Security report
Prepared on 2024-07-27
This report covers aspects of user identity, authentication, and access control (the "System") provided by Userfront for Demo Workspace.
The following sections list and discuss the settings that the System uses to process and store data. These sections also provide detailed information about the System's security, availability, and privacy settings.
Encryption at Rest
All user information is encrypted at rest.
All Personally Identifiable Information (PII) is encrypted at rest.
| Attribute | Status |
|---|---|
| Name | Encrypted at rest |
| Username | Encrypted at rest |
| Encrypted at rest | |
| Phone number | Encrypted at rest |
| All other user data | Encrypted at rest |
Encryption Method
The System uses the industry standard AES-256 algorithm to encrypt all underlying storage for database instances, automated backups, and read replicas.
| Attribute | Status |
|---|---|
| Encryption at rest algorithm | AES-256 |
User Data Protection
The System allows for removal of user information upon request.
The System uses a data classification policy to determine how different types of data are handled. All user data is classified at the highest level of restriction.
There is a data protection policy and a defined process for responsible disclosure.
| Attribute | Status |
|---|---|
| Removal of user data upon request | Active |
| Data classification policy | Active |
| Data protection policy | Active |
| Process for responsible disclosure | Active |
Backup & Replication
The System performs daily backups of all database information and stores these encrypted backups across multiple redundant regions.
The System further provides active redundancy, with live database replication across multiple regions.
| Attribute | Status |
|---|---|
| Backup cadence | Daily |
| Backup replication | Multi-region |
| Active replication | Multi-region |
| Encryption at rest | Active |
| Encryption at rest algorithm | AES-256 |
Database Monitoring
The System is configured to automatically and continuously monitor database CPU utilization, database read I/O, and database free storage space. Each monitoring category includes real-time alerting and visualization along with historical data and metrics.
The System utilizes a data retention policy to determine when data should be retained and how it should be disposed of, when appropriate.
| Attribute | Status |
|---|---|
| Database CPU monitoring | Active |
| Database read I/O monitoring | Active |
| Database free storage space monitoring | Active |
| Data retention policy | Active |
Password Rules
The System enforces password requirements that meet or exceed NIST Password Guidelines.
Passwords must be at least 16 characters long, or at least 8 characters long including a letter and a number.
Passwords cannot exceed 512 characters in length.
| Attribute | Status |
|---|---|
| Minimum password length if letter and number are included | 8 characters |
| Minimum password length without character requirements | 16 characters |
| Maximum password length | 512 characters |
Password Handling
The System does not store passwords in plain text. Passwords are stored as hashes and are encrypted at rest.
Passwords are not written to system logs.
The System uses the Bcrypt hashing function to generate password hashes, with a unique salt for each password.
The System limits the rate of password attempts at multiple levels, including per IP address, per user, and at the system-wide level.
| Attribute | Status |
|---|---|
| Password hashing function | Bcrypt |
| Password hashing cipher | Blowfish |
| Password salting | Unique per password |
| Key stretching | Included |
| Brute force attack resistance | Active |
| Preimage attack resistance | Active |
| Timing attack resistance | Active |
| Rainbow table attack resistance | Active |
| Log filtering | Active |
| Password hash encryption at rest | Active |
Password Resets
The System provides secure, single-use, time-expiring password reset credentials when requested by a user.
| Attribute | Status |
|---|---|
| Password resets | Active |
| Reset link expiration | 15 minutes |
| Reset link usage | Single use |
Token Signing
The System uses JWT access tokens signed with the RSA 256 algorithm, an asymmetric public key algorithm.
Token signing for the System exceeds the latest Commercial National Security Algorithm (CNSA) specifications for commercial cryptography, approved by the NSA to protect National Security Systems (NSS) up to the TOP SECRET level.
| Attribute | Status |
|---|---|
| Access token format | JSON Web Token (JWT) |
| Access token expiration | 7 days |
| Token signing algorithm | RSA 256 |
| Modulus size | 4096-bit |
| Token signing type | Asymmetric / public key cryptography |
Private Key Security
The System encrypts all private signing keys at rest, such that theft of the database would not expose private signing key information.
Private signing keys are further encrypted using column-level encryption. This means that an active database connection also does not expose private signing key information.
| Attribute | Status |
|---|---|
| Private signing keys encrypted at rest | Active |
| Private signing keys encrypted at column level | Active |
| Private signing keys not accessible over network connection | Active |
Token Refresh
The System uses refresh tokens in conjunction with access tokens. Refresh tokens allow for shorter-lived access tokens, which improves security.
| Attribute | Status |
|---|---|
| Refresh token expiration | 30 days |
JWT Access Token Storage
When logged into this application via a web browser, a user's JWT access token is stored as a cookie.
