We maintain our cloud security posture in line with industry security standards and best practices so that we follow them and stay protected. Here is an overview of our groundwork on cloud security:
All application and database servers are hosted in a private subnet and are not exposed to the internet; in other words, these machines have no public IP addresses. The application and database servers are hosted in a separate subnet, ensuring the highest level of security measures is in place.
Security by Design
42Gears services are hosted on trusted platforms such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and MongoDB Atlas. These data centers are equipped with an array of robust security features, including security guards, fencing, security feeds, and advanced intrusion detection technology.
We employ a minimum of 128-bit symmetric encryption and a 1024-bit authenticated key agreement to ensure the confidentiality and integrity of your data. Additionally, we have implemented the HTTP Strict Transport Security (HSTS) header across all our web connections. This further strengthens the security of your data by forcing browsers to use HTTPS, which prevents protocol-downgrade attacks such as SSL stripping.
Data Retention, Recovery and Backup
To safeguard data and configurations of all our applications, we have implemented a robust data retention, recovery, and backup system. Regular backups are consistently created to ensure the safety and availability of your data. These database backups are generated at scheduled intervals and securely uploaded to an AWS bucket. This guarantees that your data is protected and readily recoverable in the event of any unforeseen circumstances.
42Gears Cloud relies on the robust security framework provided by Amazon Web Services (AWS) and adheres to the AWS Shared Responsibility Model. For detailed information, please refer to the AWS Shared Responsibility Model. Within the 42Gears cloud infrastructure, data is meticulously segregated on multiple layers to maintain logical separation.
Here at 42Gears, we have a dedicated product security team to test and resolve product security issues. Our engineering team follows a secure software development lifecycle policy. Our product security focuses on the security of data processed by, or in relation to, our products. Security is embedded in all aspects of our innovation, products, systems, and services.
From concept through production, and at every stage in between, we prioritize security throughout the entire product development lifecycle.
We recommend that all connections to our servers, including web access, API access, and mobile apps, use SSL/Transport Layer Security (TLS 1.2) encryption with strong ciphers.
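Added example, not 42Gears' code, showing how a defender could verify the two controls described above: an HSTS header value is parsed per RFC 6797 and checked for a year-long max-age and includeSubDomains, and a negotiated TLS session is checked against the page's floor of TLS 1.2 with strong ciphers and 128-bit keys. The thresholds and the cipher-name heuristics are assumptions, and all inputs are constructed.

```python
import re

# Added example (not 42Gears code): policy checks for an HSTS header value and a
# negotiated TLS session. Inputs are constructed; nothing touches the network.
ONE_YEAR = 31536000                    # seconds; typical minimum HSTS max-age
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}   # TLS 1.0/1.1 are deprecated (RFC 8996)
MIN_BITS = 128                         # symmetric strength floor stated on the page
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

def check_hsts(value):
    """Policy findings for a Strict-Transport-Security value (RFC 6797 section 6.1):
    directive names are case-insensitive, max-age is mandatory, duplicates are invalid."""
    directives = {}
    for raw in value.split(";"):
        name, _, arg = raw.partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:
            return [f"duplicate HSTS directive: {name}"]
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return ["max-age missing or not a non-negative integer"]
    max_age, findings = int(directives["max-age"]), []
    if max_age == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent; subdomains stay unprotected")
    return findings

def check_tls_session(cipher, version, bits):
    """Findings for a negotiated session; arguments follow the order returned by
    Python's ssl.SSLSocket.cipher(), e.g. ('ECDHE-RSA-AES128-GCM-SHA256', 'TLSv1.2', 128)."""
    findings = []
    if version not in ALLOWED_TLS:
        findings.append(f"{version} is below TLS 1.2")
    if bits < MIN_BITS:
        findings.append(f"{bits}-bit key is below the {MIN_BITS}-bit minimum")
    if any(m in cipher for m in WEAK_MARKERS):
        findings.append(f"{cipher} uses a deprecated primitive")
    if version != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append(f"{cipher} offers no forward secrecy")
    if not any(m in cipher for m in ("GCM", "CHACHA20", "CCM")):
        findings.append(f"{cipher} is not an AEAD suite")
    return findings
```

In a live check the header value would come from the response to an HTTPS request and the session tuple from `ssl.SSLSocket.cipher()` on the same connection.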
Annual Testing & Security Scan
We conduct regular Vulnerability Assessment and Penetration Testing, following the OWASP (Open Web Application Security Project) standards. Our external pentest is performed by CyRAACS, a reputable cyber security company in India. Furthermore, we engage third-party vendors to assess our applications annually.
Product Security Team
Our Product Security team comprises highly skilled professionals whose primary objective is to identify and mitigate potential vulnerabilities and threats throughout the product's lifecycle.
At 42Gears, every employee is actively engaged in our security culture. We promote a security-conscious mindset throughout the organization through ongoing training and awareness programs. This ensures that our team members understand their roles and responsibilities in maintaining a secure environment and protecting sensitive data.
Employee Background Checks
With the utmost priority placed on the security and well-being of our organization, we have established a robust policy mandating employee background verification. This policy serves as a crucial safeguard, enabling us to thoroughly assess the backgrounds of all employees. By implementing this mandatory procedure, we are committed to ensuring a secure and trustworthy work environment, instilling confidence among our stakeholders and protecting the interests of our organization.
We consistently provide essential Information Security awareness training throughout the organization at regular intervals. In addition, we assess employees' knowledge through tests and quizzes to identify areas where further training is needed. To promote awareness and foster innovation in security and privacy, we also organise internal events.
Internal Audits and Checks
To proactively identify and mitigate potential threats, we conduct weekly audits of malware reports. These audits involve a comprehensive examination of potential malware and security vulnerabilities, allowing us to promptly address any emerging risks.
In addition to the weekly audits, we perform internal security audits of our servers at a defined frequency. These audits ensure that our servers adhere to the highest security standards and that all necessary security measures are in place to protect sensitive data and prevent unauthorized access.
Our network architecture ensures that sensitive data is protected through industry best-practice security policies and procedures. These include hardened firewall configuration rules, logical network segmentation, proactive monitoring, active vulnerability assessments, load balancing, digital certificates, and more.
Our network security and monitoring measures are strategically crafted to deliver robust layers of protection and defence. By employing firewalls, we effectively thwart unauthorised access and undesired traffic from compromising our network. Additionally, we fortify our systems by implementing network segmentation, which acts as a safeguard to shield sensitive data from potential threats.
Physical & Infrastructure Security
We have active and passive security control measures in place to protect employees, technology, information, and infrastructure against unauthorized access, sabotage, damage, and criminal activity.
We ensure stringent control over access to our resources, including buildings, infrastructure, and facilities. To achieve this, we employ access cards that regulate entry to and use of these resources. Different access cards are assigned to employees, contractors, vendors, and visitors, restricting their access solely to the purpose of their presence on the premises.
We enforce strong data protection standards to guarantee appropriate data handling at all classification levels, from processing and storage to transfer and destruction. We ensure that the appropriate encryption controls are in place for data at rest in the cloud.
Our Software Development Life Cycle (SDLC) serves as a guiding framework, enforcing adherence to secure coding guidelines. Moreover, we employ a range of robust measures to screen code changes for potential security vulnerabilities. These measures include utilising code analyser tools, vulnerability scanners, and conducting thorough manual reviews to ensure the utmost security.
Business Continuity & Disaster Recovery
42Gears uses a high-availability architecture to ensure that, in the event of a failure, service performance continues to meet client expectations. We maintain ISO 27001:2013 and SOC 2 Type II compliance, which requires the production, maintenance, and testing of a Disaster Recovery Plan (DRP).