Technology Overview
- Smartly.io is a web-based service for automating and optimizing marketing campaigns on different social media platforms, such as Facebook, Instagram and Pinterest.
- The service is built using modern programming languages, frameworks and orchestration platforms.
- The service is operating on modern Linux-based dedicated servers hosted in high security data centers operated by Hetzner Online GmbH in Germany, Europe.
- Additionally, Amazon Web Services (European regions) and Cloudflare are used for some functionality (e.g. CloudFront, S3, network optimization, DDoS protection).
- Hetzner, Amazon Web Services and Cloudflare are all ISO27001 certified.
- Smartly.io’s internal policies and practices are aligned with ISO27001 although we have not yet performed the certification.
- The processing of personal data is minimized in our systems and we have GDPR compliant Data Processing Agreements and Privacy Policies in place.
Security audits
- Smartly.io undergoes annual external penetration testing and code reviews by professional security consultants for our production environments.
- Internal penetration testing and code reviews are performed at least annually and after major changes.
- Network scanning of all internet-facing systems is performed quarterly.
Application security
- The Smartly.io web service is accessed with user-specified passwords and optional two-factor authentication (TOTP).
- The minimum required password length is 12 characters.
- All passwords are hashed using the bcrypt password hashing algorithm with cost factor 13. In addition to the built-in salts of bcrypt, additional “application salt” is used.
- All customer data is encrypted both in transit (TLS 1.2+) and at rest (disk encryption, aes-xts-plain64:sha512 with 512-bit keys).
Development Practices
- Smartly.io utilises agile methodologies as well as continuous integration (CI) and continuous deployment (CD) in its development.
- OWASP Top 10 awareness is an integral part of our software development culture.
- All code and configurations are maintained in a version control system and all changes require peer review and approval as well as passing the CI pipeline before they can be deployed.
- Automated code security analysis tools are used as part of the CI.
Logging and Monitoring
- All access and activity is logged to a centralized system.
- The environment and each service within are continuously monitored and alerts are triggered when anomalies are detected.
Network security
- The production environment is fully separated from development and testing environments and corporate networks.
- Multiple layers of firewalls are deployed both in front of and within the environments.
- Cloudflare is utilised in front of the service to provide additional WAF and DDoS protections as well as network optimization.
- TLS 1.2 and 1.3 are supported with the strongest cipher suites.
Vulnerability Management
- Smartly.io performs continuous assessment of vulnerabilities both in OS packages as well as in software libraries used in the applications.
- Automated patching is performed on a daily basis where feasible.
Incident Management
- An intrusion detection system is in place to detect and alert on any abnormal activity.
- An incident response team and documented incident-handling processes are in place.
Vendor Management
- Vendor risk assessment is performed for new vendors to ensure consistency with our security and privacy policies and commercial agreements.
- Data Processing Agreements are in place with all vendors that process Personal Data on Smartly.io’s behalf as a processor.
Organizational Security
- Smartly.io’s security team is responsible for risk management and information security.
- Security policies and supporting processes are in place and communicated to all employees.
- Confidentiality and non-disclosure clauses are part of our employment agreements.
- Access to Smartly.io premises is controlled with electronic locks.
- Smartly.io implements best practice security controls for all employee laptops, including full disk encryption, firewalls, malware protection and regular updates.
- On employee termination, all access to systems is revoked, and devices are returned and securely wiped.
Data Protection
- All access to and activity on customer data is logged and auditable.
- All customer data is encrypted at rest and stored in Europe.
- All backups are encrypted.
- Customer data will be removed upon contract termination or when the data is no longer needed to provide the service.
Business Continuity and Disaster Recovery
- Business Continuity and Disaster Recovery plans are documented, and we have committed to a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 24 hours.
- Smartly.io utilises a configuration management system for provisioning new servers and services, enabling rapid scalability and recovery from disasters.
- Production systems are distributed across multiple independent data centers and the load is evenly balanced.
- A zero-downtime release process is used to deploy new software versions without interruptions.
- Backups are taken at least daily, monitored and regularly tested.
If there are any questions or you found a security threat, do not hesitate to contact security@smartly.io.