as of January 10th, 2019
Everysk Technologies Inc. is built using the most reliable and secure infrastructure on the web. Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to protect all customer’s data. In what follows we describe the security protocols at various levels: from our platform all the way to the data centers we use.
1. Platform Security:
Portfolio data stored on customer’s accounts is encrypted with Advanced Encryption Standard, AES-256. Decryption keys are stored on separate machines. Dashboard’s front-end is only served over HTTPS/TLS.
Passwords are verified for their strength when they are set for the first time or reset at a later date. reCAPTCHA is used to protect the account against spam.
Additionally, customers can enable an individual physical security key for strong 2-step verification using the FIDO Alliance U2F protocol.
Each API token is generated using a keyed-hash message authentication code (HMAC). Any subsequent API requests are verified for authenticity with the same strong HMAC. We never store the keys we generated but can still verify the authenticity of the API requests via its hash. Every API request and response are only served over HTTPS/TLS. Calls made over plain HTTP will fail.
All account activity is logged, including the IP and User Agent information. No user-sensitive information will ever be logged, only information that will enable Everysk to improve the system and user experience.
For example: when clients are uploading portfolios, there might be securities that are not properly mapped to our databases because of a symbol or exchange issue. We have designed logs that will automatically warn us only with the tickers that were not properly mapped. No quantities are ever provided in the logs. Thus, our knowledge of any customer’s portfolios is limited to a few securities at any time.
Everysk forces every request data traveling between a customer’s device and our servers to be encrypted and authenticated using HTTPS/TLS (Transport Layer Protocol) with a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with X25519), and a strong cipher (AES_128_GCM).
Upon request from our subscribers, we allow an IP whitelist to access our Platform and REST API. Upon request from subscribers we also allow TLS compliant email communications between our domain and client’s.
For our customers that pay subscriptions via credit card, we rely on a certified PCI Level 1 service provider for recurring payments, the most stringent level of certification available to protect payment cardholder data.
2. Server Security:
Our production servers run a custom-designed operating system (OS) based on a stripped-down and hardened version of Linux. Our cloud service provider runs health checks and applies all required security OS patches on a weekly basis. Furthermore, critical backwards compatible updates are automatically applied to the OS. All hard drives leverage technologies like FDE (full disk encryption) and drive locking, to protect data at rest. Our servers have no root SSH access.
Additional protective systems are also implemented, such as: a) Security Scanner for common vulnerabilities like cross-site-scripting (XSS), Flash injection, mixed content (HTTP in HTTPS) and outdated libraries and; b) Denial of Service (DoS) protection Service designed for quantitative abuse prevention.
3. Network Security:
Data is most vulnerable to unauthorized access as it travels across the Internet or within networks. Because it’s linked to most ISPs in the world, our provider’s global network helps to improve the security of data in transit by limiting hops across the public Internet. Encrypted channels (using RSA 2048-bit certificate keys) between our private IP environment on premises and our provider’s network allows us to keep instances completely disconnected from the public internet while still reachable from our own private infrastructure.
4. Data Centers Security:
Our data center provider features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection.
Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are reviewed in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training.
Our Data Center provider is independently verified for security, privacy and compliance controls in the data centers, infrastructure and operations. Our provider has annual audits for the following standards: SSAE16/ISAE 3402 Type II, ISO 27001, ISO 27017, ISO 27018 and FedRamp ATO.