Security

Physical

All Mapp Fashion services and data are hosted within AWS's data centers. These data centers are built and run to high standards of physical security, redundancy, and resilience against other threats. Find more information here: AWS Compliance & Security Details.

In accordance with AWS best practices, all Mapp Fashion production services are deployed across two or more availability zones (distinct physical locations within a region).

Mapp Fashion uses the eu-west-1 AWS region, which is located in Ireland.

Monitoring

We keep extensive logs of activity occurring on instances we operate and of our AWS account, including:

• All AWS API calls via AWS Cloudtrail

• Webserver & application logs

• SSH connection logs

• Traffic logs

These logs are stored in a dedicated log storage service (i.e., not on the instances being monitored). We use AWS Guard Duty to analyze logs for suspicious behavior.

We also monitor a wide range of metrics, such as disk space, CPU usage, and health status. Where possible, failures are remedied automatically.

Network Access

Servers use AWS's IAM service to automatically rotate AWS API keys frequently. We follow the 'principle of least privilege' and, as such, servers use restricted access policies to have access to only the required resources.

Mapp Fashion users are granted AWS access upon request & reviewed periodically.

Network

Mapp Fashion uses AWS's Virtual Private Cloud service to place all of its resources in a private network. The only hosts exposed to the public internet are:

• Load balancers (these are load balancers operated by Amazon)

• SSH bastion hosts

Mapp Fashion staff requiring access to servers must connect to them via an SSH bastion host, which requires public key authentication & two-factor authentication. SSH keys are distributed to relevant hosts automatically.

Within the Mapp Fashion network, security groups restrict all inbound access by default; inbound rules are only added as needed. Network configuration changes are version-controlled and applied automatically.

We use the Amazon Web Application Firewall in front of our load balancers to mitigate Denial of Service attacks.

Operating System

Mapp Fashion services run Amazon Linux, a distribution provided by Amazon with a minimal default package/service set & hardened defaults. Critical patches are applied automatically.

Data

Data is stored encrypted at rest, either encrypted directly by Mapp Fashion (for example, backups use GPG) or Amazon-provided services such as full disk encryption. Data is protected in transit using either HTTPS (TLS 1.2 with modern cipher suites) or SSH as appropriate.

Our main database as Point in Time recovery (in 5-minute increments) for 30 days supplemented with daily backups.

Application

Mapp Fashion's core web applications are written using Ruby on Rails, which promotes secure development by framework-level handling of issues such as:

• CSRF attacks

• XSS attacks

• SQL injection

In addition, we use static code analysis tools as part of our deployment process.

User passwords are salted and hashed using strong algorithms (bcrypt or scrypt).