Coreo Security

In detail

Introduction

This page provides some additional technical detail on Coreo security.  It should be read in conjunction with the Security – Overview page.

Architecture

Coreo is an ecosystem of services that provides cloud-based data collection and data storage and management. It uses a smartphone application to submit data to the Coreo backend (also referred to elsewhere as the Coreo Portal or Admin Area).  Users must have an account to submit data and user accounts are created within the Coreo ecosystem.  To provide these services we have built Coreo on top of a number of best-in-class systems.  The systems we utilise are as follows:

App

Both the iOS and Android apps are hybrid applications.  They utilise the following technologies:

Both apps are deployed to their respective app stores:

Coreo backend

  1. Heroku – https://www.heroku.com/
  2. AWS (S3, CloudFront) – https://aws.amazon.com/
  3. Sentry – https://sentry.io/welcome/
  4. Active Campaign – https://www.activecampaign.com/
  5. Imgix – https://imgix.com/
  6. Twicpics – https://www.twicpics.com/
  7. Mapbox – https://www.mapbox.com/

Those services highlighted in bold do, or might, receive personal data from you when you use aspects of Coreo’s services. Details of these are listed below in the section titled “3rd Party Reference Documentation”.

Heroku/AWS infrastructure

Data Center Security and Location

The Coreo infrastructure is hosted on the Heroku platform, which in turn is built on the technology of Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

All Coreo data is stored in AWS S3 within the AWS EU region, on secure servers in Dublin, Ireland.

Data Security

The Coreo Platform

The Coreo platform runs within its own isolated environment on the Heroku platform and cannot interact with other applications or areas of the system run by that vendor. The restrictive operating environment is designed to prevent security and stability issues. The self-contained environment has isolated processes, memory and file system whilst host-based firewalls restrict applications from establishing local network connections.

For further technical information see: https://devcenter.heroku.com/articles/dyno-isolation

Database Backups

The Coreo platform utilises a Heroku Postgres database, which employs a Continuous Protection system to keep data safe. All changes to the database are written to write-ahead logs which are shipped to multi-datacenter, high durability storage. In the unlikely event of an unrecoverable hardware failure, these logs can be automatically “replayed” to recover the database to within seconds of its last known state.

The database is also backed up regularly and stored on offsite secure storage.

Application Level Security

All passwords within the Coreo platform are salted and hashed. No member of staff can view them. If a password is lost it cannot be retrieved – it must be reset.

All communication within the Coreo platform is encrypted with TLS (see below).

FrontEnd Infrastructure

Parts of the Coreo Platform, including the admin area and some bespoke customer websites, are deployed to AWS CloudFront. AWS CloudFront is a fast and highly-secure content delivery network (CDN) service, providing both network and application level protection. CloudFront’s inbuilt security mechanisms provide a flexible, layered security perimeter protecting against multiple types of attacks including application layer and DDoS attacks.

AWS CloudFront infrastructure and processes are all compliant with PCI-DSS Level 1, HIPAA, ISO 9001, ISO 27001 and SOC (1, 2 and 3) to ensure secure delivery of your most sensitive data.

Encryption In-Transit

All network traffic sent within the Coreo platform, including traffic between Coreo backend servers, websites and mobile applications (iOS and Android), uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption.

There is no non-TLS option for connecting to Coreo – all connections are made securely over HTTPS.

Encryption At-Rest

All data written to disk within the Heroku Postgres database is automatically encrypted at rest.

Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if we learn of a security breach, we will notify affected users so that they can take appropriate protective steps. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers with all information necessary for them to meet their own regulatory reporting obligations.

Responsible Disclosure

If you’ve discovered a vulnerability in the Coreo application, please don’t share it publicly. Please send us the key details of what you observed, and how you got to that part of the operation in Coreo, by emailing us at: security@coreo.io. We review and prioritise all security concerns brought to our attention, and we take a proactive approach to emerging security issues. Every day, new security issues and attack vectors are created. Coreo strives to stay on top of the latest security developments both internally and by working with external security researchers and companies. We appreciate the community’s efforts in creating a more secure web.

Information Security

We are registered as a data controller with the Information Commissioner’s Office, registration ZA142040.

See also our page detailing our Privacy Policy.

3rd Party Reference Documentation

Heroku

Description of purpose: See above

Summary of data shared: All user and record metadata

To see Heroku’s full security policy see: https://www.heroku.com/policy/security

AWS

Description of purpose: See above

Summary of data shared: All user and record metadata

To see AWS’s full security policy see: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html

Sentry

Description of purpose: Used to monitor crashes, bugs and other related service issues.

Summary of data shared: User ID, email, device ID, device type, browser type and version.

To see Sentry’s full security policy see: https://sentry.io/security/

Active Campaign

Description of purpose: CRM system. Used to send onboarding guidance emails and periodic updates if you sign up to Coreo.

Summary of data shared: Email, name.

Updated: