Understanding Federa's Comprehensive Security Practices

Federa
05/27/2023 02:04 PM

Securing Your Digital Journey: The Cornerstones of Federa's Data Security

Organizational Security at Federa

We maintain a rigorous Information Security Management System (ISMS) that reflects our security objectives while identifying and addressing the potential risks and mitigations relevant to all stakeholders. Our comprehensive policies and procedures prioritize the security, availability, processing, integrity, and confidentiality of user data.

Employee Background Verification

Every employee is subject to a meticulous background check. We entrust this task to reputed third-party agencies to verify potential criminal records, previous employment history, and educational qualifications. Until this verification is completed, employees are not assigned tasks that could potentially risk user data security.

Promoting Security Awareness

Upon induction, every employee is required to sign a confidentiality agreement and acceptable use policy. Subsequently, they undergo comprehensive training in information security, privacy, and compliance. We evaluate their understanding through tests and quizzes to identify areas necessitating further instruction. Specific aspects of security training are also provided, based on their roles.

Our internal community provides continuous education to our employees on information security, privacy, and compliance. This platform ensures they stay abreast of Federa's security practices. Furthermore, we host internal events to foster awareness and stimulate innovation in the domains of security and privacy.

Dedicated Security and Privacy Teams

Our organization features dedicated security and privacy teams responsible for implementing and managing our security and privacy programs. These teams design and maintain our defense systems, formulate security review processes, and continuously monitor our networks for any suspicious activities. They also provide domain-specific consulting services and guidance to our engineering teams.

Compliance and Internal Audit

Our specialized compliance team reviews Federa's procedures and policies to align them with industry standards. They also identify the necessary controls, processes, and systems required to meet these standards. This team conducts periodic internal audits and facilitates independent audits and assessments by third-party organizations.

Endpoint Security

All workstations issued to Federa's employees operate on the latest OS version and are equipped with anti-virus software. These workstations are configured to comply with our security standards, which mandate proper configuration, regular patching, and tracking and monitoring through our endpoint management solutions. These workstations are secure by default, configured to encrypt data at rest, require strong passwords, and lock when idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they adhere to our security standards.

Infrastructure Security at Federa

Network Security

Our network security practices incorporate multi-layered protective mechanisms. We utilize firewalls to block unauthorized access and unwanted traffic to our network. Our systems are divided into distinct networks to secure sensitive data. Development and testing systems are hosted separately from Federa's primary production infrastructure.

Firewall access is reviewed regularly: a dedicated network engineer reviews all firewall modifications daily, and biannual reviews ensure that our rule set remains up to date. Our dedicated Network Operations Center team continually scrutinizes infrastructure and applications for any discrepancies or suspicious activities. Using our proprietary tool, crucial parameters are continuously monitored, and alerts are triggered in case of any abnormal or suspicious activity.

Network Redundancy

All elements of our platform are redundant, implemented through a distributed grid architecture. This structure shields our services from individual server failures, ensuring uninterrupted user access. We also deploy multiple switches, routers, and security gateways for device-level redundancy, thereby eliminating single points of failure in the internal network.

DDoS Prevention

We employ advanced technologies from reliable service providers to mitigate DDoS attacks. These tools offer several DDoS prevention capabilities to filter out malicious traffic while permitting legitimate traffic, thereby ensuring the high availability and performance of our websites, applications, and APIs.

Server Hardening

All servers allocated for development and testing are hardened—unused ports and accounts are disabled, default passwords are removed, and more. The base Operating System (OS) image integrates server hardening measures, promoting consistency across servers when provisioned.

Intrusion Detection and Prevention

Our intrusion detection system observes host-based signals from individual devices and network-based signals from monitoring points within our servers. Activities such as administrative access, privileged command use, and system calls on all servers in our production network are logged. Security engineers are alerted to potential incidents through rules and machine learning algorithms. At the application level, our proprietary Web Application Firewall (WAF) operates on both whitelist and blacklist rules.

At the Internet Service Provider (ISP) level, we implement a multi-layered security strategy, encompassing scrubbing, network routing, rate limiting, and filtering, to handle attacks from the network layer to the application layer. This system ensures clean traffic, dependable proxy service, and prompt reporting of any potential attacks.

Data Security at Federa

Secure by Design

All alterations and new additions are controlled by a change management policy to validate application changes before deployment. Our Software Development Life Cycle (SDLC) requires compliance with secure coding guidelines and scanning code changes for potential security concerns using our suite of code analyser tools, vulnerability scanners, and manual review processes.

Our robust security infrastructure, based on OWASP standards, mitigates threats like SQL injection, cross-site scripting, and application-layer DoS attacks.

Encryption

In transit: All user data transferred to our servers over public networks is safeguarded using robust encryption protocols. We mandate that all server connections use Transport Layer Security (TLS 1.2/1.3) encryption; this applies to web access, API access, mobile apps, and IMAP/POP/SMTP email client access. Our email services use opportunistic TLS by default, which encrypts mail in transit and prevents eavesdropping between mail servers.

We fully support Perfect Forward Secrecy (PFS) on our encrypted connections, safeguarding past communications even if a key is compromised in the future. The HTTP Strict Transport Security (HSTS) header is enabled for all web connections, ensuring modern browsers connect only via an encrypted connection. All our authentication cookies on the web are flagged Secure.

At rest: User data at rest is encrypted using the 256-bit Advanced Encryption Standard (AES). The data encrypted at rest depends on the services you choose. We manage and maintain the keys using our in-house Key Management Service (KMS). We bolster security by encrypting data encryption keys using master keys, which are physically separated and stored in different servers with limited access.

Data Retention and Disposal

We store data in your account for as long as you use Federa Services. Once you terminate your Federa user account, your data will be deleted from the active database during the next scheduled clean-up, which runs every six months. Data deleted from the active database will be removed from backups after three months. If your unpaid account remains inactive for a continuous 120-day period, we reserve the right to terminate it after providing prior notice and an option to back up your data.

We entrust the disposal of unusable devices to a verified and authorized vendor. Until then, these devices are stored securely. Prior to disposal, we format the devices to remove any information they contain. Failed hard drives are degaussed and physically destroyed using a shredder. Failed Solid State Drives (SSDs) undergo a crypto-erase and shredding process.

Vendor and Third-party Supplier Management at Federa

At Federa, we assess and qualify our vendors according to our rigorous vendor management policy. Before onboarding new vendors, we comprehensively study their service delivery processes and perform risk assessments. We take meticulous steps to maintain our security posture by setting up agreements that require vendors to comply with the confidentiality, availability, and integrity commitments we have made to our users. We keep a vigilant eye on the effective operation of the vendors' processes and security measures by conducting regular reviews of their controls.

Conclusion

Ensuring the security of your data is both a fundamental right and a perpetual mission here at Federa. As we have always done, we will continue to diligently work to safeguard your data.

Note: The Federa security measures discussed above are subject to change without prior notice. They do not represent any form of commitment or agreement from Federa.