We take our security responsibility seriously and the following details our approach and processes to ensure your data is secured.
At a high level, we implement a combination of preventative and detective measures in conjunction with our process, controls and tools that mitigate risks.
Curio hosts all customer-facing web applications and supporting infrastructure on Amazon Web Services (AWS). AWS infrastructure is highly stable, fault-tolerant, and secure. AWS publishes an insightful security white-paper that describes how AWS implemented physical security and environmental protection mechanisms to protect AWS data centres throughout the world.
Curio relies on AWS’ ability to design and operate these critical mechanisms and controls to protect physical access to data and availability of Curio’s services. AWS data centres utilise state-of-the-art electronic surveillance and multi-factor access control systems. Data centres are staffed 24x7 by trained security guards and access is authorised strictly on a least-privilege basis. Environmental systems are designed to minimise the impact of disruptions to operations.
All Palette servers, including application and database servers, are isolated from the public internet within private subnets within AWS. Operating system, server software and database software are continuously patched and monitored for updates and security fixes by AWS.
All system logging is done using AWS CloudTrail. We use AWS GuardDuty to monitor VPC flow logs and for threat detection and continuous monitoring. No sensitive information / PII is logged.
The AWS cloud infrastructure provides extensive network and security monitoring systems to protect the production environment and its data. These systems protect against:
· Man In the Middle (MITM) Attacks: All AWS APIs are available via SSL-protected endpoints that provide server authentication using signed SSL certificates.
· Port Scanning: When port scanning is detected, it is logged and investigated.
· Virtual Private Cloud: Curio utilises VPCs in order to further segment, protect, and isolate network traffic.
· Intrusion Prevention: Curio uses AWS GuardDuty to alert and inform on security incidents occurring against Curio’s services hosted in AWS.
Maintaining data, application and infrastructure security is an ongoing process for our team. Our engineering and development processes incorporate secure coding practices and security testing. All code in the Palette application must go through a developer peer review process before it is merged into the code base repository. This code review includes security auditing based on the Open Web Application Security Project (OWASP) secure coding and code review documents and other community sources on best security practices.
Peer reviews of all source code changes are mandatory and conducted for each change to the code base to detect and correct any bugs, security flaws, and any other code defects. Changes to code must be validated by peer review before the code is approved and committed to the code base repository.
Our engineering team also utilises automated tools that detect vulnerabilities in the code base or in third-party packages that the code may use.
Transport Layer Security (TLS) is used for all data in transit from browsers to Palette servers.
Data is encrypted at rest using AWS KMS and AES-256 encryption.
All data access in Palette is handled via our APIs and this includes any sensitive data that might be captured in Palette. Palette APIs are secured and encrypted with TLS and endpoints can only be accessed using the HTTPS protocol. SSL protects data from ‘Man In The Middle’ attacks.
API endpoints that contain administrative or sensitive elements are only accessible to authorised users. These endpoints are secured by OAuth2. Users authenticate using a client ID and secret, which are exchanged for an access token that is used to access the API.