All around the world, forward-looking organizations across private and public sectors depend everyday on Holaspirit to keep their information safe and secure. We understand the importance of safeguarding this data at all cost, which is why we take security, availability, privacy, and most of all, transparency, very serious. This document will provide you with all the ins and outs of the way in which we approach security. If you have any questions whatsoever, please contact us.
All application code is stored on the Git code management repositories on the Github SAAS service.
All stored data is considered to be the exclusive property of your organization. This entails that only registered members -- part of the organization’s account -- own the exclusive right to access and consult company data.
- Data sealing is guaranteed by the software
- Our API is made in PHP on the Symfony framework
- The API relies on a ODM -- Doctrine -- to access the database. The Doctrine brick provides a so-called ‘filter’ mechanism for multi-client data management.
Deleting customer data
The owner of the platform can remove all data from the platform at any time. We delete the data immediately in a background task Backups of Holaspirit services are deleted within 1 year. The same goes out whenever you decide to delete your entire account – we do not store any deleted data on our servers.
Restitution of customer data
The owner of the platform can export all members, roles including all information and policies in Excel format. It’s also possible to export data using Holaspirit api.
- Before storage, all user password are encrypted by means of the SHA1 algorithm in combination with salt.
- Front-end applications -- website, desktop, and mobile applications -- authentication to the API in order to access data, is done via the OAuth 2 protocol
- Administrators can also integrate their Holaspirit platform with various SSO providers: Google or a service that provides SAML single sign-on (such as OneLogin, Okta)
Holaspirit provides detailed access logs which log every established connection to an account. Moreover, attributes such as the type of device used, and the respective IP address of connection, are automatically logged as well.
Logs of the servers are logged weekly and then saved for 1 year on a remote server. Server access logs are sent in real time to the OVH's Logs Data Platform with a 45-day retention.
The application logs are logged over 20 rolling days on the servers -- that is, the 21st day will then replace the oldest log. NewRelic's APM is used to analyze behavior and correct potential software anomalies. We're working on Prometheus, Alertmanager, Grafana with pushover integration.
In case of the unlikely event of any potential alert of escalation, the situation will be dealt with according to the level of severity. Please note that any potential incident will be treated as an immediate priority, regardless of its severity level. Furthermore, any potential software malfunctions reported by users are directly managed by our dedicated support team.
Lastly, for the sake of transparency, all incidents regarding Holaspirit status are shared on the Holaspirit status page.
Our service is being hosted and preserved in France, by Internet service provider OVH. The audited datacenter is considered to be at the highest level of security, SAS70 Type II certified, ISO27001, SOC 1, SOC 2 and SSAE16.
The servers are from OVH's public cloud; under Debian Linux 9 (Stretch). The Holaspirit software uses Nginx, PHP, MongoDB, and ElasticSearch in their latest stable version for Debian. All the services Mongodb, Elasticsearch, PHP are in specific Docker containers. The data is stored on SSDs. Servers are systematically reinstalled and all client data removed when a server is replaced at our host.
Each new Holaspirit release is tested on a staging environment, completely separated from the production environment. The same processes applies for deployment and software installations for both environments.
All the employee’s workstations are equipped with Mac OS or Linux operating systems in order to reduce virus risks.
Hostile attack prevention
OVH offers a protection service Anti-DDOS at the forefront. Firewalls are configured according to the approved industry standards -- complying with UFW IPTABLES rules.
Holaspirit supports the latest secure encryption suites and recommended protocols to encrypt all traffic.
- The transfer of data between Holaspirit and the users' workstations is secured via an AES-256 bit SSL certificate.
- Remote access to servers by our infrastructure teams is only possible with keys by means of SSH. SSH access by password is disabled.
We closely monitor the evolution of the cryptographic landscape and strive for quick upgrades to respond to emerging threats as they are discovered, whilst implementing best practices as they evolve.
Installations. Updates. Patches.
Our servers are updated continuously with the latest security patches.Server installations, updates, and software deployments are fully automated.
- The servers are installed via Ansible scripts. The scripts are tested regularly through a Vagrant machine.
- The software is automatically deployed as a Debian package sent by the CircleCi service when various automatic tests have been performed. Each deployment generates an artifact that allows a rollback on a specific version of the software. Putting into production is traced
A daily backup is made of the database on 7 days sliding on the server -- that is, the 8th day will then replace the oldest backup. Another backup is performed daily on OVH's object storage cloud, which allows a retention of 52 weeks.
The client files are replicated to OVH's object storage solution on a daily basis. They are saved on remote sites.
Hardware issues are managed by our infrastructure team. Escalation is managed with two vital tools.
- A Pingdom service which monitor the site through different places in the world
- A NewRelic alert system for software monitoring
The monitoring of Pingdom is accessible via holaspirit.statuspage.io.
The holaspirit.statuspage.io page is the primary means of communication that we use in case of a major incident or maintenance on the platform.
Performance and availability
The available bandwidth is 250 Mbps.
The performance of the platform and its availability are publicly made available on the page holaspirit.statuspage.io
Holaspirit staff members have high-level graduations and qualifications. They are trained in good practices on privacy and security.
External staff intervention
Only authorized OVH personnel can access the datacenter and network connectivity.
Monitoring and access control
We limit our staff to access certain services and data, as exclusively infrastructure and DevOps teams can access the production infrastructure. Each staff member can only access those services that are truly related to one’s job. What’s more, is that the access passwords of all the SAAS services are nominative.
In some specific and exceptional cases, an operation may require that a limited number of Holaspirit employees to be granted permission to access the customer data. For this particular case, the assessment of customer data may be required.