This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.
| Attribute | Status |
|---|---|
| Secure | true |
| SameSite | Lax |
| HttpOnly | false |
| Expires / Max-Age | 7 days |
Refresh Token Storage
When logged into this application via a web browser, a user's refresh token is stored as a cookie.
This cookie is only sent with encrypted requests (HTTPS) to this application's originating website.
| Attribute | Status |
|---|---|
| Secure | true |
| SameSite | Strict |
| HttpOnly | false |
| Expires / Max-Age | 30 days |
Network Accessibility
The System requires SSL connections made with the https:// protocol.
The System limits the number of requests that can be made per user, per IP address, per tenant, and combinations of these. This is done to prevent automated probing of the System by malicious third parties, and to improve the overall quality of the System.
Public SSH into the System is not accepted.
The System database is logically isolated from the internet. This means that the database is not reachable for external requests.
| Attribute | Status |
|---|---|
| Forced SSL | Active |
| Rate limiting | Active |
| Public SSH denied | Active |
| Database logical isolation | Active |
Network Configuration
The System uses load balancing with network filtering in order to improve quality and security of incoming network requests.
The System's application instances and database instances are hosted on a virtual private network. This prevents direct access from external requests, providing an additional layer of security based on logical isolation.
| Attribute | Status |
|---|---|
| Load balancers used | Yes |
| Load balancer network filtering | Active |
| Application instances on private network | Yes |
| Database instances on private network | Yes |
Platform Monitoring
The System monitors network traffic for both performance and intrusion detection.
All application instances and load balancers are also monitored to detect anomalies in usage and to proactively search for security threats.
| Attribute | Status |
|---|---|
| Network intrusion detection | Active |
| Network I/O monitoring | Active |
| Instance CPU monitoring | Active |
| Load balancer monitoring | Active |
Database Monitoring
The System monitors all database instances along a variety of metrics, including CPU utilization, read I/O, and free storage space.
| Attribute | Status |
|---|---|
| Database CPU monitoring | Active |
| Database read I/O monitoring | Active |
| Database free storage space monitoring | Active |
Log Monitoring
The System logs all requests related to authentication and access control, and these logs are reviewed both automatically and manually. Logs are additionally backed up and retained for future use as needed.
All logs are filtered and do not contain sensitive information like user passwords or application secrets.
| Attribute | Status |
|---|---|
| Log retention | Active |
| Log monitoring | Active |
| Log filtering | Active |
SOC 2
This application uses Userfront for authentication and access control. Userfront is SOC 2 certified and was last audited by Ernst & Young on December 31, 2023.
SOC 2 controls are further continuously monitored by Drata, with daily reporting on the status of all controls.
| Attribute | Status |
|---|---|
| SOC 2 certification | Active |
| SOC 2 monitoring | Active |
| SOC 2 auditor | Ernst & Young |
| SOC 2 monitor | Drata |
| SOC 2 scope | Security, Availability, Confidentiality |
| SOC 2 audit date | December 31, 2023 |
Automated Testing
The System utilizes a Test-Driven Development process for all code deploys. This means that an automated test suite verifies the proper behavior of all endpoints any time the underlying production codebase is changed.
The System also monitors the production API with a 5 minute cadence, which allows for early detection and alerting for any problems that may arise.
| Attribute | Status |
|---|---|
| Automated test suite | Active |
| Automated test count | > 1,000 |
| Automated endpoint monitoring | Active |
| Endpoint monitoring cadence | 5 minutes |
Penetration Test
The System undergoes regular penetration testing by third parties, and any potential security issues or suggestions are addressed in a timely fashion.
The most recent penetration test was performed in January 2024.
| Attribute | Status |
|---|---|
| Regular penetration testing | Active |
| Latest penetration test | January 2024 |
| Performed by | External 3rd party |
| Critical vulnerabilities discovered | 0 |
| High severity vulnerabilities discovered | 0 |
Vulnerability Scan
The System undergoes regular automated vulnerability scans performed by third parties, and any potential security issues or suggestions are addressed in a timely fashion.
The most recent vulnerability scan was performed in April 2024.
| Attribute | Status |
|---|---|
| Regular vulnerability scans | Active |
| Latest vulnerability scan | April 2024 |
| Performed by | External 3rd party |
| Critical vulnerabilities discovered | 0 |
| High severity vulnerabilities discovered | 0 |