Probench Data Security
  • 29 Jan 2024


This document contains the details of the data security measures taken by 73bit Limited and its service providers, viz. AWS and OVH. It also contains details on how securely the data is stored and transferred to the external location, and details of the backups taken by 73bit Limited.

Probench Data Security and Scalability

Is our data secure?
We take security very seriously.

All connections to our site are through SSL (encrypted HTTP).

Backups that are stored remotely are encrypted before being sent to the remote facility.

Each installation has its own separate database, so there is no risk of data being accidentally shared across organisations.

Does your service “scale”?
Our constraint is one of peak usage. The number of users and the number of questions within each of the questionnaires contribute to the number of responses that need to be recorded. The number of responses captured per minute then determines the load.

In 2016, we collected more than ~735,966 responses between January and March, with a peak of ~49,557 responses captured in one day.

Our load-balanced architecture allows us to add more web servers. Should we need to add more database capacity, we have a plan in hand to shard the database so that we could use multiple database servers. However, based on usage levels to date, our first response would be to scale up the primary database server.

Is your data locked into our system?
All the data collected and stored using Probench is the intellectual property of our clients. As a matter of principle, we make no claim to any of the data entered into the system by yourselves or your users. Because there is no obvious industry standard, the system does not currently have any specific way to quickly move the surveys to another system. However, this is not by design. We would be happy to have a contractual clause affirming your access, at the most immediate practical date, to all the data stored within Probench. The export would have to be in a format agreeable to both parties (useful to you but practical for us to provide).

Server Security

Our servers are hosted with OVH, a third-party service provider with a long history in the hosting business. The measures OVH takes for data security and continuation of services to us are listed below.

  1. High security datacentres
  2. Fire risk management
  3. Network security
  4. Server security
  5. Electrical supply
  6. Geographically distant datacentres
  7. Anti-DDoS protection
  8. Data confidentiality

The following link provides details of the measures OVH takes for data security and continuation of services to us:
https://www.ovh.com/us/about-us/security.xml

Database Backup

73bit will take an incremental database backup every 1 hour and a full database backup every 24 hours when the survey is live for the company, so that there is no data loss and all the data is restorable. The backups also allow investigation in case any issue occurs.

Data Backups

We take a daily backup of the data and the evidence uploaded by the users to the Amazon S3 cloud service. In case of any issue on the server or any loss of data on the server, we can retrieve the data from the Amazon cloud service with a downtime of not more than 4-5 hours. We also store this data in an encrypted format.

The security of the Amazon S3 cloud service is covered in some of the FAQs published by Amazon on their site:

Security

Q: How secure is my data?
Amazon S3 is secure by default. Only the bucket and object owners originally have access to Amazon S3 resources they create. Amazon S3 supports user authentication to control access to data. You can use access control mechanisms such as bucket policies and Access Control Lists (ACLs) to selectively grant permissions to users and groups of users. You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provided Keys (SSE-C) option to encrypt data stored at rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively you can use your own encryption libraries to encrypt data before storing it in Amazon S3.

Q: How can I control access to my data stored on Amazon S3?
Customers may use four mechanisms for controlling access to Amazon S3 resources: Identity and Access Management (IAM) policies, bucket policies, Access Control Lists (ACLs) and query string authentication. IAM enables organizations with multiple employees to create and manage multiple users under a single AWS account. With IAM policies, companies can grant IAM users fine-grained control to their Amazon S3 bucket or objects while also retaining full control over everything the users do. With bucket policies, companies can define rules which apply broadly across all requests to their Amazon S3 resources, such as granting write privileges to a subset of Amazon S3 resources.

Customers can also restrict access based on an aspect of the request, such as HTTP referrer and IP address. With ACLs, customers can grant specific permissions (i.e. READ, WRITE, FULL_CONTROL) to specific users for an individual bucket or object. With query string authentication, customers can create a URL to an Amazon S3 object which is only valid for a limited time. For more information on the various access control policies available in Amazon S3, please refer to the Access Control topic in the Amazon S3 Developer Guide.

Data Protection

Q: How durable is Amazon S3?
Amazon S3 Standard and Standard - IA are designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000,000 years. In addition, Amazon S3 is designed to sustain the concurrent loss of data in two facilities.

As with any environment, the best practice is to have a backup and to put in place safeguards against malicious or accidental user errors. For S3 data, that best practice includes secure access permissions, Cross-Region Replication, versioning and a functioning, regularly tested backup.

Q: How is Amazon S3 designed to achieve 99.999999999% durability?
Amazon S3 Standard and Standard - IA redundantly stores your objects on multiple devices across multiple facilities in an Amazon S3 Region. The service is designed to sustain concurrent device failures by quickly detecting and repairing any lost redundancy. When processing a request to store data, the service will redundantly store your object across multiple facilities before returning SUCCESS. Amazon S3 also regularly verifies the integrity of your data using checksums.

73Bit’s Policy in case 73Bit Limited decides to dissolve

In case 73Bit Limited decides to close down its operations or discontinue Probench, 73Bit is committed to setting up Probench on the server provided by the client, along with its source code and the database of the client.

However, if there is a management change and Probench still exists with appropriate support, the above commitment does not apply.

