Security Policy

Security is very important to PushMetrics and everyone here is doing their best to keep your notebooks and data secure. This document describes our internal security policies and how those translate into creating a secure platform that you can trust.

Data Protection

You can read our Data Processing Agreement in full as a recap.

GDPR

We are committed to following and implementing all the guidelines and recommendations from GDPR with regard to all the data and information we handle, process, and store at PushMetrics.

Data Security

All of PushMetrics's infrastructure runs in Amazon AWS, hosted in European regions. You can find more information about AWS security practices on their cloud security page.

Data Encryption at Rest

We use different Amazon AWS services, such as RDS and S3, and we have configured them to use AES-256 encryption for all data at rest.

Data Classification

We like to keep our data organized, and for that we created different categories into which all of PushMetrics's data needs to be classified. The categories define who can access the data and which level of monitoring it receives:

  1. Public information - Information available on our main website and marketing information
  2. Internal information - Unreleased information and details about PushMetrics's roadmap
  3. Private information - Details about PushMetrics's operational data
  4. Confidential information - Customers' data and PushMetrics employees' information

Data Transport Security

All communication with PushMetrics servers is done over TLS. We do this so no one can eavesdrop on communications between your machine and our application.

Application Security

Code Security

At PushMetrics we closely inspect any code before it is released. Our developers inspect the logic and information flows of each new feature to ensure no security vulnerabilities are introduced. But because humans aren't perfect, we also write tests to ensure the application does not behave in an unexpected way.

We also run semi-automatic scanning tools, like Burp Suite, for new features to find any security problems.

Authentication

We partner with Auth0 for the authentication of our users. They offer a robust solution to ensure our users' passwords are stored securely and an OAuth solution so users can sign in with their Google accounts. Read more about it here: https://auth0.com/security

Third-Party components

We use third-party libraries to make our application better every day. We review and monitor our third-party components for known vulnerabilities using automatic systems like Dependabot. Each report is analyzed and acted on based on the criticality of the vulnerability, with a response time ranging from one day for critical vulnerabilities to eight days for medium-risk vulnerabilities (as defined by the CVSS score).

Infrastructure Security

Network Segmentation

Inside our Amazon AWS infrastructure we segment our network into different areas, decoupling our production environments from our testing and development environments.

Incident Monitoring

We use AWS CloudWatch monitoring services to alert us to any anomalous behaviour in our infrastructure. We also use Amazon AWS CloudTrail to monitor any suspicious activity within our backend systems.

Organizational Security

Security Incident Management

Our systems monitor for anomalous and suspicious activity across the different systems we use to run the platform. These events are fed into a central dashboard that provides us with an overview of how every component is behaving and alerts us if a problem is detected.

Each and every incident at PushMetrics goes through the same rigorous internal incident management process. This allows us to ensure no stone is left unturned and the root cause of the incident is resolved. The process also describes how to escalate and communicate these incidents to the different parties involved.

Asset Management

We maintain and regularly update an internal Threat Model of our infrastructure, assets, and application. We define the type of data and risk that each component is exposed to and how we protect them. This helps us segregate our infrastructure and maintain a minimum access policy approach.

Operational Security

Backups

PushMetrics's infrastructure is built on top of Amazon AWS, and we use their services to generate daily backups of our database that are then retained for up to 30 days. To ensure the data recovery process is working as intended, we execute data recovery exercises regularly.

Risk Management

We perform periodic risk analyses and assessments to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.

Security Vulnerability Disclosure

We always appreciate when PushMetrics users and security researchers contact us regarding security vulnerabilities. You can reach us at security@pushmetrics.io.