Data at rest
All databases use a so-called "at rest" encryption. This means that data can only be read if proper authentication takes place on the respective database system. The ﬁles in which the data is stored are stored in encrypted form so that they can only be read by database systems that have the appropriate decryption key. Userlane strives to keep its systems up to date with the newest and most secure encryption algorithms. The standard algorithm for encrypting data at rest is currently AES256. Encryption keys are securely managed by Microsoft Azure using Key Vault.
Data in transit
Userlane applies transport encryption whenever data has to be transmitted over an insecure or public network (e.g. outside the virtual private cloud). The type of transport encryption depends on the encryption requested by the client system. Userlane uses HTTPS connections with 256-bit SSL certiﬁcates and TLS version 1.2 or newer for all communications with clients. This ensures that data is protected against interception or modiﬁcation.
Selection of encryption algorithms
Userlane follows the NIST standards for selecting strong encryption algorithms and approving built-in encryption used by a Userlane subprocessor.
Read the NIST SP 800-175B guidelines
Segregation of trafﬁc in multi-tenant environment
Userlane’s Cloud systems implement multi-tenancy in a shared cluster. Multiple customers are served from a single cluster. Tenant separation is enforced on a logical level, not on a physical level. Userlane ensures strict tenant separation through the following measures:
Input sanitization and pre-built queries
Use of frameworks
Extensive manual and automated testing
Penetration testing (see below)
Userlane works with Azure Network Security Groups to ensure that services running within the Azure environment are accessible only to the networks that need it. Access to network ports of various services is restricted to the extent that access is only possible through services that need access.
Userlane works with recognized security experts and researchers. Together we aim for the highest possible security of our systems.
We perform penetration tests on a yearly basis. Our contractor Cobalt maintains a core of 200+ highly vetted, certiﬁed security researchers.
Upon performing each penetration test, Cobalt provides Userlane with a report containing the list of detected vulnerabilities along with recommended ﬁxes. Userlane commits to implement ﬁxes depending on the severity of the vulnerability. The timeline for such ﬁxes is set as follows:
Critical vulnerabilities: Fix immediately
High vulnerabilities: Fix within 30 days
Medium vulnerabilities: Fix within 60 days
Once a ﬁx is implemented, the vulnerability is re-tested. The cycle is repeated until all vulnerabilities are conﬁrmed to be ﬁxed.
Userlane uses various monitoring tools to ensure maximum availability, performance and security of the application. The monitoring includes but is not limited to the following parameters:
Availability of the application
Accessibility of backend systems and services
Utilization of network interfaces
Utilization of persistent and volatile storage
Response times of the application
Response times of backend systems
Query times for database contents
Update status of systems
Userlane drives continuous backups of databases. With those database systems that support it, the database state can be restored to a previous state down to the second. Other databases are backed up regularly, e.g. every 24hrs. The backups are stored in the same datacenter region, but a different availability zone. Backups are retained for 30 days. These backups are treated as sensitive data. Only speciﬁc personnel can access these backups after an internal authorization process.