Security
Security culture
In Webdox, we are aware of how sensitive the information we process is. Therefore, we make sure our Security roadmap is more strict every year by having external audits conducted by prestigious entities in the market implementing new standards and protection control so that your experience with Webdox is as reliable as possible.
- Webdox is ISO 27001 certified by A-LIGN.
- Since 2019 we have had an Information Security Management System defined by ISO 27001 for technological and operational systems and processes.
- Each member of Webdox receives security training and follows confidentiality contracts, following the security policies required to perform their functions.
Compliance
Compliance with different regulations of each area and country has guided us to provide a customized service regarding the company's technical and legal requirements. Webdox has implemented a Privacy Policy that details how we process your personal data. We also measure its impact in our risk assessment. We report it to all our clients to inform them of the status of their sensitive data.
- Webdox aims to be certified in 2021 under the ISO 27701 standard (Privacy and Protection of Personal Data) and ISO 27018 (security controls for personal processing data from the cloud).
- Through this, Webdox seeks to comply with the current regulations of each country, corresponding to Privacy and Protection of Personal Data, such as the GDPR (General Data Protection Regulation) in Europe and the LGPD (General Law of Protection of Personal Data) in Brazil.
Robust Architecture
A great strategic partner backs effective solutions. Google Cloud Platform, jointly with other prestigious partners, provides us with all the security functionalities required by the market.
- Webdox is a Google Cloud Partner. Infrastructure and security are a legacy from Google services with high availability in all layers.
- Cloudflare, Gitlab, and HackerOne are some of the services we use to create and improve Webdox.
- Systems designed for a service level objective (SLO) of 99.99% and service level agreements (SLAs) are tailored, generally at 99.5%.
- Backups run every 24 hours with 30-day retention, and failover replicas are activated, improving High Availability.
- Disaster Recovery Planning (DRP) with RTO (Recovery Time Objective) of 1 hour and RPO (Recovery Point Objective) of up to 24 hours.
- All metadata at rest is encrypted using AES 256.
- All metadata in transit is encrypted using TLS 1.2 or 1.3.
- Webdox has tools for monitoring and generating alarms in the event of unusual events.
Secure Development
Webdox allows integrating a series of security features with your technological infrastructure at the application level. If technical support is required, we have a team of specialists who will reply to your questions. Today we rely on the good practices provided by OWASP (Top Ten) to deal with the most systematic risks, and we also work directly with ethical hackers aiming for the continuous improvement of the application.
- User session parameter configuration Idle time, session duration, password format.
- The perimeter access management can be configured, via IP addresses, from where someone can and can't log in.
- Mechanisms of Single Sign-On through SAML V2.
- OAUTH integration through API and APP provides robustness in the integrations that may be generated.
- A second factor of authentication.
- Roles assigned to users can control access and permissions.
- Audit logs with all actions generated by users.
- DevSecOps throughout the development cycle.
- Identification of each internal process (UUID), thus enabling better functioning and auditing of the platform.
Monitoring and Deployment
At Webdox, we work hard in the discovery of new vulnerabilities and their treatment. That is why we have the recurrent and specialized service of Unitti for Pentesting and Ethical Hacking tests, working together to resolve the findings evidenced. This test will allow us to continue strengthening our service to the most demanding levels in the market.
Additionally, our Technology and Security team annually plans backup recovery tests to guarantee operational continuity times. These tests have a complementary Disaster Recovery Planning (DRP) for each critical system. Together with the internal and external audits scheduled during the year, feed our continuous improvement process at both the process and Webdox product.
Additionally, our Technology and Security team annually plans backup recovery tests to guarantee operational continuity times. These tests have a complementary Disaster Recovery Planning (DRP) for each critical system. Together with the internal and external audits scheduled during the year, feed our continuous improvement process at both the process and Webdox product.