How We Keep Your Data Secure
Rewind is built from the ground up with security in mind. As experts in data backups, security isn’t just a feature. It’s at the core of what we do.
- We require two-factor authentication (2FA) for all users for all systems that support 2FA (code repositories, build systems, cloud providers).
- Our internal systems are only accessible over a VPN.
- We apply the “least privilege” model meaning we assign access to employees based on the absolute least access someone needs to be able to perform their duties.
- We use the latest version of Ruby on Rails for most of our application development which provides many “out of the box” security benefits (encrypted cookies, sanitized DB queries via ActiveRecord, strong parameters).
- We use tools like Brakeman and Rubocop to ensure we are writing secure code
- Running in Amazon Web Services (AWS), we use IAM roles to define very specific access policies for what resources an application is allowed to access. These policies are used to enforce separation of concerns (ie. systems supporting Shopify backups cannot access data related to BigCommerce).
- The access policies themselves are defined as part of an infrastructure as code model and held under version control which requires several levels of review for any changes made.
- Where applications need to communicate with external services using credentials, the credentials are stored encrypted in a vault out-of-band from the service itself and any build or deploy systems we use.
- For sensitive data like platform access tokens, we encrypt these with a second key within the database. This means that even applications and humans that can query the database must be able to decrypt the access keys in order to communicate with a platform. The key itself is stored encrypted and only accessible by applications that require it.
- At the network level, we use AWS security groups with rules allowing least privilege access to required services. For example, only services that need access to a database can access that database.
Physical Security 🗄️
- We host Rewind on Amazon Web Services (AWS), the most secure infrastructure provider on the planet. AWS provides many layers of security.
- Data is stored in one of 3 regional centers (US, Europe, and Canada) for compliance with requirements like GDPR.
- If you have a requirement to have backup data stored in a different geographic location, you can contact our team and we can work with you to store your data where needed. (Enterprise plans only)
- All data at rest in our databases, cache services, or other data stores is encrypted using standard AWS encryption mechanisms – typically AES 256.
- For data in transit across the network, all communication takes place using HTTPS (encrypted) connections. We use a certificate with a 2048 bit key size on all of our Rewind endpoints and certificates are rotated yearly.
How do we monitor for security events? 🔍
- Our applications undergo an external audit by a 3rd party to identify any security concerns.
- We have configured alarms and metrics according to the Center for Internet Security AWS Foundations Benchmark
- AWS has a fantastic range of tools and services for ongoing security monitoring. We utilize Guard Duty, AWS CloudTrail, and VPC Flow Logs to monitor all network activity.
- AWS Security Hub gives us a comprehensive view of our high-priority security alerts and compliance status across our AWS services.
- We continuously scan our application using Detectify both on a schedule and automatically when new threat definitions are updated
- Through our vulnerability disclosure policy (VDP), we work with external security researchers and examine all submissions and remediate where required