Security & Compliance


About

Security and compliance are top priorities for intuo because they are fundamental to your experience with the product. intuo is committed to securing your application’s data, eliminating system vulnerabilities, and ensuring continuity of access.

intuo uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

For general legal questions please email info@intuo.io

For questions regarding security, privacy and/or data protection please email philip@intuo.io

For general questions around intuo's offerings and services, including technical questions on how our services work, please email support@intuo.io

Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with an intuo product, please contact philip@intuo.io.

Please include a proof of concept, a list of the tools used (including versions), and the tools' output. We take every disclosure seriously: once a report is received, we verify the vulnerability promptly before taking the steps needed to fix it, and once it is verified we send periodic status updates while the problem is being fixed.

Compliance and Certification

GDPR

The European Union’s General Data Protection Regulation (GDPR) is an unprecedented privacy regulation in terms of its breadth, depth, and impact. The GDPR took effect on May 25, 2018, and we are fully compliant. In addition to being compliant, we have conducted a thorough Data Protection Impact Assessment (DPIA) covering all our external suppliers and vendors. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope.

A few of the major GDPR changes:

  • The GDPR gives EU residents the "right to be forgotten" by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
  • The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations who experience a data breach must notify data protection authorities, and in certain cases, they must also notify the data subject.
  • The GDPR now extends to organizations who monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
  • The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.

In an effort to exceed the requirements of GDPR and provide the same privacy benefits to all our users, intuo applies the standards of the regulation globally, instead of limiting its scope to Europe. All customer data (and all our marketing data) is treated in a way that conforms with GDPR.

You may submit a GDPR data request to intuo at any time via our self-service form, and we will respond within 48 hours.

intuo’s Data Processing Agreement (DPA) can be found here. Proof of our Data Protection Impact Assessment (DPIA) can be provided on request. Please read more about our work on legal matters here.

ISO 27001

intuo has completed the steps required for ISO 27001 certification and is an ISO/IEC 27001:2013 certified organisation. Our public ISO 27001 certificate can be found here.

Infrastructure and Network Security

Server Infrastructure

intuo’s products run on world-class infrastructure hosted in Amazon data centers running Amazon Web Services (AWS) technology. Our data centers are located in Frankfurt, Germany, and data never leaves Europe. Amazon data centers provide 24/7 physical security, state-of-the-art fire suppression, redundant utilities and biometric access devices to keep our customers’ data safe and secure. Amazon continually reviews and refines its procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB and Yelp. Amazon maintains security certifications with:

  • SOC 1 / ISAE 3402
  • SOC 2
  • SOC 3
  • FISMA, DIACAP, and FedRAMP
  • DoD CSM Levels 1-5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001

Customer data is stored in multi-tenant datastores; we do not run a separate datastore for each customer. Strict tenant-isolation controls in our application code ensure data privacy and prevent one customer from accessing another customer's data. We maintain many unit and integration tests that verify these controls work as expected. They run every time the codebase is updated, and a single failing test blocks new code from shipping to production.
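The paragraph above describes application-level tenant isolation in a shared datastore. The following is an added example (not intuo's code) of what that looks like in Ruby: a shared "table" of rows from several customers, an unsafe lookup by primary key beside a tenant-scoped lookup, and the kind of regression test a CI pipeline should run on every change so that a cross-tenant read is caught before deployment. The table, tenant names and record ids are constructed for the example.

```ruby
# Added example (not intuo's code): tenant scoping in a multi-tenant datastore.
# Rows from every customer live in one table; the application must never let a
# request on behalf of tenant A touch a row that belongs to tenant B.

class RecordNotFound < StandardError; end

# Constructed stand-in for a shared table (say, performance reviews).
REVIEWS = [
  { id: 101, tenant_id: 'acme',   body: 'Q1 review for Alice' },
  { id: 102, tenant_id: 'acme',   body: 'Q1 review for Bob' },
  { id: 201, tenant_id: 'globex', body: 'Q1 review for Carol' },
].freeze

# Unsafe: looks up by primary key alone. Any authenticated user who can guess
# or enumerate an id (101, 102, 201, ...) reads another customer's row.
def find_review_unscoped(id)
  REVIEWS.find { |r| r[:id] == id } or raise RecordNotFound
end

# Safe: every lookup is filtered by the caller's tenant first, so a foreign id
# is indistinguishable from a non-existent one (a not-found error, not a
# "forbidden" error that would confirm the id exists).
def find_review_for(tenant_id, id)
  REVIEWS.find { |r| r[:tenant_id] == tenant_id && r[:id] == id } or
    raise RecordNotFound
end

# Ids visible to a tenant; used by the isolation test below.
def review_ids_for(tenant_id)
  REVIEWS.select { |r| r[:tenant_id] == tenant_id }.map { |r| r[:id] }
end

# Regression test for CI: every row that exists must be unreachable through
# the scoped finder from every *other* tenant. Returns false on any leak.
def cross_tenant_isolation_holds?
  tenants = REVIEWS.map { |r| r[:tenant_id] }.uniq
  REVIEWS.all? do |row|
    (tenants - [row[:tenant_id]]).all? do |other|
      begin
        find_review_for(other, row[:id])
        false # reachable from a foreign tenant: isolation is broken
      rescue RecordNotFound
        true
      end
    end
  end
end

if __FILE__ == $0
  puts find_review_unscoped(201)[:body]   # an acme user reads globex data
  puts cross_tenant_isolation_holds?      # true: the scoped finder leaks nothing
end
```

In a real Rails code base the same idea is usually enforced by always starting queries from the current tenant's association (`current_account.reviews.find(id)`) rather than from the bare model, and the isolation test iterates real fixtures instead of the constructed array above.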

Physical Access Control

According to the Amazon Web Services Compliance Documentation: AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

intuo employees do not have physical access to Amazon data centers, servers, network equipment, or storage.

Logical Access Control

intuo is the administrator of its own infrastructure on Amazon Web Services. Access is granted only to designated, authorized intuo employees who need it. Production system access is limited to key members of the intuo engineering and ops team, and password authentication is expressly forbidden. We authenticate to our servers exclusively with public/private key pairs, and those servers sit behind a virtual private network that itself requires key-pair authentication.

Penetration Testing

intuo undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, intuo provides the agency with a production platform and a high-level diagram of application architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. intuo will provide a summary of penetration test findings upon request to Enterprise customers.

Logging

Logging is a critical component of intuo's infrastructure. Logs are used extensively for application troubleshooting and for investigating issues. They are streamed in real time, over secure channels, to a centralized logging service. This also lets our technical support and development teams view logs without being granted access to the production systems themselves.

Monitoring

intuo uses a variety of monitoring strategies. We monitor the performance of our apps through New Relic and Skylight. At the infrastructure level we monitor disk space and memory usage, and alarms on all our servers fire when either crosses a threshold, notifying our ops team. A single server going down does not cause downtime, because the app is served from multiple servers behind a load balancer.

Business Continuity and Disaster Recovery

High Availability

Every part of the intuo service runs on redundant servers (e.g., multiple web servers, replica databases) so that a single failure does not affect availability. As part of regular maintenance, servers are taken out of rotation without impacting availability.

Business Continuity

intuo keeps nightly encrypted backups of data in the Frankfurt region on Amazon Web Services. While never expected, in the case of production data loss (i.e., the primary data stores are lost), we restore organizational data from these backups.

Disaster Recovery

In the event of a region-wide outage, intuo will bring up a duplicate environment in a different Amazon Web Services region. The intuo operations team has extensive experience performing full region migrations.

Data Flow

Data into System

Data can be sent into the intuo system by users taking specific actions (through the user interface) or by using the REST API.

Data through System

Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over HTTPS (TLS), the most widely used and trusted secure communications protocol on the Internet, and data is encrypted in transit and, with AES-256, at rest. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is assigned to a firewall security group according to its function. By default all access is denied, and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and sit behind VPN and VPC firewalls.

intuo's latest SSL Labs Report can be found here.

Data out of System

Once data is sent and processed, it can then be accessed via intuo's user interface and REST APIs.

Data Security and Privacy

Data Encryption

All data on intuo servers is automatically encrypted at rest. Amazon Web Services stores and manages the cryptographic keys in its redundant Key Management Service (KMS). So, if an intruder were ever able to access one of the physical storage devices, the intuo data on it would be computationally infeasible to decrypt without the keys, leaving the information as nothing more than random-looking bytes.

intuo sends data exclusively over HTTPS connections secured with Transport Layer Security (TLS), protecting data as it transits to and from the application.
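The encryption-at-rest model described above (keys held by a key management service, data encrypted on the storage layer) is usually implemented as envelope encryption. The following added example, written for this page and not intuo's or AWS's code, shows the pattern end to end in Ruby's standard OpenSSL binding: each record is encrypted with its own AES-256-GCM data key, that data key is wrapped by a master key that never leaves the key service, and only the wrapped key and ciphertext are written to storage. The in-process `FakeKeyService` is a stand-in for AWS KMS, and the sample record is constructed.

```ruby
# Added example (not intuo's code): envelope encryption behind KMS-backed
# encryption at rest. FakeKeyService stands in for AWS KMS; in production the
# wrap/unwrap calls would be GenerateDataKey and Decrypt API calls instead.

require 'openssl'
require 'securerandom'

# AES-256-GCM with a fresh 96-bit IV; output packs iv || tag || ciphertext.
# aad (additional authenticated data) is bound into the tag but not encrypted,
# so a blob cannot be silently moved to a different record.
def aes_gcm_seal(key, plaintext, aad = '')
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv # 12 random bytes for GCM
  cipher.auth_data = aad
  ct = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ct
end

# Raises OpenSSL::Cipher::CipherError if the tag does not verify (wrong key,
# wrong aad, or any modified byte).
def aes_gcm_open(key, blob, aad = '')
  iv, tag, ct = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ct) + cipher.final
end

# Stand-in for KMS: holds the master key and only ever exposes wrap/unwrap,
# so application code never sees the master key material.
class FakeKeyService
  def initialize
    @master = SecureRandom.random_bytes(32)
  end

  # Returns [plaintext data key, wrapped data key], like KMS GenerateDataKey.
  def generate_data_key
    plaintext = SecureRandom.random_bytes(32)
    [plaintext, aes_gcm_seal(@master, plaintext)]
  end

  def unwrap(wrapped)
    aes_gcm_open(@master, wrapped)
  end
end

# What gets written to storage: the wrapped key and the ciphertext. The
# plaintext data key is used once and discarded.
def encrypt_record(kms, record_id, plaintext)
  data_key, wrapped = kms.generate_data_key
  { id: record_id, wrapped_key: wrapped, blob: aes_gcm_seal(data_key, plaintext, record_id) }
end

def decrypt_record(kms, stored)
  data_key = kms.unwrap(stored[:wrapped_key])
  aes_gcm_open(data_key, stored[:blob], stored[:id])
end

if __FILE__ == $0
  kms = FakeKeyService.new
  stored = encrypt_record(kms, 'rev-101', 'Q1 review for Alice')
  puts decrypt_record(kms, stored)
end
```

Two properties follow from the layout: the storage layer holds nothing that decrypts without the key service, and rotating the master key means re-wrapping the small data keys rather than re-encrypting every record.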

Data Retention

intuo retains user data for up to 5 years or until termination of the contract, whichever comes first. If a user is inactive for 5 years, we automatically delete their data.

Data Removal

All customer data stored on intuo servers is deleted within a maximum of 30 days after a customer terminates service and deletes their account. The data is also removed from backups within 7 days of that deletion. Data can also be deleted upon request.

Individual users can request removal of their own data via our GDPR form.

Application Security

Single Sign-On

intuo's single sign-on (SSO) implementation prioritizes security. SSO improves user experience by streamlining login and improving access from trusted domains. intuo currently offers SSO via the following:

REST API Authentication (API Key)

intuo's REST API uses an API key for authentication. The key is sent in the HTTP authorization header of each request and is used to authenticate the caller to the API.
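As an added example of the header-based API key scheme described above (this is illustrative Ruby, not intuo's API; the `Bearer` scheme, the `itk_` key prefix, the key length and the sample tenant names are all assumptions), the snippet below issues a key, stores only its SHA-256 digest so that a database leak does not hand out working credentials, and resolves an incoming `Authorization` header to a tenant using a constant-time comparison.

```ruby
# Added example (not intuo's code): API key issuance and verification for a
# REST API that carries the key in the Authorization header.

require 'openssl'
require 'securerandom'

KEY_PREFIX = 'itk_' # assumed prefix; makes leaked keys easy to grep for

# Issue a key: the caller sees the plaintext exactly once; the server keeps
# only the digest, keyed by tenant.
def issue_api_key(store, tenant_id)
  key = KEY_PREFIX + SecureRandom.hex(24)
  store[tenant_id] = OpenSSL::Digest::SHA256.hexdigest(key)
  key
end

# Constant-time equality: a plain == returns on the first differing byte,
# which lets a remote attacker time their way toward a valid value.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Resolve "Authorization: Bearer <key>" to a tenant id, or nil on any failure
# (missing header, wrong scheme, malformed key, unknown key).
def authenticate(store, headers)
  scheme, key = headers['Authorization'].to_s.split(' ', 2)
  return nil unless scheme == 'Bearer' && key && key.start_with?(KEY_PREFIX)
  digest = OpenSSL::Digest::SHA256.hexdigest(key)
  match = store.find { |_tenant, stored| secure_equal?(stored, digest) }
  match && match.first
end

if __FILE__ == $0
  store = {}
  key = issue_api_key(store, 'acme')
  puts authenticate(store, { 'Authorization' => "Bearer #{key}" }) # acme
  p authenticate(store, { 'Authorization' => "Bearer #{key}x" })    # nil
end
```

Hashing the key before lookup is what makes the stored table safe to leak; the constant-time compare is belt and braces on top of that. In a real deployment the store would be a table with one row per key so that keys can be rotated and revoked individually, and every successful and failed authentication would be logged with the tenant and source address.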

Password Requirements

intuo requires a "strong" password in order to register with the platform. Strong means:

  • Minimum 8 characters
  • Mix of upper and lowercase characters
  • At least 1 digit
  • At least 1 special character (such as: !?-_@ ...)

You can find more information about our password requirements in our helpdesk article.

Email Security

Sender Policy Framework (SPF) is a DNS-based mechanism that tells receiving mail servers which hosts are allowed to send mail for a domain, which prevents our addresses from being spoofed and helps receivers reject forged mail. We publish SPF records through Route53, our domain name service (DNS), and have Domain-based Message Authentication, Reporting and Conformance (DMARC) configured to deliver monitoring reports, so that phishing attempts impersonating our domain can be detected.
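To make the SPF and DMARC settings above concrete, here is an added Ruby example (not intuo's code) that evaluates the two records the way a security reviewer would: it classifies an SPF record by its `all` qualifier, parses a DMARC record into its tags, and reports the conditions that leave a domain spoofable, including the "monitoring only" case where DMARC is published with `p=none`. The record strings in the test are constructed samples, not intuo's real DNS; in production you would fetch the TXT records for the domain and for `_dmarc.<domain>` (for instance with `Resolv::DNS`) and feed them to the same functions.

```ruby
# Added example (not intuo's code): checks on SPF and DMARC TXT records.

# Classifies an SPF record by its "all" term:
#   :strong  "-all"  (fail)      unlisted hosts are rejected
#   :soft    "~all"  (softfail)  unlisted hosts are marked, usually quarantined
#   :weak    "+all", "?all", bare "all", or no "all" term at all
#   :missing not an SPF record
def spf_policy(txt)
  return :missing unless txt.to_s.start_with?('v=spf1')
  terms = txt.split(/\s+/)[1..-1]
  all = terms.find { |t| t =~ /\A[-~+?]?all\z/ }
  case all
  when nil    then :weak   # no all term behaves like "?all"
  when '-all' then :strong
  when '~all' then :soft
  else             :weak
  end
end

# Parses "v=DMARC1; p=none; rua=mailto:..." into { 'v' => 'DMARC1', ... };
# returns nil if the record is not a DMARC record.
def parse_dmarc(txt)
  return nil unless txt.to_s.start_with?('v=DMARC1')
  txt.split(';').map(&:strip).reject(&:empty?).each_with_object({}) do |kv, h|
    k, v = kv.split('=', 2)
    h[k.strip] = v.to_s.strip
  end
end

# Findings that leave the domain exposed to spoofing; an empty list is good.
def email_auth_findings(spf_txt, dmarc_txt)
  findings = []
  spf = spf_policy(spf_txt)
  unless [:strong, :soft].include?(spf)
    findings << (spf == :missing ? 'SPF missing' : 'SPF does not fail unauthorized senders')
  end
  dmarc = parse_dmarc(dmarc_txt)
  if dmarc.nil?
    findings << 'DMARC missing'
  else
    findings << 'DMARC p=none (monitoring only)' if dmarc['p'] == 'none'
    findings << 'DMARC has no rua reporting address' unless dmarc['rua']
  end
  findings
end

if __FILE__ == $0
  # Constructed sample records, not intuo's real DNS.
  p email_auth_findings('v=spf1 include:amazonses.com -all',
                        'v=DMARC1; p=none; rua=mailto:dmarc@example.com')
end
```

A `p=none` DMARC record is the right first step because it produces the aggregate reports needed to find every legitimate sender; the finding it raises here is a reminder that the policy must eventually move to `p=quarantine` or `p=reject` before receivers will actually discard forged mail.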

Secure Application Development (Application Development Lifecycle)

intuo practices continuous integration (CI): all code changes are committed, reviewed, tested, shipped, and iterated on in a rapid sequence. Continuous integration, combined with automated error tracking, significantly decreases the likelihood of a security issue reaching production and shortens the time to respond to, and eradicate, bugs and vulnerabilities.

Quality Assurance

After a feature has been built, the responsible developer opens a pull request (PR) for it. We use several standard tools and linters to improve both the code quality and the security of our product. Our code is linted with ESLint and RuboCop, with Pronto reporting the results on the pull request. We use static analysis scanners (such as Brakeman for Ruby on Rails) to look for vulnerabilities, including the OWASP Top 10.

Once a pull request is open and the linters and tools above pass, at least two people from the development team review the PR for code quality and functionality. A test suite running on a continuous integration server (CircleCI) checks for regressions. We write rigorous unit tests and acceptance tests for all significant features and bug fixes.

Every quarter, our security team conducts an internal application penetration test. This involves running a series of manual tests against both our infrastructure and our application, in which we attempt to exploit our servers and applications by probing for issues such as data inconsistency, privilege escalation, cross-site scripting (XSS), SQL injection and the like. Once a year, an external party conducts a thorough penetration test and vulnerability scan of our complete infrastructure.

Corporate Security

Malware and Virus Protection

At intuo, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations run Avast Antivirus. We also enable and enforce full-disk encryption, screen lock, and physical (non-digital) security measures.

Security Policies

intuo maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to intuo Enterprise customers upon request:

  • Information Security
  • Data Classification
  • Business Continuity
  • Password Policy

Security Training

All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training. Major updates are communicated via email to all intuo employees.