Security
Your data is safe and available
At Valpeo, we strive to help businesses work smarter. But that would be impossible without making our software a safe and trustworthy place to store data. That's why data security is an absolute priority to us. For the sake of transparency, here's a list of measures we take to keep your data safe and available 24-7.
1. Availability
Will Valpeo be available all the time?
Valpeo strives to maintain an uptime of 99.9%, and we use several services to monitor uptime and site availability. In case of downtime or emergency, our team receives real-time notifications, allowing us to act swiftly.
What if something isn't working?
In the rare case that issues do arise, we'll keep do everything within our power to resolve the issue as soon as we can.
2. Security measures
Encrypting data in transit.
All traffic to Valpeo passes through an SSL-encrypted connection, and we only accept traffic through port 443.
During a first website visit, Valpeo sends a Strict Transport Security Header (HSTS) to the user agent, ensuring that all future requests will be made via HTTPS. Even if a link to Valpeo is specified as HTTP.
Encrypting data at rest.
All data stored on Valpeo's systems is encrypted at rest. Information stored in our database systems or on our file systems is encrypted using the industry standard AES-256 encryption algorithm. AWS stores and manages data cryptography keys in its redundant and globally distributed Key Management Service.
This means that even if an intruder were ever able to access any of the physical storage devices, the data contained therein would still be impossible to decrypt without the keys, rendering the information useless.
AWS security practices
Valpeo uses Amazon Web Services (AWS) to store user data. These servers undergo recurring assessment to ensure compliance with the latest industry standards, and continually manages risk. By using AWS as our data center, our infrastructure is accredited by:
Password policy and storage
To access Valpeo, you need to provide a strong password of at least 6 characters. We do not store these user passwords in plain text, we only store one-way encrypted password hashes using open source audited Bcrypt, including a per-user-random-salt. This protects users against rainbow table attacks and encrypted password matching.
If users enter incorrect passwords multiple times in a row, the account will be temporarily locked to prevent brute-force attacks. To protect account access further, users can activate Two-Factor Authentication using Google Authenticator or Authy through the user account security settings.
Request throttling and tracking
We block requests originating from known, vulnerable IP addresses or ranges.
Requests that originate from the same IP are throttled and rate-limited to avoid potential misuse.
XSS and CSRF Protection
To block Cross-Site Scripting Attacks (XSS), all output is escaped by default in our back-end application before hitting the browser potentially causing XSS attacks. We avoid using returning raw data, as this could potentially cause unwanted data to be sent to the browser.
Our application blocks requests that do not originate from our own domain(s), to help reduce the risk of Cross Site Request Forgery (CSRF) attacks; For important actions, we also use CSRF-tokens.
Lastly, we've implemented the Content Security Policy (CSP) HTTP header, which whitelists which assets (javascripts, images, stylesheets, etc.) the user's browser should allow to load and execute. A correctly implemented CSP header eliminates any malicious javascript (XSS attacks), crafted files disguised as images, and similar attacks based on the browser's trust of the assets served.
Organisation
Our team uses strong, unique passwords for Valpeo accounts and has set up Two-Factor Authentication for each device and service they use. All Valpeo employees are encouraged to use password manager software (LastPass, 1Password, …) to generate and store strong passwords.
We also make sure to encrypt local hard drives and enable automatic screen locking. All access to application admin functionalities is restricted to a select group of people.
3. Quality assurance
Code review
We introduced strict code reviews for any change to our code base, to ensure development best practices are used across all our code pushes.
Vulnerability disclosure
Since the launch of Valpeo, we've invited everyone to notify us of issues they find in our application, to continuously make our platform more secure and reliable. All vulnerability report submissions are read, handled and responded to in the shortest possible time frame.
At Valpeo, we strive to help businesses work smarter. But that would be impossible without making our software a safe and trustworthy place to store data. That's why data security is an absolute priority to us. For the sake of transparency, here's a list of measures we take to keep your data safe and available 24-7.
1. Availability
Will Valpeo be available all the time?
Valpeo strives to maintain an uptime of 99.9%, and we use several services to monitor uptime and site availability. In case of downtime or emergency, our team receives real-time notifications, allowing us to act swiftly.
What if something isn't working?
In the rare case that issues do arise, we'll keep do everything within our power to resolve the issue as soon as we can.
2. Security measures
Encrypting data in transit.
All traffic to Valpeo passes through an SSL-encrypted connection, and we only accept traffic through port 443.
During a first website visit, Valpeo sends a Strict Transport Security Header (HSTS) to the user agent, ensuring that all future requests will be made via HTTPS. Even if a link to Valpeo is specified as HTTP.
Encrypting data at rest.
All data stored on Valpeo's systems is encrypted at rest. Information stored in our database systems or on our file systems is encrypted using the industry standard AES-256 encryption algorithm. AWS stores and manages data cryptography keys in its redundant and globally distributed Key Management Service.
This means that even if an intruder were ever able to access any of the physical storage devices, the data contained therein would still be impossible to decrypt without the keys, rendering the information useless.
AWS security practices
Valpeo uses Amazon Web Services (AWS) to store user data. These servers undergo recurring assessment to ensure compliance with the latest industry standards, and continually manages risk. By using AWS as our data center, our infrastructure is accredited by:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- C5 Operational Security
- ENS High
- IT-Grundschutz
Password policy and storage
To access Valpeo, you need to provide a strong password of at least 6 characters. We do not store these user passwords in plain text, we only store one-way encrypted password hashes using open source audited Bcrypt, including a per-user-random-salt. This protects users against rainbow table attacks and encrypted password matching.
If users enter incorrect passwords multiple times in a row, the account will be temporarily locked to prevent brute-force attacks. To protect account access further, users can activate Two-Factor Authentication using Google Authenticator or Authy through the user account security settings.
Request throttling and tracking
We block requests originating from known, vulnerable IP addresses or ranges.
Requests that originate from the same IP are throttled and rate-limited to avoid potential misuse.
XSS and CSRF Protection
To block Cross-Site Scripting Attacks (XSS), all output is escaped by default in our back-end application before hitting the browser potentially causing XSS attacks. We avoid using returning raw data, as this could potentially cause unwanted data to be sent to the browser.
Our application blocks requests that do not originate from our own domain(s), to help reduce the risk of Cross Site Request Forgery (CSRF) attacks; For important actions, we also use CSRF-tokens.
Lastly, we've implemented the Content Security Policy (CSP) HTTP header, which whitelists which assets (javascripts, images, stylesheets, etc.) the user's browser should allow to load and execute. A correctly implemented CSP header eliminates any malicious javascript (XSS attacks), crafted files disguised as images, and similar attacks based on the browser's trust of the assets served.
Organisation
Our team uses strong, unique passwords for Valpeo accounts and has set up Two-Factor Authentication for each device and service they use. All Valpeo employees are encouraged to use password manager software (LastPass, 1Password, …) to generate and store strong passwords.
We also make sure to encrypt local hard drives and enable automatic screen locking. All access to application admin functionalities is restricted to a select group of people.
3. Quality assurance
Code review
We introduced strict code reviews for any change to our code base, to ensure development best practices are used across all our code pushes.
Vulnerability disclosure
Since the launch of Valpeo, we've invited everyone to notify us of issues they find in our application, to continuously make our platform more secure and reliable. All vulnerability report submissions are read, handled and responded to in the shortest possible time frame.
We use cookies to provide the best site experience.
Read more about the use of cookies in our Cookie Policy.
Read more about the use of cookies in our Cookie Policy.
Ok, don't show again
