Security Policy

Last Updated: Sept 9, 2021

Introduction and overview

Our security strategy involves the following components:

  1. Organizational Security

We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

    1. Employee background checks

      Each employee undergoes a process of background verification. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.

    2. Security Awareness

      Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance.

      We educate our employees continually on information security, privacy, and compliance through our internal community, where employees check in regularly and are kept updated on the organization's security practices. We also host internal events to raise awareness and drive innovation in security and privacy.

    3. Dedicated Security and privacy teams

      We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.

  2. Data Security

    1. Data Isolation

      Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.

      When you use our services, the service data is stored on our cloud servers (situated in Europe). Your data is owned by you, not by NEXTBYTE. We do not share this data with any third party without your consent.

    2. Secure by design

      Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.

      Our security framework, based on OWASP standards and implemented in the application layer, provides functionality to mitigate threats such as SQL injection, cross-site scripting, and application-layer DoS attacks.

    3. Encryption

      In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Secure Sockets Layer (SSL) encryption with strong ciphers, including web access, API access, and IMAP/POP/SMTP email client access. This keeps the connection secure and safeguards any sensitive data sent between two systems, preventing intruders from reading or modifying the information transferred, including potential personal details. The two systems can be a client and a server or two servers.

  3. Identity and Access Control

    1. Authentication

      Every user needs to provide a username and password (login credentials) to authenticate and log in to the system. This adds a security layer that prevents access by unauthorized intruders. Authentication has been extended to the API for all integrations implemented with third-party partners.

    2. Multi-Factor Authentication

      NEXTBYTE platforms support multi-factor authentication, which provides an extra layer of security by demanding an additional verification factor that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user's password is compromised. You can easily configure multi-factor authentication in the settings of our app. Currently, OTP (one-time password) via email and SMS is supported.

    3. Administrative Access

      We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.

      Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.

  4. Operational Security

    1. Backup

      We run full backups of our clients' databases and files every day. Backup data is first stored on the production server and then transferred to the backup server, which is located in another data center. All backed-up data is retained for a period of 7 days. If a client requests data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.

      To ensure the safety of the backed-up data, we use a redundant array of independent disks (RAID) in the backup servers. All backups are scheduled and tracked regularly. If a backup fails, the cause is fixed immediately and the backup is re-run.

      From your end, we strongly recommend scheduling regular backups of your data by exporting it from the respective NEXTBYTE services and storing it locally in your own infrastructure.

  5. Customer controls for security

Here are the things that you as a customer can do to ensure security from your end:

  1. Use multi-factor authentication.

  2. Choose a unique, strong password and protect it.

  3. Use the latest browser versions, mobile OS versions, and updated mobile applications to ensure they are patched against known vulnerabilities and to benefit from the latest security features.

  4. Exercise reasonable precautions while sharing data from our cloud environment.

  5. Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account, and manage roles and privileges to your account.

  6. Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit the trust you place in NEXTBYTE.

Conclusion

Security of your data is your right and a never-ending mission for NEXTBYTE. We will continue to work hard to keep your data secure, as we always have.