Data Center Security and Location
The Coreo infrastructure is hosted on the Heroku platform, which in turn is built on the technology of Amazon Web Services (AWS). Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
For Heroku’s full security policy, see: https://www.heroku.com/policy/security
All Coreo data is stored within the AWS EU region, on secure servers in Dublin, Ireland.
The Coreo Platform
The Coreo platform runs within its own isolated environment on the Heroku platform and cannot interact with other applications or areas of the system run by that vendor. This restrictive operating environment is designed to prevent security and stability issues. The self-contained environment has its own isolated processes, memory and file system, while host-based firewalls prevent applications from establishing local network connections.
For further technical information, see: https://devcenter.heroku.com/articles/dyno-isolation
The Coreo platform utilises a Heroku Postgres database, which employs a Continuous Protection system to keep data safe. All changes to the database are written to write-ahead logs, which are shipped to multi-datacenter, high-durability storage. In the unlikely event of an unrecoverable hardware failure, these logs can be automatically “replayed” to recover the database to within seconds of its last known state.
The database is also backed up regularly and stored on offsite secure storage.
We are registered as a data controller with the Information Commissioner’s Office, registration ZA142040.
Application Level Security
All passwords within the Coreo platform are salted and hashed. No member of staff can view them. If a password is lost it cannot be retrieved – it must be reset.
All communication within the Coreo platform is encrypted with TLS (see below).
Parts of the Coreo Platform, including the admin area and some bespoke customer websites, are deployed to AWS CloudFront. AWS CloudFront is a fast and highly secure content delivery network (CDN) service, providing both network-level and application-level protection. CloudFront’s inbuilt security mechanisms provide a flexible, layered security perimeter protecting against multiple types of attacks, including application-layer and DDoS attacks.
AWS CloudFront infrastructure and processes are compliant with PCI DSS Level 1, HIPAA, ISO 9001, ISO 27001 and SOC 1, 2 and 3, to ensure secure delivery of your most sensitive data.
All network traffic sent within the Coreo platform, including traffic between Coreo backend servers, websites and mobile applications (iOS and Android), uses industry-standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption.
There is no non-TLS option for connecting to Coreo – all connections are made securely over HTTPS.
All data written to disk within the Heroku Postgres database is automatically encrypted at rest.
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if we learn of a security breach, we will notify affected users so that they can take appropriate protective steps. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers with all the information necessary for them to meet their own regulatory reporting obligations.
If you’ve discovered a vulnerability in the Coreo application, please don’t share it publicly. Instead, please submit a report to us via the process outlined below. We review all security concerns brought to our attention, and we take a proactive approach to emerging security issues. New security issues and attack vectors appear every day. Coreo strives to stay on top of the latest security developments, both internally and by working with external security researchers and companies. We appreciate the community’s efforts in creating a more secure web.
Please email any security concerns to us at: email@example.com
- March 2020 – First edition