Security at SROP

Platform and Network Security

Every change to the platform and our infrastructure goes through system controls that require peer review and secure identity authentication. On top of that, we also:

  • Test all services automatically, with an achieved test coverage of above 95%.

  • Run daily automated vulnerability scans on our public API and systems.

  • Use automated controls to keep our platform dependencies and infrastructure updated.

Encrypted During Transit and Storage

  • All of our data are stored encrypted.

  • Data encryption uses a minimum of a 256-bit key.

  • Each company has its own encryption key (no shared keys).

  • All encryption keys are stored on specialized hardware (AWS KMS).

  • All data transfers are performed over HTTPS (TLS >= 1.2) with no less than a 2,048-bit key.

Storage of Secrets

  • All secrets are stored using AES-256 symmetric encryption.

  • All secrets are stored in separate physical databases with stricter access controls.

  • Keys for encrypting and decrypting are stored on AWS KMS.

  • When a password is provided, it is mixed into the encryption key.

Data Retention & Disaster Recovery

  • Backups of secrets, “secret requests” and other sensitive objects have a 1-day retention period due to their sensitive nature.

  • Backup retention of the platform is 30 days.

  • Customer and audit log data are destroyed 10 days after account deletion.

  • Disaster recovery scenarios are exercised quarterly, and runbooks are updated or created as needed.

Compliance & Governance

  • All the data centres SROP uses are readily compliant with ISO27001, SOC-1,2,3, PCI-DSS L1 and more.

  • SROP is in the process of getting ISO27001 certified.