Physical security
Locations
Our data centres are located in the outskirts of Dublin, Ireland and Frankfurt, Germany. In each location services are spread across several facilities (availability zones), for maximum redundancy. We also run globally distributed edge-locations (a CDN) for quicker loading of the website and client code.
Facilities
Our servers are hosted in data centres certified under ISO 27001, IT Grundschutz and SOC 3. Our data centre provider AWS run sophisticated facilities with redundant power, backup generators and multiple internet connections to keep things running non-stop.
Site security
The facilities are manned around-the-clock, with guards, cameras and other perimiter security protecting each site. Access is strict and monitored, with only authorised personnel having access.
Network security
Encryption
Data sent to and from Skovik is encrypted, using 128-bit encryption. Application endpoints are HTTPS-only. We use modern crypto-configuration such as Perfect Forward Secrecy, Strict Transport Security, OCSP stapling and strong cypher suites.
Architecture
Our production network is separate from our corporate network. Within the production network services are logically separated with access-control lists regulating inter-service communication. For machine-access, we have a dedicated control plane. Bastion hosts are used to provide an additional layer of access security. Firewalls protect all systems, and only web-servers are internet-addressable.
Network vulnerability scanning
We regularly perform automated network vulnerability scanning to identify out-of-compliance or vulnerable systems.
Limited access
Access to the Skovik production network is very limited, granted only on a least privilege, need-to-know basis. Access is logged and monitored by our operations team. Multiple factors of authentication are required.
Durability & availability
Durability
All customer data is replicated across two data centres, with an average replication delay under 5 seconds. In addition, snapshots are taken every hour and stored in a safe archive. As a result, there are always three instances of all customer data.
Uptime
Skovik maintains a publicly available system status page, with current availability, historical uptime metrics, information about scheduled maintenance and incident history.
View the status page
Failover & redundancy
Our systems are architected to withstand the failure of individual components. Individual nodes are health-checked several times per minute and automatically taken out of the rotation if a failure occurs, allowing other nodes to step in and pick up the task.
Disaster recovery
In the case of complete unavailability of our primary data centre, we have a secondary site on stand-by, where we can resume operations.
DDoS protection
We have a DDoS-mitigation layer filtering inbound traffic, using a combination of traffic signatures and anomaly algorithms to detect and deflect malicious traffic.
Application security
Credential storage
Skovik stores passwords and other credentials using industry best-practices. Passwords are one-way encrypted (hashed and salted) using bcrypt.
Email security
We use DKIM, SPF and DMARC to secure emails sent by Skovik. Further, our emails are sent with Transport Layer Security (TLS) to encrypt emails in transit to the receiving email server.
Client security
Modern browser technology, such as Content Security Policy and Strict Transport Security, is used to lock down the client runtime from attacks.
Payment processing
Card payments are processed by our payments partner. They are certified under PCI DSS Level 1, a stringent standard administered by the Payment Card Industry Security Standards Council. Sensitive payment data (such as credit card numbers) are never stored on, or transmitted through, Skovik servers.
Logging
We log activity across the Skovik services. Logs are aggregated and stored in a central repository, for monitoring and analysis.
Secure development
Security training
Engineers participate in annual security training. The training cover common security flaws, common attack vectors and our internal security controls.
Static code analysis
We continuously run source-code analysis, matching code and dependencies against a database of known vulnerabilities.
Code review
All code is reviewed by a second pair of eyes, where security is one of the evaluation points. Components related to authentication, sessions and authorization are given extra scrutiny.
Application vulnerability scanning
We use third-party security tools to regularly scan our application for vulnerabilities at the application level.
Separate environments
Development, testing and staging environments are entirely separate from the production environment, sharing nothing but the code itself.
Product security features
Single sign-on (SSO)
Single sign-on (SSO) allows employees to log in to Skovik using their ordinary work credentials. Also, SSO makes it easy for companies to customise their password policy (requiring a second factor, setting a minimum password length and similar). The protocol is OpenID-Connect, which is also used by Microsoft, Google, Salesforce, Okta and others.
Access roles
Skovik has role-based authorization, for granular assignment of access privileges to users in the system.