Last modified: 10th of November 2021
In case you need a PDF version, you can print this page or request one by sending an email to [email protected].
Information Security Statement
UbiOps (registered at the Dutch Chamber of Commerce under Dutch Analytics B.V. with registration number 66849381 and with its office at Wilhelmina van Pruisenweg 35, 2595 AN, the Netherlands) is committed to protecting its users’ data and information, using industry best standards to do so. We understand the importance of data security and do our utmost to ensure that data held and processed by us is protected, using state-of-the-art Internet security technologies and practices.
UbiOps recognizes that the confidentiality, integrity and availability of information and data created, maintained and hosted by UbiOps and its suppliers is vital to the success of the business and privacy of its customers. UbiOps views these primary responsibilities to be fundamental to the best business practice and to ensure compliance with all applicable laws, regulations and obligations.
UbiOps management actively conveys this policy to UbiOps employees.
October 2020, The Hague, The Netherlands
Yannick Maltha (CEO) and Victor Pereboom (CTO)
Introduction
Various measures are taken to ensure the security and protection of data, intellectual property and other information stored, processed and exchanged using the UbiOps platform. This document describes the main security standards and features.
Because UbiOps can be used as a Software as a Service (SaaS) solution as well as installed standalone in the customer environment (On Premise), some parts of this document contain “On premise additions”. These additions define the differences between them. In general, the on premise variant will receive the same measures and policies as the SaaS solution, with the addition of the measures and policies in the aforementioned “On premise additions”. If you are looking for how we handle privacy, please take a look at our privacy policy.
ISO 27001
UbiOps is ISO 27001:2013 certified.
System Security measures
Authentication
On UbiOps, every user has a separate account with its own password. Password requirements are in line with best practices. Furthermore, UbiOps has a built-in option for enabling two-factor authentication for all UbiOps users in your organization.
SSO
UbiOps also supports Single Sign On (SSO). This way customers can use their own authentication system.
Supported SSO providers:
- Google OAuth
- Microsoft OAuth 2.0
- Other systems upon request
User and Permission system
UbiOps has built-in functionality for managing users, including their roles and permissions. This provides a way to allow or restrict view and edit rights for all objects within UbiOps on a granular level. An example would be restricting the permissions of an employee to only the projects he or she is working on.
Projects and organizations
Deployments and pipelines are separated by projects within an organization. This gives great control over the amount of isolation that can be given. For example, within an organization a separate project can be created for every client.
API
Access to the UbiOps API is secured by time-limited, token-based access control. These tokens are linked to service users. These service users can be subjected to the same granular role-based access and permission management system as normal users.
Secure data storage
Data is encrypted, both in-transit and at-rest. Storage and retention of data in model requests and related logs can be controlled by the user. UbiOps is a platform intended for hosting data processing operations, not for long-term data storage.
UbiOps offers ways to manage secrets, like database credentials, securely outside the code uploaded by a user.
All of the above is encrypted using the AES-256 encryption standard.
Data storage and processing locations
The UbiOps SaaS platform runs on Google Cloud in the Europe-West region. All data being processed or stored within UbiOps is always within this region and will never be transferred to another region.
Backups and redundancy
Daily backups of UbiOps SaaS are made to minimize data loss in the event of a critical incident. This includes databases and model containers themselves. With minimal data loss it is also possible to get the system to a previously working state quickly, preventing downtime.
Redundancy
Redundancy in the UbiOps platform is applied on multiple levels. Google Cloud Platform applies redundancy to its servers. Furthermore, redundancy is applied to both databases and internal platform services.
Business Continuity & Disaster Recovery
UbiOps has systems in place to resume operation after an incident. These systems include but are not limited to:
- Regular encrypted backups to multiple storage facilities within the operating region.
- Fast transition of critical platform infrastructure to another data centre within the operating region in case of a data centre failure.
