As you may have noticed, Backrightup security is at the forefront on priorities for the organisation. Nothing is more important for us to deliver than safe and secure practices in dealing with customer data and backups. The following document outlines these practices. Please feel free to reach out should you require more discussion or information
Two-factor authentication (2FA) is employed across all applications used by the organization and mandated for use, where possible, for all employees.
All Backrightup employees receive specific security training on all environments and infrastructure management including coding practices, security policies, and deployment processes. Employees required to receive 100% pass-rate in order to be granted access to the system.
Backrightup, as a company policy, will do background checks on all applicants prior to employment. On termination, Backrightup's automatic single sign-on system immediately revokes all privileges and updates all relevant credentials.
Internal systems containing direct customer data are only accessible over a private VPN. A "least privilege" model is applied which assigns the least amount of access an employee requires to perform their job duties.
We use the latest version of Microsoft .NET Core (3.1 as at 3 January 2021) for the development of all website and backup features. .NET Core is built on the foundations of .NET Framework which includes many “out of the box” security benefits (encrypted cookies, DB queries via LINQ, sql injection attacks and strong parameters).
Due to the continuous penetration testing done by ethical hackers on Backrightup, we now offer the same degree of encryption most employed by banking and financial institutions. We use industry standard HTTPS, 256-bit SSL, and AES. All databases are encrypted at rest and in transit. For credentials, all secrets are stored in an encrypted and access-restricted database. Third parties can neither view nor access our network. All data at rest in our databases, cache services, or other data stores is encrypted using standard Azure encryption mechanisms – typically AES 256.
We only use Microsoft Azure to host and run Backrightup. In the case that a customer requires backups to another service, we will offer back to those services which do not necessary include Azure only
Credentials to access external services such as Azure Devops and other such services are stored encrypted in a secret vault not contained in the web app itself. Standard practice as per Microsoft recommendations. For sensitive data like platform access tokens, we encrypt these with a second key within separate vaults. This requires applications and humans that can query the database to decrypt the access keys in order to communicate with a platform. The key itself is stored encrypted and only accessible by applications that require it.
Backrightup requires users to be authenticated in order to gain access. Backrightup currently supports Microsoft and Google OAuth authentication to the main web application. Tokens are therefore not stored in our applications or associated databases. User tokens are encrypted in transit and at rest and expire in minutes.
Backrightup uses an automated penetration testing tool that helps us stay on top of threats. This tool works closely with the ethical hacking community to turn the latest security findings into vulnerability tests. Backrightup in turn benefits from the latest security research and tests the core web application for over 5000 new and common vulnerabilities.
For those customers NOT on manual plans, payments are captured and stored securely by Stripe, the leading payment processing service audited by a PCI-certified author. The certification level of Stripe is PCI Service Provider Level 1, which is the most stringent standard in the payments industry. In addition, for all services, All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services. Decryption keys are stored on separate machines. More information is available about Stripe security and privacy here.
Azure is composed of a globally distributed datacenter infrastructure, supporting thousands of online services and spanning more than 100 highly secure facilities worldwide. Backrightup gives you the option of hosting your backups in the location of your choosing across selected datacenters offered by Azure. More on Azure physical security can be read here
For data in transit across the network, all communication takes place using HTTPS. The Backrightup certificate is a 2048 bit key size on all of our endpoints and certificates are rotated yearly.