Security

Summary

42Layers understands that its products must meet the highest standards for security and privacy. To achieve this, 42Layers has established oversight and policy structures that identify and mitigate potential risks during development and service delivery. 42Layers has developed comprehensive and rigorous software security assurance processes and procedures that ensure and demonstrate the integrity of its products and address potential vulnerabilities.

42Layers may engage with independent third parties to give customers greater assurance that multiple layers of protection have been put into place to secure data.

Contact [email protected] if you have any questions or comments.

Industry Standard Security Controls

Application Architecture Security

42Layers' application architecture is comprised of components that, combined, provide a secure foundation for the software solution. 42Layers utilizes Google Cloud Platform as its web security and web application firewall provider, serving as a critical line of defense against potential malicious activity.

Solution Infrastructure

Our infrastructure is developed primarily in the Rust Programming Language. This provides memory safety (like Java) while providing the performance of C/C++. Given that our infrastructure packs and unpacks customer data, this provides a foundational level of security against security issues like buffer overflows. High-risk data transformations are done inside Web Assembly sandboxes to provide additional security.

Application Password Policy

Passwords are stored with the user identity in the control database. All passwords are stored as salted BCrypt hashes in accordance with OWASP’s recommendation for keyed functions.

Customers also have the option of utilizing SSO via SAML. In this scenario, a user’s password is stored in the customer’s identity provider (IdP) and not in the control database.

Communications Security

User access to the application is always via HTTPS, where we support TLS v1.2 or above. All access to our infrastructure is via HTTPS or SSH with key based two factor authentication

Data Backup and Business Continuity Management

Backups for cloud-hosted implementations are managed, performed, and tested by the Google Cloud Platform. Offsite backups are maintained with a best-effort 1 hour Recovery Point Objective.

To ensure business continuity for our provided services, 42Layers maintains a business continuity plan and holds annual technical and tabletop tests. For Google Cloud zonal failures, 42Layers has real time failover. For Google Cloud regional and multi-regional failures, 42Layers' Recovery Point Objective is 8 hours, while Recovery Time Objective (RTO) is 48 hours.

Data Encryption

All data, both in transit and at rest, is encrypted utilizing the 256 key bit Advanced Encryption Standard (AES).

All key management is implemented within Google Secret Manager.

Intellectual Property Rights and Data Usage

42Layers customers own their data, and we commit to keeping customer data strictly confidential. Data stored or accessed by 42Layers is only stored/accessed for the purposes of providing services 42Layers is contracted to provide.

If customers delete their data, 42Layers commits to deleting it from our systems within 30 days. 42Layers enables data portability so customers can have access to their data if they choose to stop using our services, without penalty or additional cost imposed by 42Layers.

Permissions

42Layers institutes role-based access and permissions across the entire organization. When designing roles, 42Layers follows the “Principle of Least Privilege” framework to ensure only appropriate users have access to sensitive information for the purpose of the task at hand.

Penetration and Vulnerability Testing

42Layers conducts penetration testing annually through the use of external third parties. The scope for any penetration testing engagement includes the primary web application, internal and external testing of the underlying architecture/infrastructure, and all associated API endpoints.

42Layers also has a robust vulnerability management program that utilizes the same scope as outlined for penetration testing on an ongoing basis. Automated vulnerability scanning is conducted at a regular cadence (both authenticated and unauthenticated) and operations teams work closely together to review potential risks, mitigate those risks, and reduce the attack surface across the organization.

Production Access

No resources are shared between the production environment and environments where development, quality assurance, and integration testing occur. Production access is limited to the deployment and on-call engineers, and strict audit access control is in place to ensure compliance. All production access is via a different channel than user access.

Privacy & Compliance

42Layers Company complies with all applicable privacy and data protection laws, including GDPR and CCPA. To safeguard customer privacy in accordance with the applicable regulatory frameworks, 42Layers has implemented appropriate measures to meet legal and regulatory requirements and continuously makes improvements based on regulatory changes.

42Layers is hosted on Google Cloud Platform. Physical and environmental security is handled entirely by our cloud service providers. Each of our cloud service providers provides an extensive list of compliance and regulatory assurances, including SOC 1/2-3, PCI-DSS, and ISO27001. See the Google Cloud Platform compliance, security, and data center security documentation for more detailed information.

In addition, 42Layers undergoes independent SOC2 audit annually and this report is made available under NDA to all existing and prospective customers.

Cross Border Transfers

To ensure personal data transfers from the EU to third-party countries apply with the GDPR, 42Layers leverages the European Commission’s approved standard contractual clauses (SCCs) as its lawful transfer mechanism.

In accordance with the GDPR and official guidance, the 42Layers team reviews the adequacy of data protection in the third-party country and applies appropriate measures to ensure the personal data subject to the transfer still receives essentially equivalent protection.

Data Subject Rights

Data subject and consumer rights are a fundamental component of data protection and privacy laws. 42Layers has implemented internal policies and procedures for handling data subject requests it receives, including receipt, verification of identity, and implementation of request.

Data Protection Impact Assessments

The GDPR requires that controllers conduct data protection impact assessments (DPIA) before engaging in a processing activity that is likely to result in a high risk to the rights and freedoms of data subjects, such as where the activity involves the use of new technology or involves a very large amount of personal data.

42Layers maintains a DPIA based on relevant official EU-based guidance, which covers all of the mandatory elements.

Company Access Policies

Access to all infrastructure is controlled via 2 Factor Authentication with physical keys where possible. All deployments, including test infrastructure use the same encryption policies as production services. We maintain state-of-the-art Continuous Integration/Continuous Deployment infrastructure enabling fast development times for customer feature delivery and security updates. We also employ industry standard code analysis, vulnerability scanning and runtime monitoring.

Questions? Concerns?

We're always happy to help with any other questions you might have! Send us an email at [email protected]