Last updated: 27th Jan, 2021
This is how we think about security at Consent Kit. A lot of companies will tell you that “security is our number one priority” but for Consent Kit it is truly integral to our product and marketing.
Why security really is vital for Consent Kit
One of our core principles is to make it easy to carry out ethical research. We are building tools and services to help this mission. We are asking you “the researcher” or “research manager” to be considerate with participants data and use informed consent to build trust through transparency.
If we are asking you to do this with your participants then we need to hold ourselves accountable to our own mission and standards.
We must be careful and considerate with your (and your participants) data. Being transparent with how we handle our security will enable us to build trust with you as a customer.
In short, keeping your participants and your data secure is a large part of our service. We want you to trust us with your data.
How we take care of your data
Ethics first data
Our first principle is to make sure we are using your data ethically. We use the ODI The Data Ethics Canvas – The ODI to regularly sense check that we are using data ethically and responsibly.
ISO 27001 data centres
Our infrastructure runs on Heroku, which is built upon Amazon Web Services (AWS). Heroku delivers a Platform as a Service (PaaS) with exceptional security.
For more information please see the following:
Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centres and utilise the Amazon Web Service (AWS) technology.
Amazon continually manages risk and undergoes reoccurring assessments to ensure compliance with industry standards.
Amazon’s data centre operations have been accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX)
We do not have data centres as we are a cloud SaaS provider. Physical security to our servers and to your data is managed by AWS security certifications
Data storage and encryption at rest
Your data is encrypted at rest using AES256 encryption within the Heroku Postgres production tier.
All user passwords are stored using the Bcrypt password hashing function and stored in the database. Bcrypt uses salts and a complex hashing algorithms.
Encryption in transit
All communication between you, your services and Consent Kit, that includes your data, traverses the Internet via encrypted HTTPS traffic using TLS v1.3 where supported. We support older browsers with TLS v1.2.
This encryption during communication ensures information cannot be read or manipulated by unauthorised third parties.
Backups and data retention
We ensure that all data is regularly backed up.
Your data lives in our servers for as long as you need them. When you delete your account all the data is deleted.
Access to data
Consent Kit staff are granted access to systems and data based on their role in the company or on an as-needed basis. SSO and 2FA are used to ensure access is as secure as possible.
Access to customer data by Consent Kit staff is only used to assist with support and to resolve customer issues.
When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.
Network and application level security monitoring and protection
We use a third party tool called Sqreen to monitor and protect our infrastructure and application from various threats and to log when these attacks occur.
Sqreen provides us with:
- Infrastructure protection from automated scanners, bots and targeted attacks. It blocks attacks and alerts in case of critical threats.
- Protection against data breaches by monitoring and blocking brute force attacks.
- Automatic monitoring of suspicious behaviours with regards to user accounts. We can react fast in case of account takeovers to protect customers against data theft by blocking credential stuffing or brute force attacks.
- A runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
- Security monitoring that allows us to get visibility into our application security, identify attacks and respond quickly to a data breach. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.
Sqreen is also deeply integrated into our application helping us protect against the most critical attack categories like SQL injections, cross-site scripting and adds security headers to our application. It blocks attacks in real-time and warns us when attackers start stressing our application.
All Consent Kit’s web application communications are sent using Postmark and are encrypted TLS ensuring messages are encrypted in transit to remote mail servers and ISPs who support TLS.
How we keep our code secure
All vulnerabilities are managed and tracked through a defined set of stages. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system.
We have an internal SLA that stipulates deadlines for fixing vulnerabilities.
If necessary, a post-mortem is arranged as a learning exercise for our whole company to improve security.
Automatic static code analysis
When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies.
Our security monitoring tool also detects vulnerable or out of date dependencies within the application on the server.
Quality Assurance (QA)
Once the code is ready to be tested, it is deployed to our staging environment. This environment is a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different domain name to ensure complete separation from production.
We use agile user stories to break up work and these are ranked in importance and risk. All high value and risk stories are reviewed by other members of the team on its own stand-alone Heroku Review App.
Secure software development life cycle (SDLC)
Security is part of our SDLC and influences the product roadmap and specific features. We implement the philosophy of “security by design” where security features are embedded in the product design to ensure, to the best of our abilities, that existing and new functionalities are free of vulnerabilities.
How we secure our business
Mobile device management
All hardware devices (desktops, laptops, phones) that Consent Kit staff use are encrypted to ensure that if stolen or lost they do not present a security risk.
Password managers and policy
To ensure an acceptable level of password security, we have an existing password policy in place. Passwords that are too generic are not allowed while the use of unique passwords per website is strongly advised. We also encourage the use of password managers, for example 1Password, that help make it easier and safer for you to keep track of your credentials.
The use of multi-factor authentication (MFA) is enforced throughout the main services Consent Kit relies on. MFA is also encouraged by Consent Kit.
MFA is also mandatory for Heroku and GitHub access.
Credit Card Security
When you purchase a paid Consent Kit subscription, your credit card data is not transmitted through nor stored on our systems. All of Consent Kit’s credit card processing is handled securely by Stripe.
Any card data is transmitted to stripe via encrypted HTTPS
Have questions or feedback? Feel free to reach out to us at firstname.lastname@example.org