Security

At Etlworks we take security and data protection very seriously. The figure below illustrates the layers of security between your data and the bad guys.

Security Layers

Perimeter Protection

Perimeter security addresses security at the periphery of any private network, right where it connects to the public Internet. Firewalls and other elements of the perimeter protection infrastructure enforce access control policies that govern which information enters and leaves the network.

We install and configure the following elements of the perimeter protection infrastructure:

Policies:

Perimeter Protection

Authentication and Access Control

User Authentication

A user must be authenticated to access any of the resources within Integrator, including but not limited to:

Integrator uses JWT-based security, which is completely stateless and does not use sessions or cookies.

Access Control

Integrator implements role-based access control (RBAC). In Role-Based Access Control, access decisions are based on an individual's roles and responsibilities within the user base.

In Integrator each user can be assigned one role.

The following roles are available:

Role Based Security

Policies:

Encryption

We encrypt all sensitive information transmitted to and stored on our servers.

Encryption during transmission

Since only SSL connections to the Integrator back-end are allowed, inbound and outbound traffic is automatically encrypted.

Encryption of the secure credentials

In Integrator, all passwords, access keys, and other secure credentials are encrypted with a strong encryption algorithm using a 512-bit private key.

Encryption of files

In Integrator, you can configure flows to store all files in an encrypted archive. This policy is not enforced.

Encryption of the JWT tokens

In Integrator, JWT tokens are hashed using a strong encryption algorithm with a 512-bit private key.

Application security

Application security encompasses measures taken throughout the code's life cycle to prevent gaps in the security policies of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, maintenance, or database of the application.

Static code analysis for security vulnerabilities

Every build of Integrator triggers an automatic run of the static code analyzer, configured to identify the maximum number of potential security exploits in the code.

Potential security vulnerabilities can prevent the build from completing. If the build is not successful, manual intervention is required, followed by analyzing and fixing the vulnerabilities on a case-by-case basis.

Continuous Integration (CI) and Continuous Deployment (CD)

Every commit to version control triggers a run of the unit tests, and every build of Integrator triggers a run of the comprehensive set of unit and integration tests. About 30% of all tests are dedicated to security.

Any error in any of the tests causes the build to fail. All bugs in the code identified by the tests must be fixed before the build can continue.

Scheduled, bug-free builds are automatically deployed to the designated environments. The deployment is atomic (all or nothing) and must be manually scheduled after the application passes quality control in the staging environment.

Protection for the API endpoints

All API endpoints in Integrator, including private ones, are protected by short-lived JWT tokens.

Read more about integrations and APIs.

Data protection

Customer Data

When you subscribe to our service, we ask you to enter contact information, such as a valid email address. We keep it in our database, which is completely isolated from the Internet.

When you place an order with us, we redirect you to our payment gateway provider, where you will continue entering sensitive/credit information over a secure SSL connection.

Important: we don't store credit information on our servers.

Read our privacy policy for more information.

Application Data and Credentials

Our data protection policy is very simple: typically we don’t have access to your data at all unless you opt in to store it on our servers.

Exceptions:

Policies:

Monitoring

Our monitoring suite is a combination of third-party services and a home-grown solution based on the industry-standard ELK stack. It includes the following elements:

In case of downtime or any critical problem in the infrastructure elements, we are notified within a few minutes. Our support team is able to jump right into the problem and fix it without disturbing the customer's operations. Etlworks offers different levels of SLA based on the subscription plan.

Disaster Recovery

Our disaster recovery plan includes the following elements: