CHILI publish Security Policy
Our customers trust CHILI publish with their data, and this responsibility is something we take seriously. We take appropriate security measures to ensure our customer and business data is protected.
Data center and network security
We ensure the confidentiality and integrity of your data with industry best practices. CHILI publish primarily hosts Service Data (as defined below) in Microsoft AZURE data centers that have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and SOC 2 compliant. Authentication and authorization data is stored and managed in Auth0. See Azure Compliance and Azure Security for more information.
We take steps to securely develop and test against security threats to ensure the safety of our customer data. In addition, CHILI publish employs third-party security experts to perform detailed penetration tests on different applications within our family of products. This according to formalized procedures.
Product security features
We make it seamless for customers to manage user access. All communications with CHILI publish servers are encrypted using industry standard HTTPS over public networks, meaning the traffic between you and CHILI publish is secure.
We use guidance of general accepted security and privacy frameworks to help our customers to meet their own compliance standards. CHILI publish is ISO27001:2017 certified.
You can find the Certificate itself and The Statement of applicability here
Our network is protected through the use of key AZURE security services, integration with protection networks, regular audits, and network intelligence technologies which monitor and/or block known malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, CHILI publish employs third-party security experts to perform a broad penetration test of key CHILI services.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
CHILI publish has architected a multi-layer approach to DDoS mitigation. The use of Microsoft AZURE scaling and protection tools provide deeper protection along with our use of Microsoft AZURE DDoS specific services.
Access to the CHILI publish Production Network is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team.
Security Incident Response
In case of a system alert, events are escalated to our teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with CHILI publish UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and CHILI publish is secure during transit.
Encryption at Rest
Service Data is encrypted at rest in Microsoft AZURE.
Availability and Continuity
Uptime identifies the availability of the services excluding scheduled maintenance. Scheduled maintenance is maintenance that might include downtime and is planned and communicated beforehand:
- At least 3 business days in advance: send out a notification to inform about the scheduled work, its purpose, and foreseen outages
- At the completion of the changes confirming the maintenance is finished and the actual downtime taken
CHILI publish employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime allows us to deliver high level of service availability, as Service Data is replicated across availability zones.
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Business Continuity Recovery
Business continuity recovery point objectives (“RPO”) will be twenty-four (24) hours and recovery time objectives (“RTO”) will be twelve (12) hours or up to forty-eight hours (48) in case the disaster occurs between Friday 4PM and Monday 8AM CET, depending on support hours.
Recovery Point Objective (RPO) means, for a given function, the maximum tolerable period in hours in which data might be lost from such function due to a disaster or business continuity event.
Recovery Time Objective (RTO) means, for a given service, the duration of time in hours within which such service must be restored after a disaster recovery or business continuity event such that the Provider is providing the service and is able to meet the service levels associated with such service.
The compliance of the CHILI publisher software is affected when:
- The Subscription date is out of range.
- The number of environments is exceeding the subscription limits
- The Renders and/or Storage is exceeding the allowed limits.
- Overdue invoice(s)
The effect of non-compliance is the temporary suspension of the CHILI publisher service for all environments and regions, until the compliance issue has been resolved.
Secure Development (SDLC)
Framework Security Controls
CHILI publish leverages modern and secure frameworks with security controls to mitigate security risks.
Our Quality Assurance (QA) department reviews and tests our code base.
Testing and staging environments are logically separated from the Production environment. Service Data will never be used for development and testing.
Static Code Analysis
The source code repositories are scanned for security issues via our integrated static analysis tooling.
CHILI leverages vulnerability management technology and tools to constantly guard against common vulnerabilities and exposures.
Third-party Penetration Testing
In addition to our extensive internal scanning and testing program, CHILI publish employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Service Credential Storage
CHILI publish follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
Additional product security features
Role-Based Access Controls
Access to data within CHILI publish applications is governed by role-based access control (RBAC) and can be configured to define granular access privileges.
CHILI publish is developing a comprehensive security policy covering a range of topics. This policy is shared with and made available to all employees and contractors with access to CHILI publish information assets.
All employees and contractors attend a Security Awareness Training which is given upon hire and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
All new hires are required to sign Non-Disclosure and Confidentiality agreements.