Security Policy


Reporting a security issue to Fluxiom

Fluxiom engineers continuously monitor our network for indications of security vulnerabilities that may put customer data at risk. Should you have any reason to believe that an issue has gone undetected, we encourage you to report it immediately. This page presents the best way to report such problems to us and introduces our response protocol.

Please contact us via email to security@fluxiom.com.

Infrastructure

Fluxiom is a hosted web service. The Fluxiom infrastructure has been built with disaster recovery in mind.

Data

All customer data is stored in Vienna, Austria.

Our state-of-the-art servers are protected by magnet card lockers and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides extra protection against unauthorized entry and security breaches.

Customer data is stored in multi-tenant data stores; we do not have individual data stores for each customer. We have many unit and integration tests in place to ensure the privacy controls that separate tenants work as expected. These tests are run every time our codebase is updated. No code will be shipped to production if a test fails.

Data protection strategy

We perform continuous database and storage backups, including daily offsite backups. Daily database and offsite backups are retained for 90 days.

Incident management and disaster recovery

We practice regular recovery drills. We perform hourly backups of all databases, and files are backed up automatically after they are uploaded to Fluxiom. Our backups are tested on a regular basis and are stored off-site for a maximum of one year. We have procedures in place for responding to various incidents.

See Response procedure and Incident response plan.

Data Transfer

Communication with the application and the website is over HTTPS. All data sent to or from Fluxiom is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A+” rating on SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

Being on Fluxiom’s network grants no corporate resources or additional privileges. We use two-factor authentication (2FA) and strong password policies for the cloud services we rely on. See Data.

All data is written to multiple disks instantly, backed up daily, and stored in multiple locations. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is updated regularly with the latest security patches.

Permissions and Admin Controls

Fluxiom allows permission levels to be set for every employee with access to Fluxiom. Permission and access controls are defined for the sensitive parts of the application, such as the backend, the servers, user data and app settings, billing, finance and support details in the app.

Control measures

Control measures are steps or mechanisms that reduce or eliminate threats to the Service and help to monitor its health and performance. For the Fluxiom application we perform periodic availability, health, performance and backup checks:

  • 24/7 availability checks of the Service from different locations around the world (every 1 to 5 minutes).
  • Real-time crash logs: errors that occur when using the Service are logged, so that unwanted events are detected early.
  • Automatic database health checks.

Build Process Automation

We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to our application within minutes. We have high confidence that we can get a security fix out quickly when required.

Incident Response

Fluxiom will promptly notify you in writing upon verification of a security breach of the Fluxiom services that affects your data. Notification will describe the breach and the status of Fluxiom’s investigation.

Disaster recovery

Disaster recovery involves a set of policies and procedures to enable the recovery of the Service following a natural or human-induced disaster. In case of a human-induced data loss, we can restore the Application and Database from the latest available backup (depending on backup retention period) in a timely manner.

Application Monitoring 

All access to Fluxiom applications is logged and audited.

Application Evaluation

Automatic unit and integration tests run under continuous integration (CI) for the application, including its security controls. We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated. No code will be shipped to production if a test fails.

We maintain a whitehats list (see Whitehats below).

Service Levels

We have uptime of 99.9% or higher.

Security Audits

We use tools such as mmonit to monitor access to our infrastructure and provide real-time access alerts. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.

We also have alerts in place for excessive resource use that escalate to our Ops team for manual investigation. Our products run on a dedicated network that is secured with firewalls and carefully monitored.

GDPR compliance

We are GDPR compliant as of 25th May 2018.

PCI Obligations

Fluxiom is not subject to PCI obligations. All payment instrument processing is outsourced to Stripe.

Our Third Parties list

Fluxiom engages certain onward sub-processors that may process personal data submitted to Fluxiom’s services. These sub-processors are listed below; the list may be updated by Fluxiom from time to time:

  • Stripe
  • Sentry
  • Intercom
  • Postmark
  • Pusher
  • Google Analytics
  • Twitter
  • Campaign Monitor

Contacting Fluxiom

We invite users experiencing general issues with Fluxiom to contact our support department. If the problem you wish to report has a bearing on platform integrity, you can also reach our security team at security@fluxiom.com. Alternatively, you can telephone +1 650-284-7142 to record a voicemail message.

When reporting a security issue, please be as thorough as possible. Describe the steps you are taking, the results you are getting and the results you were expecting to get. Also, please provide us with detailed configuration information so that we can reproduce your testing environment as accurately as possible.

Note that you are not required to provide us with personal information. However, doing so will allow us to contact you back, keep you updated on our progress and give you credit for your contributions. You are therefore strongly encouraged to provide us with at least a name or pseudonym and an email address.

Full disclosure in case of a data breach

We value the trust relationship we entertain with our clients above all. Should we have any reason to believe that a particular account has been compromised, we will liaise with its owners promptly. We will provide them with detailed information regarding the issue as we understand it, including its cause, duration, and impact. This rule knows no exception. If a breach were to affect an unknown number of accounts, or all of the accounts we host as a whole, we would additionally post information on our web site, blog or newsletter, depending on the nature and impact of the issue.

Responsible disclosure

While Fluxiom does not condone any cracking attempts, we will not prosecute users who report security issues to us and provide us with the information and time necessary to fix the issue before bringing it to the public’s attention — a practice known as responsible disclosure. 

This procedure is only valid as long as no user data or account has been violated. If a security issue affects user data, the affected users will be informed (see Full disclosure).

Users who opt to disclose security issues to us in a responsible manner will be kept posted about the progress of our analysis and given due credit once the vulnerability is fixed.

As a general rule, Fluxiom welcomes all feedback from its users and the Internet community at large. This includes members of the security community who wish to share feedback or information with us.

Response procedure

Upon contacting us through our security reporting channels, you can expect to hear back within 48 business hours. Please note that we reply to each and every legitimate submission. If you have not received a reply from us within 48 business hours, feel free to re-submit the ticket or telephone us to ask for a status update.

Once a submission is acknowledged and received, it will be escalated to our engineers who will analyze the nature of the issue as it relates to the Fluxiom platform. If necessary, emergency patches will be published to the platform while the analysis continues in order to minimize the window of exposure.

We will keep submitters updated throughout the process and let them know once the final fix has been published. The resolution of security issues takes precedence over the development of new features or the improvement of existing ones, and we will always strive to publish updates as promptly as possible.

Every security update brought to our platform triggers a full quality assurance review, to audit and improve both our code and our testing procedures.

Whitehats

Special thanks go out to the following researchers, who have helped protect our users in the past.

Questions

If you have any further questions, please do not hesitate to contact us.

This policy was last modified on April 18th, 2018.