On premise additions
Infrastructure
In an on-premise installation, UbiOps will run inside the virtual private cloud environment of the customer. UbiOps does not require any communication outside of the perimeters of the VPC environment and has no public facing endpoints in this respect. The customer has the option to set up additional networking and firewall services and rules, restricting access to UbiOps from outside the customer environment. Access control to the infrastructure resources where UbiOps runs will be controlled by the customer. It is important to note that, while this gives more flexibility to the security measures on an infrastructure level, the security on this level is the responsibility of the customer.
Information Security Incidents
Information Security Incident Management
An information security incident is defined as an unexpected security event that can potentially compromise the information security of systems created by UbiOps or systems implemented using systems created by UbiOps.
Information Security Incidents can be reported by both external parties and employees via the UbiOps support portal.
UbiOps has policies in place to handle these incidents.
All incidents that have any relation to criminal activities will be reported to the authorities.
Incident response and notification
In case of any identified vulnerabilities that might impact our users, we will inform them directly by email with information about the issue, the potential impact and measures we will take to fix the problem at hand. We will also inform the user about any measures they can take themselves to minimize the potential impact. Fixes and patches will be released on our SaaS solution as soon as they are ready. Customers will be notified beforehand of any impact on uptime, compatibility or performance related to these fixes.
On premise additions
Incidents
Impact will be assessed on a case by case basis by one of our security experts. On-premise users will receive this assessment including an action plan to implement needed fixes. Fixes will be distributed in the form of a new release.
Development process & release management
Dedicated security personnel
All our developer team members are trained regularly on security and best development practices as a whole. However, several assigned developers, positioned in key areas, have received and keep receiving extra training on security. Together these security experts protect the security of the complete system.
Staff Screening
UbiOps communicates its information security policy to all personnel, requiring employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Source code
The UbiOps platform is developed using secure development standards. This means that great care is taken in logging changes and versions of the source code. Errors or bugs can be traced back through version history. The source code is also split into multiple parts, which eases access control and provides a separation of concerns.
Access control
Access to the UbiOps source code and all related development tools and platforms is secured using role-based access control methods. Access is given only when needed. Password requirements are in line with best practices. On top of this, two-factor authentication is mandatory, providing an extra layer of security.
Asset management
Employees are required to have regular security checks on their computer systems. These checks include but are not limited to extensive virus and malware scans and manual system audits by our Security Manager. Furthermore, all systems are required to have encrypted storage solutions. Any form of removable media is forbidden.
Feature development
Our software is developed using the principles of Agile Software Development (Scrum). New features will always be tested, developed and evaluated completely separately from the current main source code. When this development is done, the feature will be put up for a peer review. If the peer gives approval to the new code, it can be accepted into the main source code after successful automated testing.
Software testing
Unit tests and integration tests are a standard part of our development and release methodology. This also includes tests of security aspects. Automated integration tests are performed on every new version and installation of UbiOps.
Security review
A review of our internal security measures is performed periodically. This review uses a security checklist which is compiled using sources such as the OWASP and CIS benchmarks. This checklist has been verified with external Cyber Security Experts and priorities have been set accordingly. The topics addressed are:
- Technology: how to design and write software with security in mind. E.g., on the checklist are encryption of customer data, isolation of workloads using firewalls, container security.
- Company wide security measures: ensure that employees work securely and do not have more permissions than needed. This includes raising awareness of security policies within UbiOps, using 2FA for all company accounts, and different access levels for different roles in the company.
- Software development process: the way software is written and released in UbiOps adheres to certain standards. Some examples are: separate development, staging and production environments, a small group of system administrators, use of a secrets manager for all access.
New releases
The SaaS version of UbiOps will be updated automatically when new features are ready and stable for normal operation. Users will be informed about new releases at least 1 week in advance. In case of breaking changes, a compatibility or conversion system will be implemented, allowing users to switch without problems. An example of one of these systems would be a compatibility layer to support deprecated API versions. Such systems will also receive security updates.
On premise additions
New releases
For on-premise installations, new functionality will be released and installed in agreement with the customer.