Information Security Policy

Version: 1.1

Date: 2024-12-04

Email: [email protected]

Introduction

At GearTracker.net, we are committed to maintaining the confidentiality, integrity, and availability of our SaaS platform, which supports the management and inspection of your equipment. This cybersecurity policy outlines the technical and organizational measures we implement to secure our systems and data entrusted to us by our customers.

Scope

This policy applies to:

  • The GearTracker.net SaaS platform and infrastructure.
  • All data processed, including customer account data and uploaded inventory data.
  • Employees, subcontractors, and systems involved in platform development and operation.

Infrastructure & Hosting Security

Cloud Hosting

Our infrastructure is hosted on Heroku, in a region located in the European Union. This hosting complies with the General Data Protection Regulation (GDPR), ensuring the privacy and protection of European Union customers’ personal data.

This hosting provider complies with ISO 27001, SOC 2, and GDPR standards.

Network Security

All network traffic is protected upstream by Cloudflare, which provides:

  • DDoS protection
  • Intelligent request filtering via its Web Application Firewall (WAF)
  • End-to-end encryption with TLS 1.2 or higher

Cloudflare is ISO 27001:2013 certified and SOC 2 Type II compliant.

Our production environments are hosted on Heroku (Salesforce Platform).

Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Access to production systems is strictly controlled:

  • Only via encrypted connections
  • Limited to authorized accounts using multi-factor authentication (MFA)
  • Based on the principle of least privilege

Backup and Recovery

We implement the following backup and recovery measures:

  • Daily backups of all critical systems and databases.
  • Backups encrypted and stored in geographically redundant locations.
  • Regular restoration tests performed to ensure backup integrity.

Application Security

General Security Requirements

We follow the OWASP ASVS Level 2 security requirements (https://owasp.org/www-project-application-security-verification-standard/) for the development of our applications.

Development Best Practices

  • Developed in TypeScript (Strict Mode) with a modern stack: React (frontend), NestJS (backend), Prisma ORM.
  • Code reviews required for all merges to production.
  • All code is stored in a private GitHub repository.
  • Automated testing (unit and integration tests) for all critical features.
  • Dependencies scanned regularly for vulnerabilities using npm audit.

Secure Coding Practices

  • Adherence to the OWASP Top Ten guidelines and OWASP ASVS Level 2.
  • Input validation and sanitization for all user inputs.
  • Use of prepared statements and the ORM to prevent SQL injection.
  • Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) protections implemented.

Vulnerability Management

Security patches are applied within 24 hours for critical vulnerabilities. We have the capability to deploy prepared hotfixes to production within 5 minutes without downtime.

Authentication & Authorization

  • Google OAuth 2.0 and token-based stateless authentication (JWT) for user authentication.
  • Role-Based Access Control (RBAC) to restrict feature access.

Data Protection & Privacy

Encryption

Sensitive data such as passwords are stored using AES-256 and a salt.

GDPR Compliance

Please refer to the Privacy and Personal Data Protection Policy for details on how we handle personal data.

Access Management

Principle of least privilege applied across the organization.

  • All administrative access is logged and monitored.
  • Access to production systems is limited to authorized personnel only.
  • All employees and contractors undergo background checks before being granted access to sensitive systems.

Device Management

All devices used to access production systems and/or critical data are managed and secured.

  • They have a password or biometric lock enabled.
  • They require two-factor authentication (2FA) to access production systems.

Monitoring & Incident Response

Monitoring

24/7 real-time monitoring of infrastructure and application performance. Alerts are configured for suspicious activity, usage anomalies, and performance degradation.

Incident Response Plan

Defined and tested Incident Response Procedure (IRP). Customers are notified within 24 hours of any breach affecting their data. A dedicated email address, [email protected], is used for incident reporting.

Client Device Compromise

We do not manage the devices used by clients to access the application. We recommend that all clients secure their devices (PCs, smartphones, tablets) by using password or biometric locking systems, as well as up-to-date antivirus software.

We have the ability to disable a user account in the event of a client device compromise. We also recommend changing the password of the affected user account.

Physical Security

Our primary infrastructure provider maintains:

  • 24/7 monitored data centers.
  • Biometric access controls.
  • Fire suppression and redundant power systems.

For additional information see: https://aws.amazon.com/security

Continuous Improvement

We continuously review and improve our cybersecurity posture:

  • Annual reviews of this policy.
  • Feedback from customers and audits is integrated into our roadmap.

Contact & Responsible Disclosure

All GearTracker.net employees are trained in security awareness and best practices. We encourage responsible disclosure of security vulnerabilities, both internally and externally. We welcome the reporting of security vulnerabilities at [email protected].

Risk Management

We have implemented a risk management process to identify, assess, and mitigate risks related to information security.
We conduct regular risk assessments to identify potential threats and vulnerabilities in our infrastructure and applications.
We implement appropriate mitigation measures to reduce identified risks to an acceptable level.
We maintain the following documents and their related processes:

  • Information Security Policy (this document)
  • Risk & Opportunities Register (internal)
  • Incident Response Plan (IRP, internal)
  • Business Continuity Plan (BCP, internal)