
Advanced technical and organisational security mechanisms of Basking.io

Data and IT security at Basking is our highest priority. We have made enterprise-grade data security one of our main benefits and key differentiators by using advanced security mechanisms to ensure the highest level of security, reliability, redundancy, and scalability. Our AI- and Wi-Fi-based workplace occupancy analytics platform is enterprise-ready!


This article describes the technical and organisational security mechanisms in place to ensure the maximum IT security standards.


SOC 2 Type II is at the center of our security mechanisms. Basking has been certified by Prescient Assurance, and the SOC 2 Type II audit report can be accessed upon request.

Technical Security Mechanisms

Technical security mechanisms are technical techniques and tools used by Basking that are required to increase the security of our system at different levels.

– Full Encryption

At Basking, we encrypt all data in transit and at rest. Our encryption standard uses the symmetric authenticated algorithm AES-256-GCM. We use AWS KMS to store the encryption keys.
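How AES-256-GCM envelope encryption of the kind described above fits together, as an added example that is not Basking's code. A locally generated key-encryption key (KEK) stands in for the KMS-held key, which is an assumption of this example; a real deployment would ask KMS to generate and unwrap the data key rather than holding the KEK in process. A fresh per-record data key encrypts the payload, the KEK encrypts only that data key, and the GCM additional authenticated data binds each record to a tenant identifier so that a ciphertext cannot be opened under another tenant's context or after any byte has been altered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope holds one ciphertext plus the metadata needed to decrypt it.
// In AWS the WrappedKey would be the CiphertextBlob returned by KMS
// GenerateDataKey; here it is wrapped under a local KEK (assumption).
type Envelope struct {
	WrappedKey []byte // nonce || data key encrypted under the KEK
	Nonce      []byte // 12-byte GCM nonce for the payload
	Ciphertext []byte // payload ciphertext with the GCM tag appended
	AAD        []byte // authenticated but unencrypted context, e.g. tenant id
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad to the tag.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// Encrypt performs envelope encryption: a random 256-bit data key encrypts
// the payload and the KEK encrypts only the data key.
func Encrypt(kek, plaintext, aad []byte) (*Envelope, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	kn, wrapped, err := seal(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	n, ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: append(kn, wrapped...), Nonce: n, Ciphertext: ct, AAD: aad}, nil
}

// Decrypt unwraps the data key, then the payload. Any modified byte of the
// ciphertext, nonces, wrapped key or AAD makes the GCM tag check fail.
func Decrypt(kek []byte, e *Envelope) ([]byte, error) {
	g, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(e.WrappedKey) < ns {
		return nil, errors.New("wrapped key too short")
	}
	dataKey, err := g.Open(nil, e.WrappedKey[:ns], e.WrappedKey[ns:], e.AAD)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, e.Nonce, e.Ciphertext, e.AAD)
}

func main() {
	kek := make([]byte, 32) // stand-in for the KMS-held key (assumption)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := Encrypt(kek, []byte("occupancy sample"), []byte("tenant=acme"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate a corrupted or tampered record
	_, err = Decrypt(kek, env)
	fmt.Println("after tampering:", err)
}
```

The data key never leaves the process in the clear, and rotating the KEK only requires re-wrapping the small data keys rather than re-encrypting every payload, which is the property that makes key storage in KMS practical at scale.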

– Automatic Backups

Basking makes several automated backups at different steps in our data processing pipeline. This ensures quick and seamless recovery from a possible failure.

Backups are kept within the same private network and are never sent through the internet. They are also encrypted using our strong encryption standard.

– Serverless Architecture

Our serverless architecture is very efficient, flexible and easy to manage. It is built following AWS’ Well-Architected Framework and has the following major benefits:

  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimisation

Especially on the security side, the serverless architecture enables us to delegate many of the critical security topics to AWS, as described in the shared responsibility model. Under this model, AWS is responsible for the security of the cloud, which covers everything from the physical servers and storage to the managed services AWS offers.

– Private Network + Strong Gate Keeper

Our entire data processing pipeline and storage are fully decoupled from the internet. All systems live and communicate within a private network.

The only access from the internet is through our API Gateway, which accepts only encrypted HTTPS connections. The API Gateway is additionally protected by AWS Shield, a managed DDoS protection service.

API Gateway is built with security and resilience in mind and uses AWS’ vast IT infrastructure capabilities to scale horizontally and follow the demand.

Management access to the cloud is possible only for selected employees and works only through an encrypted SSH tunnel from whitelisted IP addresses.

– Regular Third-Party Vulnerability Tests

Basking works with Intruder.io, a cybersecurity company specialised in vulnerability scanning and finding cybersecurity weaknesses. Intruder.io scans the Basking systems continuously and issues alerts when a security weakness has been found.

Feel free to get in contact if you require the automated vulnerability assessment results.

– Regular Third-Party Penetration Tests

Our IT security partner Intruder.io performs regular penetration tests on our infrastructure. They test our app, APIs, and other relevant endpoints. We fix all vulnerabilities found according to their criticality, as stipulated in our remediation plan.

Feel free to get in contact if you require the penetration test results.

– Strong Passwords and MFA for the admin interface

All access to our systems is secured with strong passwords with strict expiration dates. MFA is mandatory. Additionally, user-specific passwords are not shared among employees.

– Automatic Logout with Customizable Idle Time

Basking offers an automatic logout mechanism for idle users in order to increase cyber security. Once a user is logged out, their tokens are invalidated and only the username and password can be used to log in again.

The logout time can be configured independently by organizations.
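One way to implement the idle logout described above, as an added example that is not Basking's code. The session store, the per-organisation timeout table and the token format are this example's own assumptions; credential checking happens elsewhere and is out of scope. The point being demonstrated is that session state lives server-side, so an idle token is deleted at the moment it is found expired and cannot be revived by a later request, and that an explicit logout has the same effect.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrSessionInvalid is returned for unknown, logged-out or idle-expired tokens;
// the caller must require a fresh username/password login.
var ErrSessionInvalid = errors.New("session invalid or expired, log in again")

type session struct {
	org      string
	lastSeen time.Time
}

// Store keeps session state server-side so a token can be invalidated
// regardless of what the client still holds.
type Store struct {
	mu          sync.Mutex
	sessions    map[string]*session
	orgIdle     map[string]time.Duration // per-organisation idle limit (assumed config)
	defaultIdle time.Duration
}

func NewStore(defaultIdle time.Duration) *Store {
	return &Store{
		sessions:    map[string]*session{},
		orgIdle:     map[string]time.Duration{},
		defaultIdle: defaultIdle,
	}
}

// SetOrgIdleTimeout lets each organisation choose its own logout time.
func (s *Store) SetOrgIdleTimeout(org string, d time.Duration) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.orgIdle[org] = d
}

// Login issues a 256-bit random bearer token; it is called only after the
// username and password have been verified elsewhere.
func (s *Store) Login(org string, now time.Time) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = &session{org: org, lastSeen: now}
	return token, nil
}

// Touch is called on every authenticated request. An idle token is deleted
// before the error is returned, so it stays dead even if a later request
// carries an earlier timestamp.
func (s *Store) Touch(token string, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return ErrSessionInvalid
	}
	limit, ok := s.orgIdle[sess.org]
	if !ok {
		limit = s.defaultIdle
	}
	if now.Sub(sess.lastSeen) > limit {
		delete(s.sessions, token)
		return ErrSessionInvalid
	}
	sess.lastSeen = now
	return nil
}

// Logout invalidates a token explicitly (user-initiated logout).
func (s *Store) Logout(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, token)
}

func main() {
	t0 := time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC) // constructed clock
	s := NewStore(15 * time.Minute)
	s.SetOrgIdleTimeout("acme", 5*time.Minute)
	tok, _ := s.Login("acme", t0)
	fmt.Println("4 min idle:", s.Touch(tok, t0.Add(4*time.Minute)))
	fmt.Println("6 min idle:", s.Touch(tok, t0.Add(10*time.Minute)))
	fmt.Println("replay after expiry:", s.Touch(tok, t0.Add(5*time.Minute)))
}
```

Passing the clock in as a parameter keeps the expiry logic testable; in production the caller would pass the current time on each request.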

– CI/CD Deployment Pipeline

Our CI/CD practice enforces automation throughout development and deployment. This automation includes automatic static code analysis, manual code review by management, and QA. All new features must pass these stages before they are released.

At Basking, we release new versions of our software continuously, which allows us to stay on top of potential security issues.

– Automatic Code Reviews

Every deployment of code and architecture undergoes a series of automatic and manual code reviews to ensure compatibility. The checks include:

  • Static lint and code review
  • Automatic test routines
  • Code review by management
  • QA

– Architecture as Code Principle

We treat our infrastructure as code, and it follows the same CI/CD Deployment Pipeline.

– Centralised logs, Dashboards and Alerts

Finally, keeping an eye on our infrastructure is essential. Since all our logs are centralised, we can use tools like AWS CloudWatch to visualise the key metrics and issue alerts when anomalies (deviations from expected behaviour) occur.
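What an anomaly rule over centralised API logs can look like, as an added example that is neither Basking's code nor a CloudWatch configuration. The log record fields and the constructed sample lines below are this example's own assumptions. Two simple deviations from expected behaviour are checked per one-minute window: a server-error ratio above a baseline, and a burst of authentication denials from a single source address; either one would be the trigger for an alert.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// entry is the assumed shape of one access-log record (not a documented schema).
type entry struct {
	TS     time.Time `json:"ts"`
	Status int       `json:"status"`
	Path   string    `json:"path"`
	IP     string    `json:"ip"`
}

// Alert describes one deviation found in one window.
type Alert struct {
	Window time.Time
	Rule   string
	Detail string
}

type bucket struct {
	total, server5xx int
	denied           map[string]int // 401/403 responses per source IP
}

// Thresholds are illustrative; a real deployment would tune them to its traffic.
const (
	minRequests    = 5
	maxErrorRatio  = 0.2
	maxDeniedPerIP = 5
)

// SampleLogs is constructed input: a window with failing requests, a window
// with repeated denials from one address, and a quiet window.
const SampleLogs = `
{"ts":"2024-01-01T10:00:05Z","status":200,"path":"/v1/occupancy","ip":"10.0.0.1"}
{"ts":"2024-01-01T10:00:10Z","status":503,"path":"/v1/occupancy","ip":"10.0.0.2"}
{"ts":"2024-01-01T10:00:20Z","status":200,"path":"/v1/floors","ip":"10.0.0.3"}
{"ts":"2024-01-01T10:00:30Z","status":503,"path":"/v1/occupancy","ip":"10.0.0.1"}
{"ts":"2024-01-01T10:00:40Z","status":200,"path":"/v1/floors","ip":"10.0.0.4"}
{"ts":"2024-01-01T10:00:50Z","status":200,"path":"/v1/occupancy","ip":"10.0.0.2"}
{"ts":"2024-01-01T10:01:01Z","status":401,"path":"/v1/login","ip":"10.0.0.9"}
{"ts":"2024-01-01T10:01:02Z","status":401,"path":"/v1/login","ip":"10.0.0.9"}
{"ts":"2024-01-01T10:01:03Z","status":401,"path":"/v1/login","ip":"10.0.0.9"}
{"ts":"2024-01-01T10:01:04Z","status":403,"path":"/v1/login","ip":"10.0.0.9"}
{"ts":"2024-01-01T10:01:05Z","status":401,"path":"/v1/login","ip":"10.0.0.9"}
{"ts":"2024-01-01T10:02:00Z","status":200,"path":"/v1/occupancy","ip":"10.0.0.1"}
{"ts":"2024-01-01T10:02:10Z","status":200,"path":"/v1/floors","ip":"10.0.0.3"}
`

// Evaluate groups JSON log lines into one-minute windows and returns the
// alerts for every window that deviates from expected behaviour, in time order.
func Evaluate(logs string) ([]Alert, error) {
	buckets := map[time.Time]*bucket{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		w := e.TS.UTC().Truncate(time.Minute)
		b := buckets[w]
		if b == nil {
			b = &bucket{denied: map[string]int{}}
			buckets[w] = b
		}
		b.total++
		if e.Status >= 500 {
			b.server5xx++
		}
		if e.Status == 401 || e.Status == 403 {
			b.denied[e.IP]++
		}
	}
	windows := make([]time.Time, 0, len(buckets))
	for w := range buckets {
		windows = append(windows, w)
	}
	sort.Slice(windows, func(i, j int) bool { return windows[i].Before(windows[j]) })

	var alerts []Alert
	for _, w := range windows {
		b := buckets[w]
		if b.total >= minRequests && float64(b.server5xx)/float64(b.total) > maxErrorRatio {
			alerts = append(alerts, Alert{w, "5xx-ratio", fmt.Sprintf("%d of %d requests failed", b.server5xx, b.total)})
		}
		ips := make([]string, 0, len(b.denied))
		for ip := range b.denied {
			ips = append(ips, ip)
		}
		sort.Strings(ips) // deterministic output order
		for _, ip := range ips {
			if n := b.denied[ip]; n >= maxDeniedPerIP {
				alerts = append(alerts, Alert{w, "auth-denied-burst", fmt.Sprintf("%d denials from %s", n, ip)})
			}
		}
	}
	return alerts, nil
}

func main() {
	alerts, err := Evaluate(SampleLogs)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-18s %s\n", a.Window.Format(time.RFC3339), a.Rule, a.Detail)
	}
}
```

A managed service such as CloudWatch would evaluate an equivalent metric filter and alarm; expressing the rule in code makes explicit what "expected behaviour" means and lets the thresholds be reviewed alongside the rest of the infrastructure.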

Organisational Security Mechanisms

– Strong, Comprehensive, and GDPR compliant Data Processing Agreement

Our Data Processing Agreement is the centrepiece of our services. It defines the boundary of what we do and how we do it. It demands strict data privacy mechanisms such as pseudonymisation and anonymisation. By applying these mechanisms, Basking significantly reduces the risk associated with the data we process.

– Principle of Least Privilege

The principle of least privilege is important to limit access to key components to only those employees or systems that explicitly require it. We make extensive use of access policy documents in our infrastructure and define different access levels and restrictions for each service we use.

– Strong Internal IT Security Policy

Our employees and third-party contractors must follow our strong security policy. It governs the way we work and the tools we use, and it is in line with modern security practices.

– Employee and Partner Training

Basking employees and partners are trained during their onboarding in the topics of data privacy and IT security. Training is also repeated regularly to ensure that all existing and new policies are understood and implemented.

Your IT Security Review

Usually, our customers’ IT security teams will require more details to perform a full IT security review of Basking. We are here to help, so please don’t hesitate to contact us.
