Data Security

• All database servers are physically and logically separated from application servers to keep them accessible only from application servers.
• Our database servers are certified by PCI, HIPAA, and SOC, with security programs for finance, healthcare, government, and more.
• The platform operates in a Virtual Private Cloud in each of its certified data centers.
• All communication between servers is secured with security groups. These are analogous to an inbound network firewall. Security groups help in enabling the specific protocols, ports, and source IP ranges that are allowed to reach servers. These security groups determine which traffic is allowed to reach the servers.
• All of the server’s access is controlled by a PCI DSS Compliance Identity & Access Management policy, which restricts users to manage security groups and network policies without permission.

Encryption

• All data on the network during transit is encrypted with a TLS 2048-bit SSL certificate.
• Passwords are hashed before storing them in the database. The hashes remain resistant to any potential attacks
• Industry-standard and secure algorithms were used to generate a digitally signed token for URL-safe means of communication between two parties.

Application Security

• Industry-standard Authentication and Authorization algorithms are implemented to ensure the safe entry and role assignment to users
• Anti-Brute Force logic is implemented to prevent any potential attacks
• Mandatory peer review and static code analysis are done for every code change.
• Organization data is segmented at a spot level within Groupe.io and is only available to employees of the organization who have been explicitly authorized as admins of that spot.
• Admins can grant access to users with secure passcode & and multi-step verification and set password expiration schedules.
• Each user is identified by a combination of user account and device id and accessibility can be restricted with specific to device, geolocation, wifi, email.
• Administrators can revoke access to individual users and remotely wipe data from user’s device

Reliability

• Groupe.io operates state-of-the-art; is highly available; and is resilient to disasters, thanks to geographically distributed data centers. Although rare failures can occur that affect the availability of instances in the same geolocation, other data centers from a different region always ensure availability.
• Images are stored on the CDN and are replicated on multiple servers around the world to serve them to end-users with high availability and high performance.
• Only those within the company having a genuine business, need to know the actual location of data centers.
• To prevent unauthorized access, data centers are secured with a variety of physical controls like full-time on-site security personnel, 24/7/365 video surveillance, and strict physical access controls.

Admin Console

• Admins can grant access to users with a secure passcode and multi-step verifications.
• Security and accessibility preferences allow admins to restrict how and where users can access data. User accessibility can be restricted specific to device, geolocation, wifi, and email.
• Users using defamatory, offensive, mean-spirited content can be banned using the Admin Console.

Testing

• Mocha is used for test coverage reporting and for checking memory leak detection. This also ensures accurate reporting, while mapping uncaught exceptions to the correct test cases.
• Vulnerability assessments and Penetration tests are done based on the OWASP Application Standards and SANS- CWE

Audits

• Continuous Monitoring and reporting features were implemented, which extensively monitor activities on servers, generate priority-based notifications, captures activity logs, and remain available for querying logs for audit.
• Event loggers and hooks ensure all activities are recorded, monitored, and any event which is determined as critical, e.g. uncaught exceptions, fires a detailed mail to tech Teams.
• Server security policy changes are captured and logged, and email alerts are sent within a few minutes of any changes on existing policies.
• Groupe.io follows six months clear log comprehensive retention policy.

Contact us

If you have any questions, get in touch with us at [email protected], and we’ll get back to you right away.