Knapsack Pro

What are your security practices? (Vendor Security Review / Due Diligence)

Here you can find all the information needed for your Vendor Security Review to ensure Knapsack Pro's security meets industry standards and best practices.

Terms and Conditions

Knapsack Pro's Terms and Conditions.

Personal Data

We, as your vendor, don't process your customers' data.

In GDPR terms, we are not a Processor of the personal data (of Data Subjects) for which your organization is the Controller.

See the details in the Privacy Policy.

Hosting and Database

Knapsack Pro is hosted on Heroku. Heroku's security policy at https://www.heroku.com/policy/security covers:

  • Security Assessments and Compliance
  • Penetration Testing and Vulnerability Assessments
  • Network Security
  • Data Security

The database is hosted by Amazon Web Services in Ireland, Europe (eu-west-1). In particular, Knapsack Pro uses the AWS Relational Database Service (RDS) with encryption at rest.

All connections to the Knapsack Pro API are protected with TLS (HTTPS; still commonly referred to as SSL).

PCI Compliant Payments

Knapsack Pro uses Braintree (braintreepayments.com) to encrypt and process credit card payments, so card data is handled by Braintree rather than by Knapsack Pro's own systems. This is what keeps Knapsack Pro PCI compliant.

We passed the vulnerability scan performed by SecurityMetrics for knapsackpro.com:

SecurityMetrics PCI validation certification logo

We passed the vulnerability scan performed by SecurityMetrics for api.knapsackpro.com:

SecurityMetrics PCI validation certification logo

Collected Data

Knapsack Pro client libraries collect a minimal amount of data about your project:

  • Branch name
  • Commit hash
  • Number of parallel CI nodes
  • CI node index
  • File paths of your tests (e.g., spec/models/user_spec.rb)
  • Test execution time
  • Masked user data for users triggering your CI builds or making git commits (e.g. Jo** Sm*** <jo**.sm***@ex*****.co*> for John Smith <john.smith@example.com>)

Additionally, you can encrypt test file paths and/or branch names on your CI node with a salt before they are sent to the Knapsack Pro API. The salt stays on your CI node, so only you can map the encrypted values back to the real test file paths or branch names.

Knapsack Pro does not have access to your project's source code or repository. Knapsack Pro admins can see the data listed above if you need help with debugging, but they cannot decrypt your data without the salt.
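As an added illustration (not the client library's own code), here is a Ruby sketch of the two client-side measures described above: masking the identity of the person who triggered the build or made the commit, and replacing test file paths with a salted digest that only the holder of the salt can map back. The sample payload and salt are constructed, and the choice of a salted SHA-256 digest is an assumption; the page does not state which algorithm the client uses.

```ruby
require "digest"

# Constructed sample payload (not real CI data): what a client would report
# for two test files, before any masking or hashing is applied.
SAMPLE_TEST_FILES = [
  { "path" => "spec/models/user_spec.rb", "time_execution" => 0.42 },
  { "path" => "spec/requests/sessions_spec.rb", "time_execution" => 1.07 },
].freeze

# Mask an identity string the way the page illustrates: each alphanumeric
# token keeps its first two characters and the rest become '*'. Separators
# such as spaces, '<', '>', '.' and '@' are kept so the shape stays readable.
# Tokens of one or two characters are masked entirely (my choice; the page
# only shows longer tokens) so that no short token leaks in full.
def mask_identity(identity)
  identity.gsub(/[[:alnum:]]+/) do |token|
    if token.length > 2
      token[0, 2] + "*" * (token.length - 2)
    else
      "*" * token.length
    end
  end
end

# Salted SHA-256 digest. Without the salt the digest cannot be reversed, and
# the salt never leaves the CI node, so the vendor only ever sees digests.
# (Assumption: the client's "encryption" is a salted digest; the page does
# not specify the algorithm.)
def salted_digest(salt, value)
  Digest::SHA256.hexdigest(salt + value)
end

# CI-node side: replace every test file path by its salted digest.
# Execution times stay in clear text because the server needs them to
# balance the split; they reveal nothing about the path itself.
def encrypt_test_files(test_files, salt)
  test_files.map { |tf| tf.merge("path" => salted_digest(salt, tf["path"])) }
end

# Customer side: the API returns digests. Whoever holds the salt and the
# repository rebuilds the mapping by digesting every local test file path
# and looking the returned digests up in that table. A digest that matches
# nothing (file renamed or deleted since the run, or a wrong salt) is kept
# as-is and flagged, so the caller can see what could not be resolved.
def decrypt_test_files(encrypted_files, salt, local_test_paths)
  lookup = local_test_paths.to_h { |path| [salted_digest(salt, path), path] }
  encrypted_files.map do |tf|
    plain = lookup[tf["path"]]
    tf.merge("path" => plain || tf["path"], "decrypted" => !plain.nil?)
  end
end

if __FILE__ == $PROGRAM_NAME
  salt = "example-salt-kept-on-ci-node" # constructed; use a long random value
  puts mask_identity("John Smith <john.smith@example.com>")
  sent = encrypt_test_files(SAMPLE_TEST_FILES, salt)
  sent.each { |tf| puts "sent to API: #{tf}" }
  local = SAMPLE_TEST_FILES.map { |tf| tf["path"] } + ["spec/new_spec.rb"]
  decrypt_test_files(sent, salt, local).each { |tf| puts "resolved: #{tf}" }
end
```

Two properties are worth checking in your own review: the salt must be long and random (a short or guessable salt lets an attacker who sees the digests brute-force common paths such as spec/models/user_spec.rb), and the same salt must be used on every CI node of a build, otherwise the server cannot correlate a file's timing across runs.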

Security Measures for Knapsack Pro Service

Physical Security Controls

Knapsack Sp. z o.o. uses both Heroku (a platform-as-a-service owned by Salesforce, Inc.) and AWS RDS (operated by Amazon Web Services, Inc.) to run the Knapsack Pro service. The physical security of the data centers used by these providers is a key part of protecting customer data. AWS and Heroku each apply their own physical security measures at their respective data centers.

AWS Physical Security Controls

AWS hosts its infrastructure in facilities certified to meet high standards such as ISO 27001, ensuring stringent physical security controls are implemented. AWS data centers include the following security measures:

  • Perimeter Security: AWS data centers are protected by perimeter fencing to prevent unauthorized entry. Vehicle entry points are controlled with security gates and barriers to manage access.

  • Access Control Systems: AWS utilizes multi-layered access control mechanisms, including badge readers, biometric authentication (such as fingerprint or iris scans), and man-traps that limit direct access to secure areas.

  • Surveillance: Continuous video surveillance is in place, with CCTV cameras strategically positioned to monitor all entry points and sensitive areas. The surveillance footage is retained and reviewed as needed to detect and investigate incidents.

  • On-Site Security Personnel: Security guards are stationed at AWS data center locations 24/7, ensuring an immediate response to any suspicious activity. The guards are trained to manage and respond to various security incidents effectively.

  • Authorized Staff: Staff must pass two-factor authentication no fewer than three times to reach data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Amazon only grants data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, their access is revoked immediately, even if they remain an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

  • Environmental Security: AWS deploys motion sensors throughout the facilities to detect movement within secure areas. Alarm systems are configured to trigger alerts in case of unauthorized access or environmental issues, such as fire or flooding. Environmental controls like fire suppression systems and HVAC (Heating, Ventilation, and Air Conditioning) are also implemented to protect equipment and maintain optimal operating conditions.

  • Physical Barriers and Restricted Zones: AWS data centers are segmented into different zones with physical barriers that limit access to high-security areas. Only authorized personnel with specific credentials can enter these restricted zones, further enhancing security.

Heroku Physical Security Controls

Heroku leverages AWS infrastructure for hosting; thus, the physical security controls at AWS data centers also apply to data hosted by Heroku. In addition, Heroku ensures adherence to industry standards and has implemented its own security measures at facilities under its direct control. Heroku's approach to physical security includes:

  • Access Control: Heroku employs strict access control systems at its offices and other facilities. Only authorized personnel have access. As a condition of employment all Heroku and Salesforce employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.

  • Monitoring and Surveillance: While leveraging AWS for physical hosting, Heroku complements this with additional monitoring measures at locations under its direct control, ensuring customer data remains secure.

Monitoring and Response Tools

AWS and Heroku employ various security monitoring tools to detect and respond to irregularities.

  • AWS: AWS uses Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Security Information and Event Management (SIEM) solutions. AWS also maintains Security Operations Centers (SOC) staffed by trained personnel who provide round-the-clock monitoring and response to any potential incidents.

  • Heroku: Heroku complements these efforts with a proactive vulnerability management program and a bug bounty initiative to detect and remediate vulnerabilities effectively. Additionally, Heroku relies on AWS's SOC and security tools to ensure that physical and digital security needs are met.

Data Centers

Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Heroku Vulnerability Management

Heroku's vulnerability management process is designed to remediate risks without customer interaction or impact. Heroku is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each vulnerability is reviewed to determine whether it applies to Heroku's environment, ranked by risk, and assigned to the appropriate team for resolution.

New systems are deployed with the latest updates, security fixes, and Heroku configurations and existing systems are decommissioned as customers are migrated to the new instances. This process allows Heroku to keep the environment up-to-date. Since customer applications run in isolated environments, they are unaffected by these core system updates.

To further mitigate risk, each component type is assigned to a unique network security group. These security groups are designed to only allow access to the ports and protocols required for the specific component type. For example, user applications running within an isolated dyno are denied access to the Heroku management infrastructure as each is within its own network security group and access is not allowed between the two.

Heroku Application Security

Heroku undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of its application, architecture, and implementation. Heroku's third-party security assessments cover all areas of the platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Heroku works closely with external security assessors to review the security of the Heroku platform and applications and to apply best practices.

Issues found in Heroku applications are risk ranked, prioritized, assigned to the responsible team for remediation, and Heroku’s security team reviews each remediation plan to ensure proper resolution.

Summary

These combined efforts ensure that Knapsack Pro's data is managed in a secure environment, leveraging the best practices from both Heroku and AWS to address physical security, monitoring, and incident response needs.
