Security Whitepaper
Effective date: July 20th, 2019
You can find a high-level overview of our Privacy and Terms of Service here.
Our Mission
Technology has transformed retail over the past decade. It’s moved from a product-centric to a consumer-centric world: consumers want to form a relationship and the products they buy are extensions of who they are.
At FeatherX, we are driven by the values and the mission of the brands we work with, side by side, to help solve their biggest challenge - building brand trust and customer loyalty.
In Maslow’s pyramid of basic human needs, after food, air, and water, the next most crucial needs are to be loved and to be understood. With everything we build here at FeatherX, we aim to make your customers feel: “This brand gets me like no other.”
We place a strong emphasis on making sure that our values and incentives are aligned with the brands we work with. We don’t sell customer and purchasing data. We want to grow with our partners. To this end, we understand that brands highly value their customer data, and at FeatherX we design platforms and applications to meet a high bar of security requirements as well as exceed relevant industry security protocols and standards. We're committed to being transparent about our security practices and helping you understand our approach.
People Security
All FeatherX employees are required to understand and follow internal policies and standards. Background checks are performed to screen all employees. Security training is mandated as part of the onboarding process. Topics covered include device security, acceptable use, preventing spyware/malware, physical security, data privacy, account management, and incident reporting, among others.
Application Security
Secure Software Development Lifecycle
Best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to FeatherX source code repositories requires strong credentials and two-factor authentication.
Secure by Design
All features are reviewed by a team of engineers as soon as they are conceived. Members of the FeatherX team have substantial experience working with and building secure technology systems. We believe in making every feature “secure by design”, hence we plan all functionalities with security in mind to protect the platform against security threats and privacy abuses.
We leverage modern browser protections, such as Content Security Policy (CSP) and HTTP security headers, to prevent Cross-Site Scripting (XSS), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
Security Testing
Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.
Authentication
FeatherX allows users to log in with Shopify accounts using OAuth 2.0, the industry standard for authorizing secure access to external apps without exposing their account credentials. FeatherX does not receive or store user passwords when using OAuth. We implement the most secure version of the OAuth 2.0 authorization code grant to mitigate attacks that could leak the user's access token. Both access tokens and refresh tokens are encrypted at rest using AES-128 encryption.
This login feature has been extensively tested by an independent security testing company against common OAuth attacks, including but not limited to Cross-Site Request Forgery (CSRF) and misconfigurations of the redirect URL.
FeatherX encrypts Microsoft Exchange credentials at rest using AES-128 encryption and in transit using Secure Sockets Layer (SSL)/Transport Layer Security (TLS 1.2). Credentials are only accessed when communicating with the customer's Microsoft Exchange server using Microsoft's Exchange Web Services API. Users can revoke access from FeatherX at any time and request all their data in FeatherX to be deleted.
Network Security
Encryption in transit
To protect data in transit between FeatherX's apps and our servers, FeatherX uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. SSL/TLS is further used to encrypt the traffic between FeatherX servers and FeatherX databases within the same data center. FeatherX monitors the changing cryptographic landscape and upgrades its cipher suite settings as the risks change.
In our web application, we flag all authentication cookies as Secure and enable HTTP Strict Transport Security (HSTS) with "includeSubDomains" and "preload" enabled. Our web domain is included in the HSTS Preload list for all major browsers, which is maintained at https://hstspreload.org/. Together with SSL/TLS and FeatherX public certificates, HSTS protects against man-in-the-middle attacks and ensures that FeatherX apps only communicate with FeatherX servers.
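A check for the header and cookie settings described above, as an added example that is not FeatherX's own code. It audits one HTTPS response for the HSTS directives the preload list requires and for the Secure flag on authentication cookies; the cookie name `session` and the sample responses are assumptions constructed for illustration, and the one-year minimum `max-age` is the requirement published at hstspreload.org.

```python
MIN_PRELOAD_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, set_of_flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        else:
            flags.add(name)
    return max_age, flags

def audit_response(headers, auth_cookie_names):
    """Return a list of findings for one HTTPS response.
    headers: list of (name, value) pairs, so repeated Set-Cookie lines survive."""
    findings = []
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        max_age, flags = parse_hsts(hsts[0])  # RFC 6797: only the first header counts
        if max_age is None or max_age < MIN_PRELOAD_MAX_AGE:
            findings.append("HSTS max-age below one year")
        for needed in ("includesubdomains", "preload"):
            if needed not in flags:
                findings.append(f"HSTS lacks {needed}")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower().split("=", 1)[0] for a in v.split(";")[1:]}
        if name in auth_cookie_names and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
WEAK = [("Strict-Transport-Security", "max-age=86400; includeSubDomains"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "theme=dark; Path=/")]

if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_response(resp, {"session"}))
```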
Network Isolation
FeatherX divides its systems into separate networks using logically isolated Virtual Private Clouds in Amazon Web Services data centers. This setup protects sensitive data by providing isolation between machines in different trust zones. Systems supporting testing and development activities are hosted in a separate network from systems supporting FeatherX's production website. Customer data only exists and is only permitted to exist in FeatherX's production network, its most tightly controlled network.
Network access to FeatherX's production environment from open, public networks (the Internet) is significantly restricted. Only network protocols essential for making FeatherX's service work are open at FeatherX's perimeter. All network access between production hosts is restricted using security groups to only allow authorized services to interact in the production network.
Our infrastructure and applications are monitored using standard health checks and log watchers. This helps detect systems that are malfunctioning as well as potential intrusions. Our on-call engineering team is responsible for investigating and addressing issues as they emerge.
Physical Security
Data center security
FeatherX leverages Amazon Web Services (AWS) data centers for all production systems and customer data. AWS offers state-of-the-art physical protection for the servers and complies with an impressive array of standards. For more information on AWS Data Center Physical Security, see the AWS Security Whitepaper.
Office and Digital Equipment Security
A set of policies and procedures has been implemented to address the security posture of our workstations and laptops. All employee computers comply with these standards for device security. We require computers to have strong passwords, full disk encryption and automatic lock when idle.
Data Security
We are committed to the goals of confidentiality, integrity, and privacy of our customer data by employing a multifaceted approach to data security.
Encryption at rest
All data at rest in FeatherX's production network is encrypted using 256-bit Advanced Encryption Standard (AES). FeatherX leverages AWS Key Management Service (KMS) to manage encryption keys. Keys are never stored on disk, but are delivered at process start time and retained only in memory while in use. The most sensitive customer data, such as transaction data, contracts, and access tokens, is further encrypted in our database and in-memory stores such that the plaintext never exists on FeatherX databases at any point in time. To ensure the security of our database, encryption keys are rotated regularly.
While analyzing the data, the transaction-level data is fully anonymized and aggregated so as to ensure that the transactions cannot be linked to any customer. This ensures that we can continue to deliver immense value while fully respecting the integrity of your data.
Employee Access to Customer Data
No customer data persists on employee laptops. We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, all actions taken by the authorized employee are logged. Upon termination of work at FeatherX, all access to FeatherX systems is immediately revoked.
Audit Trails
All actions taken to make changes to the infrastructure or to access customer data for specific business needs are logged for auditing purposes. In order to protect end user privacy and security, only a small number of engineers on the infrastructure team have direct access to production servers and databases.
Employee Authentication
Every FeatherX employee is provided with a secure password manager account and is required to use it to generate, store, and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviors that reduce security. All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private Network (VPN), and two-factor authentication is used to shield mission-critical systems.
Server Hardening
Servers deployed to production, as well as bastion hosts used to access production servers, are hardened by disabling unnecessary and potentially insecure services, removing default passwords, and applying FeatherX's custom configuration settings before use. We set up our systems following the Center for Internet Security (CIS) Benchmark recommendations. CIS Benchmarks are consensus-based configuration guidelines developed by experts in US government, business, industry, and academia to help organizations assess and improve security.
Privacy features
FeatherX is built upon being able to store all the user generated content that exists on different social channels like Instagram, Facebook, and all review systems. A set of administrators are given access to upload, sync and moderate this content.
The administrators can choose which particular set of reviews and photos is allowed to be shown on the widget. The API that powers the widget is read-only and does not allow any malicious third party to access your protected customer data.
Legal
Compliance
Compliance with applicable regulations, standards and industry best practices protects us and our customers' sensitive information in ways that are testable and verifiable.
FeatherX is hosted in Amazon Web Services (AWS) data centers, which are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001 and PCI DSS. More information can be found here.
Disaster Recovery and Business Continuity
FeatherX customer data is regularly backed up each day to guard against data loss scenarios. All backups are encrypted both in transit and at rest using strong industry encryption techniques. All backups are also geographically distributed to maintain redundancy in the event of a natural disaster or a location-specific failure. FeatherX uses third-party monitoring services to track availability, with engineers on call to address any outages.
FeatherX is set up to operate from geographically distributed locations. By leveraging cloud resources, FeatherX infrastructure and customer support teams can support your business at any time.
Contacting the company
We take security seriously at FeatherX. Customers using our service expect their data to be secure and confidential. Safeguarding this data is a critical responsibility we have, and we work hard to maintain that trust.
If, after reading this whitepaper, you have any further questions, please don't hesitate to contact our CEO directly at tanay@featherx.ai.