Information Security Policy
Overview of the service
The company provides a hosted Software as a Service product which allows user contributed content to be solicited, moderated and published to public websites. The service is offered to client organisations (clients).
Members of the public (end users) submit contributions (text, images and videos) via public websites and mobile apps to a specific client's instance of the system. These contributions are reviewed by members of the client's staff (moderators) before being made public.
The vast majority of the system's content is intended for public display. End users expect their submissions to be published eventually, but their personal details, contact details and their correspondence with the moderators must not be made public.
The end user's contact details may be disclosed to the client's staff to assist with verification.
It is envisaged that end users have a relationship with the client rather than with the company itself.
Protected user data
The following data held in the system is not intended for public disclosure:
Original, unreviewed submissions received from end users
Raw submissions may contain the following potentially sensitive information:
- Media file metadata. Original files submitted by end users may contain potentially sensitive location information (for example GPS coordinates in EXIF data). Original media files must not be made public. Metadata must be stripped from any approved submissions published from the system.
- Connection metadata. The IP address from which the submission was received. If this information were made public it could be used by 3rd parties to identify an end user.
- User supplied contact details. The user may have supplied their real name and contact details in their original submission. These must not be made public. A publicly visible user id and a display name of the user's choosing may be displayed.
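The metadata-stripping requirement above, illustrated with a pure-Python JPEG segment filter. This is an added example and not code from the company's product; the sample file bytes are constructed inline (the "Exif" payload is placeholder text, not a valid TIFF structure). The filter removes COM and every APPn segment except APP0 (JFIF) and APP14 (Adobe), which decoders need, so Exif/XMP (APP1), ICC (APP2) and Photoshop/IPTC (APP13) all go, and anything appended after the EOI marker is dropped as well.

```python
import struct
from typing import Iterator, List, Tuple

# JPEG marker codes (the byte following 0xFF)
TEM, SOI, EOI, SOS = 0x01, 0xD8, 0xD9, 0xDA
RST0, RST7 = 0xD0, 0xD7
APP0, APP1, APP14, APP15, COM = 0xE0, 0xE1, 0xEE, 0xEF, 0xFE
DQT, SOF0, DHT = 0xDB, 0xC0, 0xC4

# Application segments a decoder actually needs; every other APPn is metadata.
KEEP_APP = {APP0, APP14}   # JFIF header, Adobe colour-transform flag


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each segment after SOI.

    payload is the raw bytes after the marker code (length field included).
    For SOS the payload runs through the entropy-coded data up to and including
    EOI, and iteration stops there, so bytes appended after EOI are never yielded.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated before marker code")
        marker = data[pos]
        pos += 1
        if marker == SOS:
            end = data.find(b"\xff\xd9", pos)
            if end < 0:
                raise ValueError("no EOI after scan data")
            yield marker, data[pos:end + 2]
            return
        if marker == EOI or marker == TEM or RST0 <= marker <= RST7:
            yield marker, b""            # standalone markers carry no length field
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for marker 0x{marker:02X}")
        yield marker, data[pos:pos + length]
        pos += length
    raise ValueError("file ended without SOS or EOI")


def jpeg_markers(data: bytes) -> List[int]:
    """Marker codes present in the header, in order (useful for checking output)."""
    return [marker for marker, _ in iter_segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return the JPEG with COM and all non-essential APPn segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == COM or (APP0 <= marker <= APP15 and marker not in KEEP_APP):
            continue   # drops Exif/XMP (APP1), ICC (APP2), Photoshop/IPTC (APP13), comments
        out += bytes([0xFF, marker]) + payload
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    """Build a length-prefixed segment (sample data helper)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample, not a real upload: a minimal 8x8 greyscale baseline JPEG
# skeleton carrying a placeholder Exif block with location text and a comment.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00GPSLatitude 51.5N GPSLongitude 0.12W")  # placeholder, not a TIFF structure
    + _seg(COM, b"shot on my phone")
    + _seg(DQT, bytes(65))
    + _seg(SOF0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(DHT, bytes(17))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")   # scan header for one component
    + b"\xa2\xff\x00\x7b"                      # entropy-coded data with a stuffed 0xFF00
    + b"\xff\xd9"
)
```

A segment filter like this shows exactly which bytes leave the file. For production publishing, decoding and re-encoding the image through an image library is the more robust route: it also handles progressive multi-scan files (this parser locates EOI by searching for FF D9, which a rare inter-scan DHT payload could contain) and it produces a fresh file with no room for unknown structures. Whatever the tool, the same requirement applies to PNG (tEXt, iTXt, eXIf chunks) and to video containers, which carry their own metadata atoms.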
Internal moderation workflow
The system records the internal moderation workflow leading up to a submission being approved or rejected. This history includes moderation notes entered by moderators and the internal email addresses of the individual moderators. Details of correspondence between the end user and moderators may also be held in the system.
Client and social media supplied contact details for end users
The system allows users to identify themselves via a client's identity system or via 3rd party social media accounts (such as Facebook and Twitter). In this case the system may display the 3rd party user id publicly.
Contact details (including real name and email address) may be retrieved from the 3rd party system. The 3rd party credentials required to do this may be persisted within the system. The retrieved 3rd party contact details must not be permanently persisted in the system.
Software development methodology
The company's core product is a hosted software system. Its core component is an Internet-accessible API which, to function, must be accessible over the public Internet.
Approved submissions and public data are accessible over HTTP with no credentials. Access to private data (such as unapproved submissions and moderation functions) requires API requests to be authenticated. Authenticated requests must be made over HTTPS; access to authenticated resources is not permitted over unencrypted HTTP.
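The transport rule above, as an added illustration in Python (not the company's code) of how an application server can enforce it per request. It also covers the caveat a practitioner meets behind a TLS-terminating load balancer: the application itself sees plain HTTP and must trust X-Forwarded-Proto only when the connection came from the balancer's address, or any client could claim "https" while sending a token in the clear. The proxy address, the /public/ route prefix, and the header and cookie names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Assumed address of the TLS-terminating load balancer in front of the API.  The
# application honours X-Forwarded-Proto only from this address; any other peer is
# talking to the application directly and could spoof the header.
TRUSTED_PROXIES = {"10.0.0.5"}

# Assumed route layout: approved submissions under /public/, everything else private.
PUBLIC_PREFIX = "/public/"


@dataclass
class Request:
    path: str
    scheme: str                      # scheme of the hop that reached the application
    remote_addr: str                 # peer address of that hop
    headers: Dict[str, str] = field(default_factory=dict)   # lower-case header names
    cookies: Dict[str, str] = field(default_factory=dict)


def effective_scheme(req: Request) -> str:
    """Scheme the end client used, trusting X-Forwarded-Proto only from the balancer."""
    if req.remote_addr in TRUSTED_PROXIES:
        forwarded = req.headers.get("x-forwarded-proto", "")
        if forwarded:
            # The header may be a comma-separated chain; the first entry is the client hop.
            return forwarded.split(",")[0].strip().lower()
    return req.scheme.lower()


def carries_credentials(req: Request) -> bool:
    """True if the request presents an API token or a moderator session cookie."""
    return "authorization" in req.headers or "session" in req.cookies


def is_public(path: str) -> bool:
    return path.startswith(PUBLIC_PREFIX)


def authorise_transport(req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason) for the transport and authentication rules.

    Validating the credential itself (is the token genuine, is the moderator
    allowed this action?) is assumed to happen only after this check passes.
    """
    encrypted = effective_scheme(req) == "https"
    if carries_credentials(req) and not encrypted:
        # The secret has already crossed the network in the clear.  Fail closed rather
        # than redirecting: a redirect lets the retry succeed over HTTPS as if nothing
        # happened, while the token should be treated as leaked and revoked.
        return 403, "credentials presented over unencrypted HTTP; revoke the token"
    if is_public(req.path):
        return 200, "public resource"
    if not carries_credentials(req):
        return 401, "authentication required"
    return 200, "authenticated request over HTTPS"
```

This check is defence in depth, not a substitute for the edge configuration: the load balancer should not expose a plaintext listener for authenticated hostnames at all and should send a Strict-Transport-Security header. The application-level rule additionally catches the case the edge cannot see, a client that attaches a token to a request for a public resource over HTTP.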
Software developers working on the system are aware of the OWASP guidelines.
New releases of the software must pass a series of automated acceptance tests in a development environment before being released to production. These tests include regression tests around access control and the visibility of protected resources. The development system is regularly subjected to scans from an automated integrated penetration testing tool. These scans are periodically performed on the live system as well.
The application and data are stored on Contribly servers, Amazon EC2 and Google Cloud.
The live system components and persisted user data reside in the Amazon EC2 EU-WEST-1 region (Republic of Ireland) and the Google Cloud EUROPE-WEST2 region.
An encrypted backup of the user data is held on servers in the Amazon EC2 EU-WEST-1 region.
All staff and contractors (excluding suppliers) involved in the day to day operation of the system are located in Europe.
All persisted user data is held within the European Economic Area (EEA).
Network access to data
HTTP, HTTPS and WS (WebSockets) are the only services publicly exposed by the system.
Operations staff have secure shell access to all nodes of the production environment via a trusted jump host. Operations staff also have access to the production environment via the EC2 console. No unencrypted shell connections to live systems are permitted.
The following restrictions are placed on access to production systems and data:
- Production ssh keys must be passphrase protected and are not permitted on portable devices unless full disk encryption is implemented on those devices.
- All access to the EC2 console must be via a 2FA enabled account.
- Production snapshots are not permitted to be loaded into development environments.
- Snapshots of the production database may be stored offline for backup purposes but must be encrypted before leaving the production environment.
The decryption keys for these backup files are not stored on a network connected machine.