Technology and Security Overview

• Smartly.io is a web based service for automating and optimizing marketing campaigns on different social media platforms, such as Facebook, Instagram, Pinterest, and Snapchat.
• The service is built using modern programming languages, frameworks and orchestration platforms.
• The service is operating on modern Linux-based dedicated servers hosted in high security data centers operated by Hetzner Online GmbH in Germany, Europe.
• Additionally Amazon Web Services (European regions) and CloudFlare are used for some functionality (e.g. CloudFront, S3, network optimization, DDoS protection).
• Hetzner, Amazon Web Services and CloudFlare are all ISO27001 certified.
• The processing of personal data is minimized in our systems and we have GDPR compliant Data Processing Agreements and Privacy Policies in place.

• Smartly.io undergoes annual external penetration testing and code reviews by professional security consultants for our production environments.
• Internal penetration testing and code reviews are performed at least annually and after major changes.
• Network scanning of all internet-facing systems is performed quarterly.

• Smartly.io web service is accessed by user-specified passwords and optional two-factor authentication (TOTP)
• The minimum required password length is 12 characters.
• All passwords are hashed using the bcrypt password hashing algorithm with cost factor 13. In addition to the built-in salts of bcrypt, additional “application salt” is used.
• All customer data is encrypted both in transit (TLS 1.2+) and at rest (disk encryption, aes-xts-plain64:sha512 with 512-bit keys).

• Smartly.io uses agile methodologies as well as continuous integration (CI) and continuous deployment (CD) in its development.
• OWASP Top 10 awareness is an integral part of our software development culture.
• All code and configurations are maintained in a version control system and all changes require peer review and approval as well as passing the CI pipeline before they can be deployed.
• Automated code security analysis tools are used as part of the CI.

• All access and activity is logged to a centralized system.
• The environment and each service within are continuously monitored and alerts are triggered when anomalies are detected.

• The production environment is fully separated from development and testing environments and corporate networks.
• Multiple layers of firewalls are deployed both in front of and within the environments.
• Cloudflare is used in front of the service to provide additional WAF and DDoS protections as well as network optimization.
• TLS 1.2 and 1.3 are supported with the strongest cipher suites.

• Smartly.io performs continuous assessment of vulnerabilities both in OS packages as well as in software libraries used in the applications.
• Automated patching is performed on a daily basis where feasible.
• Intrusion detection system is in place to detect and alert about any abnormal activity
• Incident response team and documented incident handling processes are in place

• Vendor risk assessment is performed for new vendors to ensure consistency with our security and privacy policies and commercial agreements 
• Data Processing Agreements are in place with all vendors that process Personal Data on Smartly.io’s behalf as a processor

• Smartly.io’s security team is responsible for risk management and information security
• Security policies and supporting processes are in place and communicated to all employees
• Confidentiality and non-disclosure clauses are part of our employment agreements
• Access to Smartly.io premises is controlled with electronic locks
• Smartly.io implements best practice security controls for all employee laptops, including full disk encryption, firewalls, malware protection and regular updates. 
• On employee termination, all access to systems are revoked and devices returned and securely wiped

• All access and activity to customer data is logged and auditable
• All customer data is encrypted at rest and stored in Europe
• All backups are encrypted
• Customer data will be removed upon contract termination or when the data is no longer needed to provide the service.

• Business Continuity and Disaster Recovery plans are documented and we have commited to Recovery Time Objective (RTO) of 24 hours and Recovery Point Objective (RPO) of 24 hours
• Smartly.io utilizes a configuration management system for provisioning new servers and services enabling rapid scalability and recovery from disasters
• Production systems are distributed to multiple independent data centers and the load is evenly balanced
• Zero-downtime release process is used to deploy new software versions without interruptions
• Backups are taken at least on a daily basis, monitored and regularly tested

If there are any questions or you found a security threat, do not hesitate to contact security@smartly.io.