Technology and Security Overview


To earn and maintain the trust and confidence of the world’s largest and most advanced advertisers, Smartly.io takes all reasonable precautions to safeguard our systems and the data entrusted to us by our customers against breaches of confidentiality, integrity and availability. This overview provides insight into the practices Smartly.io follows with regard to information security and technology management.


Technology Overview

  • Smartly.io is a web-based service for automating and optimizing marketing campaigns on social media platforms such as Facebook, Instagram and Pinterest.
  • The service is built using modern programming languages, frameworks and orchestration platforms.
  • The service runs on modern Linux-based dedicated servers hosted in high-security data centers operated by Hetzner Online GmbH in Germany, Europe.
  • Additionally, Amazon Web Services (European regions) and Cloudflare are used for some functionality (e.g. CloudFront, S3, network optimization, DDoS protection).
  • Hetzner, Amazon Web Services and Cloudflare are all ISO 27001 certified.
  • Smartly.io’s internal policies and practices are aligned with ISO 27001, although we have not yet undergone certification.
  • The processing of personal data is minimized in our systems and we have GDPR compliant Data Processing Agreements and Privacy Policies in place.


Security Audits

  • Smartly.io undergoes annual external penetration testing and code reviews by professional security consultants for our production environments.
  • Internal penetration testing and code reviews are performed at least annually and after major changes.
  • Network scanning of all internet-facing systems is performed quarterly.


Application Security

  • Access to the Smartly.io web service is authenticated with user-chosen passwords and optional two-factor authentication (TOTP).
  • The minimum required password length is 12 characters.
  • All passwords are hashed with the bcrypt password hashing algorithm at cost factor 13 (2^13 rounds). In addition to the per-password salt that bcrypt generates itself, an application-wide secret is applied (what is usually called a pepper, referred to here as an “application salt”), so that a copy of the password database alone is not enough to attack the hashes offline.
  • All customer data is encrypted both in transit (TLS 1.2 or later) and at rest (disk encryption with aes-xts-plain64:sha512 and 512-bit keys; XTS splits that key into two 256-bit halves, so this is AES-256).
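As an added worked example, not Smartly.io’s own code, the following Python shows the password-storage pattern the bullets above describe: a minimum-length check, a random per-password salt, a slow password hash, and an application-wide secret applied on top of the salt. The standard library’s scrypt stands in for bcrypt, which is not in the Python standard library; the pepper value, its version id, the cost parameters and the self-describing record format are this example’s own constructed choices, not anything the page states.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict

MIN_PASSWORD_LENGTH = 12

# Constructed example secret: a real pepper is a random 32-byte value kept in a
# secrets manager or KMS/HSM, never in the database that holds the hashes.
# Giving each pepper a version id is what makes rotation possible later.
PEPPERS: Dict[str, bytes] = {
    "v1": bytes.fromhex("9f8e7d6c5b4a39281706f5e4d3c2b1a0a1b2c3d4e5f60718293a4b5c6d7e8f90"),
}
CURRENT_PEPPER_ID = "v1"

# Work factor for the slow hash. scrypt is used here as a stand-in for bcrypt;
# N=2**14, r=8 costs about 16 MiB of memory per hash (128 * r * N bytes).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
ALGORITHM = "scrypt-pepper"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _apply_pepper(password: str, pepper: bytes) -> bytes:
    # HMAC binds the password to the server-side secret before the slow hash.
    # The output is a fixed 32 bytes, so the same step also keeps bcrypt (which
    # only reads the first 72 bytes of its input) from silently truncating.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def _slow_hash(peppered: bytes, salt: bytes, n: int) -> bytes:
    return hashlib.scrypt(peppered, salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, pepper_id: str = CURRENT_PEPPER_ID) -> str:
    """Return a self-describing record: $algorithm$pepper_id$N$salt$digest."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)  # unique per password; stored in the clear next to the hash
    digest = _slow_hash(_apply_pepper(password, PEPPERS[pepper_id]), salt, SCRYPT_N)
    return "$".join(["", ALGORITHM, pepper_id, str(SCRYPT_N), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    try:
        _, algorithm, pepper_id, n, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        pepper = PEPPERS[pepper_id]  # KeyError if the pepper has been retired
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        cost = int(n)
    except (ValueError, KeyError):
        return False  # malformed record or unknown pepper: fail closed
    actual = _slow_hash(_apply_pepper(password, pepper), salt, cost)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True if the record predates the current pepper or a raised work factor."""
    parts = record.split("$")
    if len(parts) != 6 or parts[1] != ALGORITHM:
        return True
    return parts[2] != CURRENT_PEPPER_ID or int(parts[3]) < SCRYPT_N


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Correct horse battery staple", stored))  # False
    print(needs_rehash(stored))  # False
```

Keeping the pepper id inside the stored record is what allows the secret to be rotated: `needs_rehash` flags records made under an old pepper or a lower cost, and such a record is re-hashed at the user’s next successful login, the only moment the cleartext is available. Applying the pepper with HMAC rather than by concatenation also keeps the input to the slow hash a fixed 32 bytes, which matters with bcrypt because it only looks at the first 72 bytes of its input.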


Development Practices

  • Smartly.io utilises agile methodologies as well as continuous integration (CI) and continuous deployment (CD) in its development.
  • OWASP Top 10 awareness is an integral part of our software development culture.
  • All code and configurations are maintained in a version control system and all changes require peer review and approval as well as passing the CI pipeline before they can be deployed.
  • Automated code security analysis tools are used as part of the CI.


Logging and Monitoring

  • All access and activity are logged to a centralized system.
  • The environment and each service within are continuously monitored and alerts are triggered when anomalies are detected.


Network Security

  • The production environment is fully separated from development and testing environments and corporate networks.
  • Multiple layers of firewalls are deployed both in front of and within the environments.
  • Cloudflare is utilised in front of the service to provide additional WAF and DDoS protections as well as network optimization.
  • TLS 1.2 and 1.3 are supported, with only strong cipher suites enabled.
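As an added example, not Smartly.io’s own configuration, here is how a "TLS 1.2 and 1.3 with strong cipher suites only" policy translates into a server-side context in Python’s standard ssl module, next to a deliberately permissive context and a small audit function that reports a protocol floor below TLS 1.2, non-AEAD suites, and TLS 1.2 suites without forward secrecy. The cipher string and the policy checks are this example’s choices; the page does not publish the actual suite list.

```python
import ssl
from typing import List

# Forward-secret (ECDHE) key exchange with AEAD record protection only. OpenSSL
# manages the TLS 1.3 suites separately from this string; they are all AEAD already.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK"

# Key-exchange names as reported by SSLContext.get_ciphers() that give forward secrecy.
FORWARD_SECRET_KEX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context for the stated posture: TLS 1.2+ and strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS-level compression enables CRIME
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE  # the server's suite order wins over the client's
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """Weak counterpart for comparison: every suite the OpenSSL build offers, default floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")  # includes CBC/HMAC suites and static-RSA key exchange
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means the context meets the policy."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():
        if not suite["aead"]:
            # CBC mode with a separate MAC: padding-oracle history, no integrity-with-encryption
            findings.append(f"non-AEAD suite enabled: {suite['name']}")
        elif suite["protocol"] == "TLSv1.2" and suite["kea"] not in FORWARD_SECRET_KEX:
            # e.g. static RSA key exchange: a leaked server key decrypts recorded traffic
            findings.append(f"suite without forward secrecy: {suite['name']}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_server_context()))   # []
    for finding in audit_context(legacy_server_context()):
        print("legacy:", finding)
```

With Cloudflare in front of the service, browsers negotiate TLS with the Cloudflare edge rather than with the origin, so the edge’s protocol and cipher settings, not only the origin’s, determine what a client actually sees; both need to be reviewed against the same policy.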


Vulnerability Management

  • Smartly.io performs continuous assessment of vulnerabilities both in OS packages and in the software libraries used by the applications.
  • Automated patching is performed daily where feasible.


Incident Management

  • An intrusion detection system is in place to detect and alert on abnormal activity.
  • An incident response team and documented incident handling processes are in place.


Vendor Management

  • Vendor risk assessment is performed for new vendors to ensure consistency with our security and privacy policies and commercial agreements.
  • Data Processing Agreements are in place with all vendors that process Personal Data on Smartly.io’s behalf as a processor.


Organizational Security

  • Smartly.io’s security team is responsible for risk management and information security.
  • Security policies and supporting processes are in place and communicated to all employees.
  • Confidentiality and non-disclosure clauses are part of our employment agreements.
  • Access to Smartly.io premises is controlled with electronic locks.
  • Smartly.io implements best-practice security controls on all employee laptops, including full disk encryption, firewalls, malware protection and regular updates.
  • On employee termination, all access to systems is revoked and devices are returned and securely wiped.


Data Protection

  • All access to and activity on customer data is logged and auditable.
  • All customer data is encrypted at rest and stored in Europe.
  • All backups are encrypted.
  • Customer data is removed upon contract termination or when it is no longer needed to provide the service.


Business Continuity and Disaster Recovery

  • Business Continuity and Disaster Recovery plans are documented, and we have committed to a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours.
  • Smartly.io utilises a configuration management system for provisioning new servers and services, enabling rapid scaling and recovery from disasters.
  • Production systems are distributed across multiple independent data centers and the load is evenly balanced between them.
  • A zero-downtime release process is used to deploy new software versions without interruptions.
  • Backups are taken at least daily, monitored and regularly tested.


If there are any questions or you found a security threat, do not hesitate to contact security@smartly.io.
