Are the systems and software used regularly subjected to a pen test?
Yes, external yearly pen tests are conducted.
Is customer data encrypted while in transit? (in motion)
All traffic sent over public networks is encrypted using industry standard encryption.
HTTPS involves a software certificate with a 2048-bit key size, signature algorithm SHA384 with RSA and TLS 1.2 support.
See https://www.ssllabs.com/ssltest/analyze.html?d=webapp.honestly.de for more information.
Is customer data encrypted at rest?
Yes, all data is encrypted at rest including offsite backups. Data is AES 256 bit encrypted.
Where are the backup locations (city and country)?
Backups are stored encrypted and run daily in a datacenter in Frankfurt, Germany (Offsite). Multiple availability zones.
Where are the data centers (city and country)?
Frankfurt, Germany. Multiple availability zones.
Is the system redundant?
Yes:
- Loadbalanced multiple redundant application instances, multiple redundant storage locations and multiple redundant database instances
- Offsite backups can be restored at any time
What is the recovery time in the event of server failure/damage?
Services are recovered automatically when instances die.
What kind of software development processes does Honestly use to produce secure software?
- Continuous integration & Continuous delivery incl. unit, functional and integration tests.
- Access to source code is limited on a need to know basis
- Access to source code is restricted per app and product
- All developers are continuously trained in regards to OWASP Top 10
- Other related literature regarding security
What kind of logging facilities does Honestly use?
- State of the art security monitoring and logging
- Central application and web server level logging
Are Honestly data centers certified?
See https://aws.amazon.com/de/compliance/programs/ & https://aws.amazon.com/de/compliance/programs/
How is physical security regulated in the data centre?
See https://aws.amazon.com/de/compliance/programs/ & https://aws.amazon.com/de/compliance/programs/
How do you protect your systems against security vulnerabilities?
- Systems are scanned for vulnerabilities regularly (daily)
- System security patches are applied within 24 hours
- Critical software security patches are applied within 24 hours
- Packages are scanned automatically in Continuous integration
- Complete server scans are conducted (port, virus, firewall, file...)
- Instances are scanned weekly
- Logs are analyzed and users are banned automatically based on failed attempts
Are your employees aware of their obligation to maintain the confidentiality of all customer data?
Yes:
- NDAs are in place with all employees
- Annual training for all employees on data privacy with follow up test and documentation
- Other awareness trainings like simulated phishing attacks are implemented
In which countries is customer data stored and processed?
All Honestly Servers are located in Germany. Email notifications are sent via Mailjet with data centers in the European Union.
How does the private app registration via MDM work?
This description applies to clients who use their own MDM system to rollout Honestly Engage to its employees. To associate each employee with the client’s account a secret randomly generated account token is pushed (encrypted) to each employee’s device via Apple’s managed app configuration feature. On first start the Engage App sends this account token to Honestly’s server. During this encrypted registration process a new app instance is generated together with a secret access token which is used by the app in the future to authenticate. The generated app instance is associated to the client’s account using the account token.
How do you deal with authentication & authorization?
We support email address and password login. We also support SSO login. We support multiple roles and admins can give users access on segments of employee data. The separation of permissions are done on a logical level.
Data flow and architecture:
