
We are constantly confronted with the same security, protection and safety questions. The Q&A below addresses all the cases we have heard of so far.

Please note, beforehand:

...

Info: Production data

GRAVITY interacts with the HTML tags in your application's DOM tree. It never programmatically accesses any of the data below.

We guarantee by contract that the data we see is never accessed by our code; you can verify this yourself by inspecting our JavaScript code in your browser. This means we never work with any of your business-critical data. When the questions and answers below talk about GRAVITY content (data), we mean content that a content owner created, not your business-critical assets, which we neither see nor work with.

Info: On Premise

If you decided to host our backend On Premise, physical protection, firewall configuration, server security and all other aspects of the On Premise installation are naturally out of our hands. We are happy to help, but cannot guarantee the safety of a server in your data center.

From a technical standpoint, our approach is to compute and store jQuery selectors from BODY down to the target element, and to apply the text() function only to the target element. Only the text of the target element and its descendants can end up in our database, depending on how the application is built. Text entered into a form input is never captured, because text() does not return the content of inputs or scripts.
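The following is an added illustration of the mechanism described above; it is not GRAVITY's own code, and the element tree at the bottom is constructed for the example. It records a selector path from BODY to a target element and the text of that element and its descendants, and shows that a value typed into a form input is never part of what would be stored, because text extraction only walks text nodes. The functions use only DOM properties (nodeType, tagName, parentNode, childNodes, data), so they run unchanged against a real document in a browser.

```javascript
// Added illustration (not GRAVITY's own code) of recording a selector path from
// BODY to a target element plus the text of the target and its descendants.
// Only DOM-like properties are used (nodeType, tagName, parentNode, childNodes,
// data), so the same functions work on a real document in a browser and on the
// constructed tree at the bottom of this block.

const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

// Elements whose contents are not returned as text. jQuery documents .text()
// as not usable on form inputs and scripts; this illustration simply skips them.
const SKIPPED_TAGS = new Set(['INPUT', 'TEXTAREA', 'SELECT', 'SCRIPT', 'STYLE']);

// Build e.g. "body > form:nth-child(2) > span:nth-child(3)" for the target element.
function selectorPath(target) {
  const parts = [];
  for (let node = target; node && node.nodeType === ELEMENT_NODE; node = node.parentNode) {
    const tag = node.tagName.toLowerCase();
    if (tag === 'body') {
      parts.unshift('body');
      return parts.join(' > ');
    }
    const parent = node.parentNode;
    const siblings = parent
      ? Array.from(parent.childNodes).filter(n => n.nodeType === ELEMENT_NODE)
      : [node];
    parts.unshift(`${tag}:nth-child(${siblings.indexOf(node) + 1})`); // nth-child is 1-based
  }
  return null; // target is not attached below a BODY element
}

// Concatenate the text nodes under `node`. An input's typed value lives in its
// `value` property, not in a text node, so it is never touched here.
function textOf(node) {
  if (node.nodeType === TEXT_NODE) return node.data;
  if (node.nodeType !== ELEMENT_NODE || SKIPPED_TAGS.has(node.tagName.toUpperCase())) return '';
  return Array.from(node.childNodes).map(textOf).join('');
}

// What would be stored for an annotated element: its path and its text.
function capture(target) {
  return { selector: selectorPath(target), text: textOf(target) };
}

// --- constructed sample tree (stand-in for a real DOM; assumed content) ---
function el(tagName, children = [], props = {}) {
  const node = { nodeType: ELEMENT_NODE, tagName, parentNode: null, childNodes: [], ...props };
  for (const child of children) { child.parentNode = node; node.childNodes.push(child); }
  return node;
}
function txt(data) { return { nodeType: TEXT_NODE, data, parentNode: null }; }

const passwordInput = el('INPUT', [], { value: 'hunter2' }); // typed secret, never read
const accountLabel = el('SPAN', [txt('Account 4711')]);
const body = el('BODY', [
  el('DIV', [txt('Login')]),
  el('FORM', [el('LABEL', [txt('Password')]), passwordInput, accountLabel]),
]);

console.log(capture(accountLabel));  // path to the span and its visible text
console.log(capture(passwordInput)); // path to the input; text is '' (value not collected)
```

Note what the example does and does not show: the typed password never appears in the captured record, but visible text such as "Account 4711" does, which is exactly the "depending on how the application is built" caveat above. If your application renders sensitive values as plain text rather than in form fields, they are capturable text like any other.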


Answers

How do you manage Security and Privacy in general?

...

The only data GRAVITY collects about a user is their email address and their learning progress. No other personal data is collected (not even a name or a number; of course the email address may contain the name or parts of it). Keep in mind that GRAVITY is an additional layer and therefore has no access to production data itself.

Do employees of Gravity Global AG have access to hosted customer data, such as user IDs, audit trails and server logs?

Hosted GRAVITY instances are single-tenant installations running in isolated Kubernetes containers. Access to any data is possible through the admin interface. The access configuration for the admin site is set up as part of the setup process. Normally Gravity Global AG employees have a dedicated admin user during the initial setup and configuration phase. After that period, this admin user is deleted, and the customer's admin accounts are protected by a second factor. From then on, no data can be seen or decoded by anyone except the customer itself.

Where is my GRAVITY content (data) stored and is it in my control?

...

Variant                     | Residency (all envs)  | Company control over location
On Premise                  | The customer company  | Yes
Swisscom Application Cloud  | Switzerland           | 50:50; within Swiss boundaries, guaranteed by Swisscom Schweiz AG
Microsoft Azure             | By choice, but EU     | No
OpsOne                      | Switzerland           | No; within Swiss boundaries, guaranteed by OpsOne AG
OpsOne - EU                 | Germany               | No; within German boundaries

Do I keep ownership over the GRAVITY content I enter (data)?

...

On Premise: yes. Swisscom Application Cloud: yes. OpsOne: yes. Microsoft Azure: still under review.

...

The infrastructure we currently use is protected by Swisscom OpsOne (application security scanner; the details depend on your hosting type). As noted at the top, when hosting the application yourself On Premise you are responsible for a large part of the security yourself.

...

Transit: all traffic uses HTTPS, and passwords are hashed before they are transmitted. Note that a hash transmitted by the client is still the credential the server checks, so TLS remains the primary protection of the login exchange. Authenticated users are identified by an HttpOnly cookie.

Rest: in our case Swisscom OpsOne encrypts the data at rest and keeps it safe (Linux Unified Key Setup, LUKS). On Premise: data safety cannot be guaranteed by Gravity Global AG or its cloud providers.
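A practitioner will want to verify the cookie claim in the transit answer above on their own deployment rather than take it on trust. The following added example (not GRAVITY's code; the cookie name GRAVITYSESSION and both header values are constructed for the illustration) parses a Set-Cookie header as returned by the backend and reports which hardening attributes are missing.

```javascript
// Added example (not GRAVITY's own code): audit a Set-Cookie header for the
// attributes a session cookie should carry. Cookie names and values below are
// constructed for the illustration, not captured from a real deployment.

// Parse "name=value; Attr; Attr=val" into { name, value, attrs } with
// attribute names lower-cased (attribute names are case-insensitive).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of problems; an empty list means the cookie is acceptable.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly: readable from document.cookie by injected script');
  if (!attrs.secure) problems.push('missing Secure: browser may send it over plain HTTP');
  const sameSite = String(attrs.samesite || '').toLowerCase();
  if (!sameSite) problems.push('missing SameSite: sent on cross-site requests (CSRF exposure)');
  else if (sameSite === 'none' && !attrs.secure) problems.push('SameSite=None requires Secure');
  return problems;
}

// Constructed sample headers: one as a weak deployment might set it, one hardened.
const weakCookie = 'GRAVITYSESSION=abc123; Path=/';
const hardenedCookie = 'GRAVITYSESSION=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log(auditSessionCookie(weakCookie));     // three findings
console.log(auditSessionCookie(hardenedCookie)); // []
```

To use it against a live instance, copy the Set-Cookie header from the login response in the browser's developer tools (or from curl -i) and pass it to auditSessionCookie. HttpOnly is the attribute the answer above mentions; Secure and SameSite are the two a reviewer would additionally expect on a session cookie served over HTTPS.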

...

Do you work with a secure software development life cycle and implement secure coding standards and practices, security audits and code reviews before application/software is released to production?

We (a startup) currently rely on code reviews by our Minsk development team. Our investor also undertook security audits when accepting our latest version. Dependencies (with some exceptions in the inject script, where we use a fork of jQuery) are kept up to date firstly by the development team and secondly by Maven and our CI pipeline. As our software testing standard we use ISO/IEC 29119. On all major releases we have a Swiss security company conduct penetration tests against our services and code. The latest penetration test reports will be sent to interested parties once an appropriate NDA is in place.

Is user access management (incl. user enrolment, user password management, privilege management, secure storage of user credentials, etc.) available?

...

Can I use my own company's authentication provider (IdP) via SAML for seamless SSO?

Yes, see the configuration documentation. The resources to build the integration are charged at the customer's cost, since the solution is proprietary and not yet supported out of the box by GRAVITY.

Do you offer any business continuity and disaster recovery management (certifications)?

...

Depends on the hosting choice. On Premise you are responsible for your servers. Swisscom Application Cloud offers SLAs for partners and customers, which we would acquire on the customer's behalf (paid by the customer). Microsoft Azure has different subscriptions to choose from. Since GRAVITY is not business critical and does not interfere with daily business, cheaper plans are advised. If Gravity Global AG provides the hosting, we generally offer 99% uptime of the service; details are part of the offer and negotiation between Gravity Global AG and the customer.

Do you outsource any IT or IT security functions to a third-party service provider?

...

Data retention: depends on the hosting choice; available through the cloud provider's service offering.

On the website I see the following sentence: "User activity is continuously monitored and progress can be tracked." How do you ensure GDPR compliance?

We are GDPR compliant: we collect no personal data besides the email address and learning progress, as stated in our wiki and at the top of this page; here is an excerpt:

...

For our portfolio I need a detailed explanation of your product. Is there one?

Yes, see the page Gravity GRAVITY overview.

What JavaScript files will you place on my application server?

None. See the page Gravity GRAVITY overview to understand how GRAVITY works. If you chose the On Premise hosting option there will be JavaScript files inside your data center, but they will almost certainly not be on the same server as your application.

...

Detailed plugin descriptions are available at: Plugin Version 2.x Browser Extensions
There are only two things stored in the plugin's local storage: a TTL and a URL.

...

The plugin is only installed on the clients, never on the server.
Detailed plugin descriptions are available at: Plugin Version 2.x Browser Extensions

What application controls (e.g. logging mechanisms, data quality checks, error messages) are implemented to ensure completeness, integrity, accuracy and authorization of data?

...

Yes. In on-premise environments private CAs are sometimes used. GRAVITY has a mechanism to import private certificates into the deployed .jar files and Docker containers. (More information)

SaaS: What Web Application Firewall (WAF) is used?

Yes. OpsOne uses ModSecurity for additional protection against application-level attacks such as cross-site scripting and SQL injection. By default the ModSecurity Core Rule Set (OWASP CRS) is loaded, which blocks common vulnerabilities and some zero-day attacks through generic rules. Gravity Global AG configures additional settings according to the GRAVITY configuration and the customer's requests.

Are vulnerability scans applied to the builds?

Yes. When we build our software, the resulting container images are scanned in Harbor, which uses the Trivy scanner.

Who are your partners for the hosting infrastructure?

For hosting infrastructure we work with OpsOne AG in Zurich. OpsOne manages the Kubernetes infrastructure, storage and backup for us. The hardware is housed in NTT's Zurich 1 data center, with the backup location at DATAROCK in Nottwil (LU). For European hosting the hardware is housed in the NTT Rechenzentrum Frankfurt 1, with the backup location in Data Center Park Nürnberg.

OpsOne AG is ISO/IEC 27001:2013 certified and a member of "Swiss Hosting".