Security at passbolt

Passbolt SA implements an Information Security Management System (ISMS) aligned with the industry standards. This document aims to give you an overview of how we approach security as a whole at passbolt.

Organizational Security

Information Security Program

We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework.

We define and regularly review our organization’s security objectives as well as associated risks and mitigations. Our policies and their associated procedures are designed to protect personal data. Third-Party Audits.

Our organization undergoes independent third-party assessments to test our security and compliance controls.

Third-Party Penetration Testing

We perform an independent third-party penetration test at least annually to assess the security posture of our services. You can read more about our latest test results on the dedicated incident pages.

We run a bug bounty program to recognise and reward the work of independent security researchers. We offer a clear and secure way to contact us to report a security vulnerability as well as a clear process defining how we respond to such a report, both of which are outlined on the help site and products' readme file.

Roles and Responsibilities

Roles and responsibilities related to our Information Security Program and the protection of personal and sensitive data are well defined and documented. Our team members are required to review and accept all of the security policies.

We have dedicated staff responsible to implement and manage our security procedures. Through the associated supporting systems they regularly monitor for suspicious activity. They organise dedicated workshops to train and evaluate other staff members' response to security incidents. Security Awareness Training

All of our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management. They also undergo one-on-one dedicated security training, which covers the specific security requirements needed on the basis of their role. We educate and encourage collaborators to raise awareness, draft proposals in order to improve and innovate in the field of security and privacy.

Confidentiality

All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.

Background Checks

Each employee or contractor undergoes a background check and is requested to disclose any criminal record, previous employer details and education diploma, if any.

Product security

Development best practice

All the code produced for the core products and associated services must adhere to the OWASP guidelines and recommendation, to prevent common security issues such as cross site scripting (XSS) or SQL injections.

Change management

Every code change is signed, tracked in a versioning system and covered by a change management policy, which requires code review by a maintainer. Similarly publishing rights is reserved to a small list of maintainers.

Security whitepaper

We publish and maintain a security white paper for the product distributed to our customers, to help them evaluate the residual risks as per their threat model.

Cloud Security

Cloud Infrastructure Security

Our cloud services are hosted in Europe with Google Cloud Platform (GCP). They employ a robust security program with multiple certifications including ISO 27001, ISO 27017, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, PCI DSS. (Ref.).

Our site reliability team uses an extensive set of systems in order to provide security in depth. All the components of our infrastructure are designed to be redundant with multiple layers of failover. All our development, test or production environments are segmented on several isolated networks and where applicable different projects. Default passwords are removed and all non necessary services are removed or disabled. All our infrastructure is automated and defined as code. We have hardened, consistent, tested, reproducible builds for our all servers. Server secrets and credentials are encrypted using keys stored in a secure storage service and can be rotated on demand.

We use several layers of firewalls, including a web application firewall (WAF) to detect and restrict suspicious or undesirable traffics, as well as regular firewalls to further restrict access.

Data Hosting Security

All of our data is hosted on Google Cloud Platform (GCP) databases. These databases are all located in the Europe. For the cloud product, each of the customers workspace data is logically separated in individual databases.

We hold the data for as long as a customer chooses to use the service. Once they terminate their Passbolt cloud account the data are automatically deleted from our backups within 6 weeks.

Encryption at Rest

All the cloud data, including the backups, is encrypted at rest using 256-bit Advanced Encryption Standard (AES) with keys stored in a secure storage system.

Encryption in Transit

All customer data transmitted to our servers is protected using strong encryption protocols such as TLS. We ensure encryption of communication not only between the customer and our servers but also internally between all parts of our systems. We maintain and review using automated tools a list of acceptable TLS encryption algorithms.

Vulnerability Scanning

We perform vulnerability scanning and actively monitor for new threats. We use static code analyser tools and software dependencies scanners to detect issues and vulnerabilities.

Logging and Monitoring

We actively monitor and log various cloud services. We use an intrusion detection system (IDS) to detect and notify in case of unauthorised access to servers. We regularly review alerts from these systems as well as application logs monitor abnormal or suspicious activities.

Business Continuity and Disaster Recovery

We use redundant monitoring tools with real time notifications to alert the team in the event of any failures affecting users, to notify downtime, performance issues and abnormal activities. We rely on trustworthy security service providers to prevent DDoS attacks on our servers.

We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. Additionally we run incremental backups everyday. All backups are scheduled, encrypted, tracked and tested regularly. We regularly perform disaster recovery tests with unique scenarios.

We also recommend our customers to schedule regular backups of their data using export features.

Incident Response

We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication. The users can check service availability through a dedicated status page. The users can check for incident response on dedicated incident pages.

Access Security

Permissions and Authentication

Where available we have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies to ensure access to cloud services are protected.

Access to cloud infrastructure and other sensitive tools are limited to authorized employees who require it for their role. Access to test, staging and production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Only a minimal number of individuals have access to the production environments.

For email, Our DMARC policy uses SPF and DKIM to verify that messages are authentic.

Least Privilege Access Control

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to reduce the risk of data exposure.

Quarterly Access Reviews

We perform quarterly access reviews of all team members with access to sensitive systems.

Endpoint Security

We require every employee's workstations and mobile devices to be selected from a short list of respectable and officially supported devices and operating systems. They must be set up to be automatically kept up to date and with data encryption at rest. Workstation must have an up to date firewall and anti-virus software installed. Employees' workstations must be set to automatically lock when they are idle. Mobile devices used for business purposes are individually reviewed to ensure they meet our security standards.

Password Requirements

All employees must use a password manager and use it to generate strong unique passwords. They must have a strong master passphrase. Employees are provided with a physical security token to be used for second factor authentication.

Password Managers

All company members use our flagship product, passbolt, a password manager for team members to manage passwords and maintain password complexity.

Physical Security

Access to building and facilities are controlled and limited via the use of access cards. Dedicated staff is available at the reception to orient and control access of visitors during work hours. Access is monitored using CCTV cameras. Each collaborator is provided with an access card to access the office space. Each visitor of the office space must be accompanied by an employee at all times.

Further sensitive documentation, such as employee files are stored in secure storage space requiring a separate set of keys and only provided to selected C-level executives.

Vendor and Risk Management

Annual Risk Assessments

We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud. We do background checks and a risk assessment of our consultants and service providers as part of our procurement processes.

Vendor Risk Management

Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor. Where applicable we request them to agree to our General Terms and Conditions of Purchase and Contracting, or alternatively make sure that their general terms and conditions / our contract with them, enforce them to maintain the highest possible level of confidentiality and privacy when it comes to sensitive and personal data protection.

We make sure all of our service providers that have access to personal data are certified according to industry security standards and compliance instruments such as ISO27001, PCI-DSS, SOC 2 that enforce strict procedures for both physical and digital security.

As part of our Data Protection Agreement we maintain the list of approved data processors with the processors activities, type of personal data, location, implemented safeguards and data transfer mechanism.

Last udpated: the 7th of May 2021.