Security Policies & Procedures
Databook offers financial analysis of the largest companies in the world. Users link their CRM accounts to the Databook platform so that accounts can be imported quickly and kept up to date without logging in again. Users may also pay for their subscriptions online by credit card.
Databook takes security seriously and is committed to building a robust, secure platform for its users.
Databook's payment processing is handled by Chargebee, a PCI-DSS Level 1 Service Provider. Payment details are stored by Stripe, which has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. No payment data is stored in Databook's databases; card details are tokenized by Stripe and never pass through Databook's web servers.
Vulnerability Scanning & Patching
We periodically check for and apply patches to third-party services and software dependencies. Vulnerabilities that are found are patched immediately; dependencies that cannot be patched are replaced with newer versions or different packages. Security is a primary consideration when selecting third-party services and software.
Web and Mobile Application Security
Databook applications follow current security standards, including protections against the OWASP Top 10 and other common classes of attack.
- Secure Access. Databook servers can be accessed only over HTTPS; data flowing to and from the application servers is protected with industry-standard TLS encryption.
- CSRF protection. All requests are checked for a valid CSRF token before processing, which prevents unwanted actions from being executed against the Databook API.
- SQL Injection blocking.
- XSS protection. User-supplied input is encoded on output so that cross-site scripting payloads render as text rather than executing.
- Encrypted Data Storage. No payment details are stored. Credentials for third-party services are stored in encrypted form.
- Dedicated certificates.
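The three application-layer controls listed above (CSRF token checks, SQL injection blocking and output encoding against XSS) are shown together below in a small request handler. This is an added illustration, not Databook's own code: the `Request` shape, the in-memory SQLite account table and the handler names are assumptions made for the example, and the deliberately unsafe `search_accounts_unsafe` is included only to contrast with the parameterized query.

```python
import hmac
import html
import secrets
import sqlite3
from dataclasses import dataclass, field

# Added example, not Databook's code. The request/session shape and the
# account table are constructed for illustration only.

@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)

def make_db():
    """Constructed in-memory stand-in for an application account store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    db.executemany("INSERT INTO accounts (name, owner) VALUES (?, ?)", [
        ("Acme Corp", "alice"),
        ("<script>alert(1)</script>", "alice"),   # hostile name saved by a user
        ("Globex", "bob"),
    ])
    return db

def issue_csrf_token(session):
    """Mint a per-session token; the server keeps its copy in the session."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token

def csrf_ok(request, session):
    """Reject a request whose form token does not match the session's token."""
    expected = session.get("csrf")
    supplied = request.form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), supplied.encode())

def search_accounts(db, owner, query):
    """Parameterized query: the search string is data, never SQL."""
    rows = db.execute(
        "SELECT name FROM accounts WHERE owner = ? AND name LIKE ? ORDER BY id",
        (owner, f"%{query}%"),
    ).fetchall()
    return [r[0] for r in rows]

def search_accounts_unsafe(db, owner, query):
    """Deliberately vulnerable contrast: string-built SQL lets the caller
    escape the owner filter with a payload such as ' OR 1=1 --."""
    sql = (f"SELECT name FROM accounts WHERE owner = '{owner}' "
           f"AND name LIKE '%{query}%' ORDER BY id")
    return [r[0] for r in db.execute(sql).fetchall()]

def render_list(names):
    """Encode on output so stored or reflected markup is shown as text."""
    return "<ul>" + "".join(f"<li>{html.escape(n)}</li>" for n in names) + "</ul>"

def handle(request, session, db):
    """Minimal dispatcher: CSRF check first, then the parameterized search,
    then output encoding. Returns (status, body)."""
    if request.method == "POST" and not csrf_ok(request, session):
        return 403, "CSRF check failed"
    if request.method == "POST" and request.path == "/accounts/search":
        names = search_accounts(db, session["user"], request.form.get("q", ""))
        return 200, render_list(names)
    return 404, "not found"

if __name__ == "__main__":
    session = {"user": "alice"}
    db = make_db()
    token = issue_csrf_token(session)
    print(handle(Request("POST", "/accounts/search", {"q": "script"}), session, db))
    print(handle(Request("POST", "/accounts/search",
                         {"q": "script", "csrf_token": token}), session, db))
    print(search_accounts(db, "alice", "' OR 1=1 --"))
    print(search_accounts_unsafe(db, "alice", "' OR 1=1 --"))
```

The same injection string returns nothing through the parameterized query and every row, including another owner's account, through the string-built one; the CSRF check fails closed when no token was issued for the session.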
Databook's physical infrastructure is managed by Heroku and hosted in Amazon Web Services (AWS) data centers. AWS continually undergoes assessments to ensure compliance with industry standards, and Amazon's data center operations have been accredited under:
- ISO 27001
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX) (Salesforce)
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
Several protections are in place at the network level, including the following:
- DDoS mitigation. Managed by Cloudflare, which provides DDoS protection at the network edge to mitigate attacks before they reach the application.
- Spoofing and sniffing protection. Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts.
- Port scanning. Scans are detected, blocked, and logged for further investigation.
- Rate limiting. Requests are rate limited to prevent abuse and attempts to probe for vulnerabilities, with stricter limits applied to requests that generate client or server errors.
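The rate-limiting point above, giving extra weight to requests that end in client or server errors, is illustrated below with an error-weighted sliding-window limiter run over a constructed access log. This is an added example, not Databook's or Cloudflare's implementation: the log format, the budget and cost values, and the sample IP addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque

# Added example, not Databook's code. A per-client sliding-window limiter that
# charges a request ending in a 4xx/5xx far more than a successful one, so a
# probe sweep (mostly 404s) exhausts its budget long before a normal client.

# Assumed log format: ip unix_ts "METHOD path" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

class ErrorWeightedLimiter:
    def __init__(self, window_seconds=60, budget=50, error_cost=10):
        self.window = window_seconds
        self.budget = budget
        self.error_cost = error_cost
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, cost)

    def _spent(self, ip, now):
        """Cost consumed by this client inside the current window."""
        q = self.events[ip]
        while q and now - q[0][0] >= self.window:   # age out old events
            q.popleft()
        return sum(cost for _, cost in q)

    def process(self, ip, now, status):
        """Return the status the client sees: 429 if the budget is exhausted,
        otherwise the application's own status, whose cost is then charged."""
        if self._spent(ip, now) >= self.budget:
            return 429
        cost = self.error_cost if status >= 400 else 1
        self.events[ip].append((now, cost))
        return status

def replay(log_text, limiter=None):
    """Feed access-log lines through the limiter and return per-IP counts of
    served versus rate-limited requests. Malformed lines are skipped."""
    limiter = limiter or ErrorWeightedLimiter()
    summary = defaultdict(lambda: {"served": 0, "limited": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ip, ts, status = m["ip"], int(m["ts"]), int(m["status"])
        outcome = limiter.process(ip, ts, status)
        summary[ip]["limited" if outcome == 429 else "served"] += 1
    return dict(summary)

# Constructed sample: one ordinary client (203.0.113.7) and one host sweeping
# well-known sensitive paths (198.51.100.9). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 1000 "GET /accounts" 200
198.51.100.9 1000 "GET /.env" 404
198.51.100.9 1001 "GET /wp-login.php" 404
203.0.113.7 1002 "GET /accounts/42" 200
198.51.100.9 1002 "GET /phpmyadmin/" 404
198.51.100.9 1003 "GET /.git/config" 404
203.0.113.7 1004 "GET /accounts/typo" 404
198.51.100.9 1004 "GET /admin" 404
198.51.100.9 1005 "GET /config.php" 404
198.51.100.9 1006 "GET /backup.zip" 404
203.0.113.7 1010 "GET /accounts" 200
198.51.100.9 1100 "GET /robots.txt" 200
"""

if __name__ == "__main__":
    for ip, counts in replay(SAMPLE_LOG).items():
        print(ip, counts)
```

With a budget of 50 and an error cost of 10, the sweeping host is cut off after five 404s while the ordinary client, whose single mistyped URL costs it only one error, is never limited; once the 60-second window has passed the sweeping host is admitted again, which is the usual trade-off between blocking scanners and not permanently locking out a shared address.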
Data Storage & Redundancy
Data is stored in redundant locations and continuously backed up to prevent data loss. Database servers can only be accessed over encrypted channels, and all operations are logged.
If you have any questions about our security policies and procedures, please contact us by email at firstname.lastname@example.org.