Security

At Etlworks, we take security and data protection very seriously. The figure below illustrates the layers of security between your data and an attacker.

Security Layers

Perimeter Protection

Perimeter security addresses security at the edge of a private network, where it connects to the public Internet. Firewalls and the other elements of the perimeter protection infrastructure enforce access control policies that govern which traffic may enter and leave the network.

We install and configure the following elements of the perimeter protection infrastructure:

Policies:

Perimeter Protection

Authentication and Access Control

User Authentication

The user must be authenticated to access any of the resources within Integrator, including but not limited to:

Integrator uses JWT-based security, which is completely stateless: the server keeps no session and sets no cookie, and every request is authenticated solely by the signed token it carries. Because there is no server-side session to invalidate, tokens are kept short-lived (see Protection for the API endpoints below).

Access Control

Integrator implements role-based access control (RBAC): access decisions are based on a user's role and responsibilities within the organization, not on per-user grants.

In Integrator, each user is assigned exactly one role, so a user's permissions are those of that role alone; there is no union of several roles.

The following roles are available:

Role-Based Security

Policies:

Encryption

We encrypt all sensitive information transmitted to and stored on our servers.

Encryption during transmission

Only TLS (HTTPS) connections to Integrator's back end are accepted, so all inbound and outbound traffic is encrypted in transit.

Encryption of secure credentials

In Integrator, all passwords, access keys, and other secure credentials are encrypted at rest with a strong encryption algorithm using a 512-bit key; they are never stored in plaintext.

Encryption of files

In Integrator, you can configure flows to store all files in an encrypted archive. This is optional and not enforced: it is enabled per flow.

Encryption of JWT tokens

In Integrator, JWT tokens are signed with a strong keyed-hash (HMAC) algorithm using a 512-bit key. The payload of a JWT is not secret, only tamper-evident: a token whose signature does not verify is rejected, so a client cannot alter its own claims.

Application security

Application security encompasses the measures taken throughout the code's life cycle to prevent gaps in the security policies of an application or the underlying system (vulnerabilities) caused by flaws in the design, development, deployment, upgrade, or maintenance of the application or its database.

Static code analysis for security vulnerabilities

Every build of Integrator triggers an automatic run of the static code analyzer, configured to flag the widest possible set of potential security vulnerabilities in the code.

Findings can block completion of a build. A failed build requires manual intervention: each reported vulnerability is analyzed and fixed on a case-by-case basis before the build is retried.

Continuous Integration (CI) and Continuous Deployment (CD)

Every commit to version control triggers the unit tests, and every build of Integrator triggers a comprehensive set of unit and integration tests. About 30% of all tests are dedicated to security.

Any failing test fails the build. Every bug the tests identify must be fixed before the build can proceed.

Scheduled, passing builds are deployed automatically to the designated environments. A deployment is atomic (all or nothing) and is scheduled manually, only after the application has passed quality control in the staging environment.

Protection for the API endpoints

All API endpoints in Integrator, including the private ones, are protected by short-lived JWT tokens: a request without a valid, unexpired token is rejected.
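The following is an added illustration, not Etlworks' own code, of the token scheme described in the User Authentication, Encryption of JWT tokens and API protection sections: a stateless token signed with HMAC-SHA-512 (the JWT HS512 algorithm, assumed here because the page cites a 512-bit key) that carries exactly one role and a short expiry, and is verified with nothing but the key. The role names, the 300-second lifetime and the example key are assumptions made for the example.

```python
"""Stateless JWT authentication with one role per user (HS512).

Added illustration, not Etlworks Integrator code: it shows the properties the
page describes (stateless JWT, short-lived tokens, a single role per user,
512-bit signing key) using only the Python standard library.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed 512-bit (64-byte) secret for the example only. A real deployment
# generates it randomly (e.g. secrets.token_bytes(64)) and loads it from a
# secret store; never derive it from a fixed string as done here.
SECRET_KEY = hashlib.sha512(b"example-only-not-a-real-key").digest()

TOKEN_TTL_SECONDS = 300                           # "short-lived": assumed value
ROLES = ("administrator", "operator", "viewer")   # hypothetical role names


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, role: str, now: Optional[int] = None,
                key: bytes = SECRET_KEY) -> str:
    """Create an HS512-signed JWT carrying exactly one role and an expiry."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS512", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "iat": now,
               "exp": now + TOKEN_TTL_SECONDS}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: Optional[int] = None,
                 key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    Nothing is looked up server-side: the key and the token are all that is
    needed, which is what makes the scheme stateless. The flip side is that
    a token cannot be revoked before 'exp', so the lifetime must stay short.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:                      # bad base64 or bad JSON
        return None
    # Pin the algorithm: reject "alg": "none" and algorithm-confusion attempts.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time compare
        return None
    try:
        claims = json.loads(_b64url_decode(p64))
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:                # short-lived: expired tokens die here
        return None
    if claims.get("role") not in ROLES:
        return None
    return claims


def authorize(token: str, required_role: str, now: Optional[int] = None) -> bool:
    """RBAC check: one role per user, so it is an exact match, not a set lookup."""
    claims = verify_token(token, now)
    return claims is not None and claims["role"] == required_role


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", "operator", now=t0)
    print("fresh token, operator endpoint:", authorize(token, "operator", now=t0 + 60))
    print("fresh token, admin endpoint:   ", authorize(token, "administrator", now=t0 + 60))
    print("same token after lifetime:     ", authorize(token, "operator", now=t0 + TOKEN_TTL_SECONDS))
```

Two points the code makes that the prose only implies: the signature covers the whole payload, so a client that edits its own role claim (or swaps in the payload of a differently-privileged token) gets a rejected token; and because the server holds no session, the only way an issued token stops working is the expiry, which is why the lifetime has to be short.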

Read more about integrations and APIs.

Data protection

Customer Data

When you subscribe to our service, we ask you for contact information such as a valid email address. We keep it in our database, which is not reachable from the Internet.

When you place an order with us, we redirect you to our payment gateway provider, where you enter your payment card information over a TLS (HTTPS) connection.

Important: we do not store payment card information on our servers.

Read our privacy policy for more information.

Application Data and Credentials

Our data protection policy is simple: typically we have no access to your data at all, unless you opt in to store it on our servers.

Exceptions:

Policies:

Monitoring

Our monitoring suite combines third-party services with home-grown solutions based on the industry-standard ELK stack (Elasticsearch, Logstash, Kibana). It includes the following elements:

In case of downtime or any critical problem in an infrastructure element, we are notified within a few minutes, and our support team can start working on the problem immediately without disturbing the customer's operations. Etlworks offers different SLA levels depending on your subscription plan.

Disaster Recovery

Our disaster recovery plan includes the following elements: