What security measures do you apply?

Hosting

We host multiple clients on a single standalone environment on AWS, exposed through a single RESTful API. AWS employs a robust security program with multiple certifications, including ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3 and PCI DSS.

The system that hosts Screena is based on an ARM Linux system. All hard drives are encrypted.

We use Amazon API Gateway and Amazon Load Balancer with a WAF to distribute requests and protect the system from DDoS attacks.

The production operating systems receive security updates on a daily basis.

To learn how we ensure High Availability, check the answer to this question: How do you handle High Availability?

Code

All the code produced for the core application and associated services adheres to the OWASP guidelines and recommendations to prevent common security issues such as cross-site scripting (XSS) or SQL injection. Every code change is committed, signed, and tracked in a version control system.

During the development phase of the application, an automated security audit is performed with GitLab and Sonar tools and reviewed before each release.

Access

To use the Screena API, an API key is mandatory. We issue one API key, unique to each client, on a one-off basis. The API key is used to authenticate requests for usage and billing purposes; every API request must be associated with an API key.

Multiple logging systems are in place to detect unauthorized access to the system. We use the standard logging from Amazon CloudTrail and CloudWatch, and additionally log each API request internally within the application.

No administration URL is exposed externally. Administration URLs are only accessible from the internal network.

We performed an independent third-party penetration test on November 13th, 2023 to assess the security posture of our services.

You can read the executive summary of the Screena penetration test conducted by Luxembourg-based IT security company STIDIA:

Data

We don't store or keep customers' personal data sent through the Screena search endpoint. We only log and count the number of API requests executed monthly for billing purposes.
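The three practices described under Access and Data (per-client API key authentication, a log entry for every API request, and a monthly request count kept for billing without retaining the search payload) can be combined in one request-handling layer. The following is an added illustration, not Screena's code; the client ids, key values and the `run_search` placeholder are constructed for the example.

```python
"""Added example: API-key authentication plus request logging and monthly
counting, without retaining the personal data in the search payload."""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timezone


def _digest(api_key: str) -> str:
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed key store: SHA-256 of each issued key -> client id.
# Only hashes are kept server side, so a leaked table does not leak keys.
API_KEYS = {
    _digest("client-A-key-0001"): "client-A",
    _digest("client-B-key-0002"): "client-B",
}

audit_log = []                      # one metadata entry per request
monthly_counts = defaultdict(int)   # (client, "YYYY-MM") -> request count


def lookup_client(api_key):
    """Return the client id for api_key, or None if it is unknown."""
    if not api_key:
        return None
    digest = _digest(api_key)
    for stored, client in API_KEYS.items():
        if hmac.compare_digest(stored, digest):   # constant-time compare
            return client
    return None


def run_search(payload):
    # Placeholder for the actual screening logic; results are not retained.
    return []


def handle_search(api_key, payload, source_ip, ts=None):
    """Authenticate, log metadata only, count for billing, then search."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    client = lookup_client(api_key)
    status = 200 if client else 401
    # The payload (names, identifiers) is deliberately absent from the log.
    audit_log.append({"ts": ts, "ip": source_ip, "endpoint": "/search",
                      "client": client, "status": status})
    if client is None:
        return status, {"error": "missing or invalid API key"}
    monthly_counts[(client, ts[:7])] += 1       # ts[:7] is "YYYY-MM"
    return status, {"results": run_search(payload)}
```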

Data is kept anonymous at all times, as data in transit is encrypted in compliance with AES-256 and SHA-512.
