<aside> ℹ️ This is a brief description of the steps CodeLeap takes to keep our clients' users' PII safe. Specific applications may require stricter security measures than those described here.

</aside>

Access to data

  1. All of our staff may access production user data for development purposes, as may any third-party tool needed for the development of the application:
    1. This is defined in Annex II of our standard development agreement
    2. Besides staff, this typically includes AWS, Sentry (error logging), Firebase (user authentication tokens) and other services depending on the platform's needs, such as analytics

Infrastructure

  1. Production servers are set up in secure AWS environments and can only be reached through the application API, over HTTPS, with a valid user token
  2. We avoid handling highly sensitive data such as passwords ourselves by delegating it to a third-party service such as Firebase

Credentials

  1. All staff are required to follow strict security guidelines that include:
    1. Using a password manager (1Password)
    2. Setting up 2FA whenever available
  2. All production credentials are randomly generated and kept in the password manager, including:
    1. Database credentials and other sensitive environment variables
    2. Administrative panel users
    3. Root AWS account access (with 2FA enabled)

Incident procedures

These are the procedures we will follow if any sensitive information is compromised:

  1. If any credentials are misplaced internally (i.e. someone committed sensitive credentials to a repository or sent them through a private but improper channel):
    1. Invalidate and rotate the credentials (removing a committed secret from the repository is not sufficient on its own, since it remains in the history)
  2. If any credential is suspected to have leaked externally:
    1. Immediately rotate or invalidate the credentials
    2. Inform the client of the potential data leak so a joint assessment can be made
    3. Assess whether any PII has potentially been compromised and to what extent
  3. If any PII is known to have been compromised:
    1. Immediately rotate or invalidate the credentials that gave access to the leaked data
    2. If necessary, temporarily suspend access to the affected platform
    3. Inform the client of the leak so a joint assessment can be made
    4. Assess to what extent the data has been compromised
    5. Inform stakeholders
    6. Inform the relevant authorities