES

Reliability, scalability and security were the reasons that led us to choose the market-leading Cloud Provider as a reference partner for our Cloud systems. The security of the applications released on AWS is guaranteed by the adoption of the best practices recommended by the same Cloud Provider, by data encryption (at the database level first of all, as well as on object storage and in any other data medium “at rest“) to communication between services (always on internal VPCs, and strictly on a secure SSL channel), up to user authentication (via OAuth 2.0 standard for system users, and company Single Sign-on with multi-factor authentication for the employee who intervenes on the infrastructure).

INFRASTRUCTURE-AS-CODE E RESILIENCE

The entire infrastructure is managed through a “declarative approach” in the definition of resources and their configuration: this enables robust automatic “disaster recovery” procedures, which allow to minimize the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in case of distributed failure. We tend to periodically test these procedures to ensure that they are up to date and correct, commissioning periodic assessments to Cyber Security consultants outside the organization, to validate the technological choices and measures implemented to defend the platform perimeter.

PROTECTION OF THE COMPANY PERIMETER

The security of company computers and devices is guaranteed through disk encryption, biometric identification of the employee and complete remote management of the device fleet. Personnel authentication for access to internal and external company services takes place, where technically feasible, via Single Sign-On (SSO) via Google Suite Business: this guarantees us a single point of access to corporate communications and systems , with strict policies on password renewal and multi-factor identification. The access keys to systems that do not support integration with our SSO Provider are shared through a dedicated secret management service, which in turn can only be accessed via corporate SSO.

DATA PARTITIONING AND SECRET MANAGEMENT

The production and development environments are physically and logically independent, allowing us to severely limit access to real user data to strictly authorized personnel only for application and infrastructure maintenance activities. The application code and the secrets necessary for accessing the systems are always managed independently, using automatic procedures for the reconciliation of references to secrets during the software release phases in their respective environments. The use of a reliable and centralized secret management service (based on a “zero knowledge” architecture) allows us to automate the management of access keys and their periodic rotation.

AUDITING & DISTRIBUTED LOGGING

Any user activity in the system is tracked through application and system logs: on the one hand, activity tracking can help with troubleshooting, providing an accurate history of the activities performed and the respective responsibilities of developers, system administrators and/or end users; on the other hand, guaranteeing the compliance of our platform with the most recent rules imposed by the GDPR.

FURTHER CONSIDERATIONS ON THE GDPR ISSUE

All the activities described so far guarantee the safety standards required by the General Data Protection Regulation (GDPR) at any stage of the development and maintenance of the system. In addition to the technical choices aimed at minimizing the risk, the processing of the data is guaranteed with respect to the principles of lawfulness set out in the Regulation, in particular:

Purpose limitation: upon login, the user accepts the conditions of use of the data and agrees to the processing; in case of subsequent updates regarding the purpose of the processing, it is possible to request the user to re-submit the approval form; the form is specific to the system, since Sofia’s customer is configured as the Data Controller, and elects Sofia as the Data Processor;
Data minimization: we only collect relevant user data (ie, name, surname, email);
Accuracy: the described auditing and logging processes guarantee complete visibility on how the data is modified, and by whom;
Integrity and confidentiality: this is guaranteed by the activities discussed in the section Data partitioning and management of secrets;
Limitation of retention: to guarantee the user the so-called “right to be forgotten”, the user can request the removal of the personal data he/she owns from the platform at any time. Any data deriving from these (e.g., access logs, related activities and events) will be “pseudonymised”, no longer having a valid reference to trace the identity of the natural person. The application logs are removed within 90 days (“log rotation” period), as well as the backups: this guarantees the complete removal of the aforementioned data even in storage systems “derived” from production within the terms of the law;
Fair and transparent: Sofia’s customer remains the owner of the data, while the terms and conditions of use guarantee transparency on the purposes of the processing, in the manner described in the first point of this list.