We know the value of security and treat it as an integrated part of our product development process. This ensures that the highest security standards are always built into everything we create.
ISO 27001 certification
Nblocks is certified according to ISO/IEC 27001:2013, an internationally recognized standard that provides a framework for information security management.
By undergoing the certification process, we implemented an information security management system that meets international standards, which ensures Nblocks follows industry best practices for managing the security and confidentiality of information and data.
A great milestone and a symbol of our ongoing commitment to data security and privacy protection.
Nblocks is hosted in a Virtual Private Cloud (VPC) in Amazon Web Services (AWS). AWS data centers practice the highest standards in both physical and digital protection against data breaches and are certified with ISO 27001 amongst others. More information about the Data Protection of AWS can be found at https://aws.amazon.com/compliance/data-protection/
All application and database data, both in transit and at rest, is encrypted, and the only entry points to Nblocks infrastructure from the outside world are ports 80 and 443. The sole purpose of port 80 is to gracefully redirect traffic to the encrypted HTTPS port 443. Data in transit over open networks is encrypted using HTTPS/TLS.
On the infrastructure level, access to production environments with databases and file storage is completely restricted. Only system administrators who are responsible for operation and maintenance can temporarily access data, and only within a set time window, from a set geographical place and with a set key pair. This access is granted case by case by the CTO.
We use an independent third party that continuously monitors our applications for known weaknesses and vulnerabilities. We also use AWS Trusted Advisor to scan and keep the infrastructure protection up to date.
Nblocks reviews its frameworks and updates on a recurring basis with a monthly security review. Vital patches and upgrades are prioritized in our 2-week sprint schedule, and our team can initiate an escalated update of the system if a critical update is released from any framework used.
We work with code reviews, automated tests and vulnerability scans. The software includes automated tests that exercise known ways of penetrating the software and try to access resources to which access should not be granted. Every code change is reviewed from a security perspective and only the CTO can approve a code change for a production release.