<aside>
ℹ️ This is a brief description of the steps CodeLeap takes to keep our clients' PII safe. Specific applications may have stricter security requirements.
</aside>
Access to data
- All of our staff may access production user data for development purposes, as well as any third-party tool needed for the development of the application:
  - This is defined in Annex II of our standard development agreement
  - Other than staff, this typically includes AWS, Sentry (for error logging), Firebase (to manage user tokens) and other services depending on your platform's needs, such as analytics
Infrastructure
- Production servers are set up in secure AWS environments and can only be accessed through the API over HTTPS with a valid user token
- We avoid handling very sensitive data such as passwords ourselves by keeping them in a third-party service such as Firebase
Credentials
- All staff are required to follow strict security guidelines, which include:
  - Using a password manager (1Password)
  - Setting up 2FA whenever available
- All production credentials are randomly generated and kept in the password manager, including:
  - Database credentials and other sensitive environment variables
  - Administrative panel users
  - Root AWS account access (plus 2FA)
Incident procedures
These are the procedures we will follow if any sensitive information is compromised:
- If any credentials are misplaced internally (i.e. someone committed sensitive credentials to a repository or sent them through private but improper channels):
  - Invalidate and change the credentials
- If any credential is suspected to have leaked externally:
  - Immediately change or invalidate the credentials
  - Inform the client of the potential data leak so a joint assessment can be made
  - Assess whether any PII has potentially been compromised and to what extent
- If any PII is known to have been compromised:
  - Immediately change or invalidate the credentials that gave access to the initial data leak
  - If necessary, temporarily suspend access to the affected platform
  - Inform the client of the leak so a joint assessment can be made
  - Assess to what extent the data has been compromised
  - Inform stakeholders
  - Inform the authorities