Since #NotMe is a cloud-based and mobile solution, cloud security is a critical concern for us. We divide our servers into separate networks, locations, and continents. All of our private networks are hardened so that no unnecessary access is allowed: unused ports are closed or restricted, and passwords are rotated regularly and never left at their defaults.
Our production servers network is restricted, allowing only necessary ports to be open to the public.
Protection against (distributed) denial-of-service (DDoS) attacks has been deployed on our production servers.
Access to development and testing networks is restricted and not available to the public.
#NotMe uses the latest secure protocols offered by its cloud platforms, including for management of the network.
Data encryption is essential to ensure the security of employee and employer information. We built our platform using current industry security standards.
All information in transit between #NotMe’s services and clients is encrypted using currently recommended protocols: TLS (the successor to SSL) with AES cipher suites.
Data stored in #NotMe’s production services is always encrypted with the industry-standard AES-256 algorithm. This applies to all types of data, including files, backups, and databases. The encryption keys are available only to a limited group of people and are stored in a secure location; the creation, access, and deletion of these keys are controlled.
Each #NotMe employee has their own set of data access privileges, granted on a least-privilege basis: an employee receives only the privileges their role requires, rather than broad access with a few privileges revoked. For subscribers, our current privilege levels are HR admin, manager, and employee.
Each employee can create their own account through our app. Employers are given access to the dashboard by a #NotMe representative, who sends a secure link by email for setting a password. Passwords are never stored in clear text; they are always salted and hashed, which limits the damage in case of a data breach. We enforce multi-factor authentication for access to all systems holding sensitive information, including our production systems. Where the operation supports it, we also use public/private key pair authentication in addition to passwords. This gives users a more secure way to access a service and reduces the risk of unauthorized access to sensitive data.
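The "salted and hashed" password storage described above, as an added example for this page and not #NotMe's own code: each password gets a fresh random salt, the salt and the KDF parameters are stored next to the hash so they can be re-derived at login, and the comparison is constant-time. The record format, the scrypt parameters, and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example; not #NotMe's implementation. scrypt comes from the Python
# standard library. The cost parameters below are an assumption for this
# example (16 MiB of memory per hash); tune them to your hardware.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt b64>$<hash b64>.

    A new random salt is generated unless one is supplied (supplying one is
    only useful for tests). Storing N, r and p alongside the hash lets the
    parameters be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-password random salt
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt/parameters and compare it.

    Malformed records are rejected rather than raising, and the comparison
    uses hmac.compare_digest so timing does not leak how many bytes matched.
    """
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if algo != "scrypt" or len(expected) == 0:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    # Same password, two records: different salts give different hashes.
    print("salts differ:", hash_password("same") != hash_password("same"))
```

Because the salt is random per record, a breached table cannot be attacked with one precomputed dictionary for all users, and the memory-hard KDF makes each guess expensive; neither property holds for a plain SHA-256 of the password.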
Vulnerability assessment is a subject we take very seriously at #NotMe; it is increasingly important, especially for SaaS (Software-as-a-Service) providers like us. Following the ISO 29147 standard for receiving vulnerability reports and managing the public disclosure of information about them, and to avoid unnecessary risk to the providers, customers, and users of our service, we have set up a process for handling security issues found by external parties. Potential vulnerabilities can be reported to our Security team via the #NotMe HackerOne program.
Our Security team will investigate each vulnerability report and dispatch it to the appropriate team for further investigation. The report will be acknowledged, and the team will assess its severity. Depending on that severity, the issue will be resolved immediately or in a future release of our products.
Our team makes every effort to give credit for the responsible disclosure of a vulnerability and to encourage continued responsible reporting in the future.
The most recent one was carried out by GreyCastle Security in November 2021.
All #NotMe services are hosted in data centers maintained by industry-leading cloud platforms, which offer state-of-the-art physical protection for servers and infrastructure. These platforms are certified against ISO 27001, SOC 1/SSAE 1, and other standards.
Before subscribing to a service or adopting an open-source component, we assess the risks involved, both now and in the future. Dependencies are either scanned automatically for known security vulnerabilities or reviewed quarterly. We also keep our servers up to date with the latest available security patches.
#NotMe’s servers are hosted on AWS, in both Europe and the US.
#NotMe has set up processes to monitor its infrastructure and ensure proper logging. Any access to production systems, use of privileged commands, and similar events are logged and retained. Logs are analyzed to detect potential breaches or issues; this analysis alerts us to bugs or unauthorized access to our servers, and the logs are accessible only to designated employees.
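What "analyzing the logs for unauthorized access" can look like in practice, as an added example that is not part of #NotMe's page or tooling: a small detector run over constructed sshd and sudo log lines. It flags interactive logins from outside an assumed bastion subnet, password logins where key-based authentication is expected, sudo use by accounts not on an allowlist, privileged commands touching sensitive paths, and repeated authentication failures from one address. The log lines, hosts, users, addresses, subnet, allowlist and thresholds are all invented for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in syslog/sshd/sudo format (not real logs).
SAMPLE_LOG = """\
Jan 10 09:12:01 prod-web-1 sshd[1203]: Accepted publickey for deploy from 10.0.3.14 port 51234 ssh2
Jan 10 09:12:05 prod-web-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Jan 10 09:30:44 prod-web-1 sshd[1300]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
Jan 10 09:31:02 prod-web-1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 10 09:35:00 prod-web-1 sshd[1350]: Failed password for root from 198.51.100.7 port 2222 ssh2
Jan 10 09:35:01 prod-web-1 sshd[1351]: Failed password for root from 198.51.100.7 port 2223 ssh2
Jan 10 09:35:02 prod-web-1 sshd[1352]: Failed password for root from 198.51.100.7 port 2224 ssh2
Jan 10 09:35:03 prod-web-1 sshd[1353]: Failed password for admin from 198.51.100.7 port 2225 ssh2
Jan 10 09:35:04 prod-web-1 sshd[1354]: Failed password for admin from 198.51.100.7 port 2226 ssh2
"""

# Policy assumptions for this example: interactive access only through the
# bastion subnet using keys; only these accounts may use sudo; these paths
# are sensitive; five failures from one address counts as brute force.
BASTION_NETS = [ipaddress.ip_network("10.0.3.0/24")]
SUDO_ALLOWLIST = {"deploy", "ops"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/")
BRUTE_FORCE_THRESHOLD = 5

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")


def analyze(log_text):
    """Return a list of (rule, subject, detail) findings for the given log text."""
    findings = []
    failed_by_ip = Counter()
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, method, user, ip = m.groups()
            if outcome == "Failed":
                failed_by_ip[ip] += 1  # counted, reported once at the end
                continue
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in BASTION_NETS):
                findings.append(("login_outside_bastion", user, ip))
            if method != "publickey":
                findings.append(("password_auth_used", user, ip))
            continue
        m = SUDO_RE.search(line)
        if m:
            user, _target, cmd = m.groups()
            if user not in SUDO_ALLOWLIST:
                findings.append(("sudo_by_unlisted_user", user, cmd))
            if any(p in cmd for p in SENSITIVE_PATHS):
                findings.append(("sensitive_path_access", user, cmd))
    for ip, count in failed_by_ip.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute_force", ip, count))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_LOG):
        print(f"{rule:24} {subject:16} {detail}")
```

The allowlisted `deploy` login and its `systemctl` restart produce no findings, while `alice`'s password login from a non-bastion address, her `sudo cat /etc/shadow`, and the five failed root/admin attempts from 198.51.100.7 each do. In a real deployment the same rules would run against centralized, append-only logs rather than a file on the host that a compromised account could edit.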
On request, #NotMe hard-deletes all information related to an employee within 14 days. Data removal can be requested through the #NotMe app or by email to firstname.lastname@example.org.
Cloud hosting platforms are responsible for securely wiping disks before providing them to other customers. #NotMe erases any sensitive data and follows the platform’s procedures when removing a disk volume from the infrastructure.
Infrastructure issue
#NotMe uses the services provided by its cloud hosting platform to keep production servers running if one of the servers fails. Fallback procedures are in place for issues with any part of the production network (server, database, workers, etc.). Our deployment process makes it quick and easy to replace any part of our infrastructure.
All production transactions are replicated between all #NotMe servers in the same geographic location, allowing us to minimize downtime and data loss in case of an incident.
All production servers are backed up at least once per day in a remote location. These backups are regularly tested to make sure they can be restored.
#NotMe has created specific response procedures for potential threats and/or incidents. These explain how to manage the events that might happen and the steps to follow. In the case of a data incident, we make sure to inform the affected users by email.
NotMe Solutions Inc. utilizes enterprise-grade best practices to protect our customers’ data. We’re currently in the process of pursuing our ISO 27001 Certification. NotMe Solutions Inc. has built a thorough ISMS that includes the following:
Continuous Security Control Monitoring
NotMe Solutions Inc. uses Drata’s automation platform to continuously monitor 100+ internal security controls across the organization against the highest possible standards. Automated alerts and evidence collection allow NotMe Solutions Inc. to confidently demonstrate its security and compliance posture on any day of the year, while fostering a security-first mindset and a culture of compliance across the organization.
Security is a company-wide endeavor. All employees complete an annual security training program and employ best practices when handling customer data.
Secure Software Development
NotMe Solutions Inc. utilizes a variety of manual and automatic data security and vulnerability checks throughout the software development lifecycle.
Data is encrypted both in-transit using TLS and at rest.
Internal Audit Program
Internal Audits are conducted annually by personnel who are independent and competent, as defined by the ISO standard.
Vulnerability Disclosure Program
If you believe you’ve discovered issues in NotMe Solutions Inc.’s security, please get in touch at email@example.com. Our security team promptly investigates all reported issues.
Risk Management Program
NotMe Solutions Inc. conducts a Risk Assessment annually that results in the creation of Risk Treatment Plans which lay the foundation for overall risk reduction and continuous improvement of the security program.