Security Q&A

GRAVITY interacts with the HTML tags in your application's DOM tree. It never programmatically accesses any of the data discussed below.

We guarantee by contract that the data we see is never accessed by our code. You may verify this yourself by inspecting our JavaScript code in your browser. This means we never work with any of your business-critical data. The questions and answers below talk about GRAVITY content (data); by that we mean content a content owner created, not your business-critical assets, which we neither see nor work with.

From a technical standpoint, our approach calculates and stores jQuery selectors from the BODY element down to the target element, and applies the text() function only to the target element. Note that only the text of the target element and its descendants can end up in our database, depending on how the application is built. Text typed into a form input is disregarded, as inputs and scripts are not covered by this function.
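
The following is an added example, not GRAVITY's own code, showing the mechanism described above on a hand-built DOM model (the tree, the tag names and the `SKIP_TAGS` list are constructed for the example; no browser is needed). It builds a jQuery-style selector from the body down to a target element and collects only the text under that element, explicitly skipping form inputs and script elements so that typed values and script source are never captured.

```javascript
// Added example (not GRAVITY's code). A DOM node is {tag, attrs, children, parent};
// a child that is a plain string stands for a text node.
const SKIP_TAGS = new Set(['input', 'textarea', 'select', 'script', 'style']);

// Walk up from `node` to <body> and emit e.g. "body > div:nth-child(2) > span:nth-child(2)".
// Positions are counted among element siblings only, as CSS :nth-child counts elements.
function selectorPath(node) {
  const parts = [];
  let cur = node;
  while (cur && cur.tag !== 'body') {
    const parent = cur.parent;
    const elems = parent.children.filter(c => typeof c !== 'string');
    parts.unshift(`${cur.tag}:nth-child(${elems.indexOf(cur) + 1})`);
    cur = parent;
  }
  parts.unshift('body');
  return parts.join(' > ');
}

// Concatenate the text nodes under `node`, like jQuery's .text(), but never descend
// into inputs or scripts: an input's value and a script's source are dropped.
function capturedText(node) {
  if (typeof node === 'string') return node;
  if (SKIP_TAGS.has(node.tag)) return '';
  return node.children.map(capturedText).join('');
}

// Build a node and wire up parent links for its element children.
function el(tag, children = [], attrs = {}) {
  const n = { tag, attrs, children, parent: null };
  for (const c of children) if (typeof c !== 'string') c.parent = n;
  return n;
}

// Constructed sample page: a form input holding a sensitive value and an inline
// script sit next to the element a content owner would target.
function buildSample() {
  const target = el('span', ['Account ', el('b', ['balance'])]);
  const body = el('body', [
    el('header', ['Bank portal']),
    el('div', [
      el('form', [el('input', [], { value: 'secret-iban' })]),
      target,
      el('script', ['var token = "abc";']),
    ]),
  ]);
  return { body, target };
}

function demoSelector() {
  const { body, target } = buildSample();
  const container = body.children[1]; // the <div> wrapping form, target and script
  return {
    selector: selectorPath(target),      // "body > div:nth-child(2) > span:nth-child(2)"
    text: capturedText(target),          // "Account balance"
    containerText: capturedText(container), // also "Account balance": input and script skipped
  };
}
```

The selector records only structure (tag names and sibling positions), which is what makes it safe to store; the text collection is where data could leak, so the skip list is the control to audit when reviewing the injected script in the browser.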

Answers

How do you manage Security and Privacy in general?

Security and privacy are a major topic for Gravity Global AG, mainly because we sell our products to banks and infrastructure companies and have to pass their security reviews. Therefore, we code to comply with the EU's GDPR and take great care over the attack surface of the web app's API as well as the scripts we run in the client's browser.

Security is part of our ISO 29119 based software testing standard. All testing protocols for the installed versions of GRAVITY can be requested for internal review by any customer.

Your name, personal data and tracking, what is tracked?

The only data GRAVITY collects about a user is their email address and their learning progress. No other personal data is collected (not even a name or a number; of course the email address may contain the name or parts of it). Keep in mind that GRAVITY is an additional layer and therefore has no access to production data itself.

Do employees of Gravity Global AG have access to hosted customer data, such as user IDs, audit trails and server logs?

Hosted GRAVITY instances are single-tenant installations running in isolated Kubernetes (K8s) containers. Access to any data is only possible through the admin interface. Access to the admin site is configured as part of the setup process. Normally, Gravity Global AG employees have a dedicated admin user during the initial setup and configuration phase. After that phase, this admin user is deleted and the customer's admin accounts are protected by a second factor. From then on, no data can be seen or decoded by anyone except the customer itself.

Where is my GRAVITY content (data) stored and is it in my control?

This depends on your hosting type:

Variant              Residency (all envs)        Company control over location
On Premise           The customer company        Yes
Microsoft Azure      By choice, but within EU    No
OpsOne Switzerland   Switzerland                 No (always within Swiss boundaries)
OpsOne EU            Germany                     No (always within German boundaries)

Do I keep ownership over the GRAVITY content I enter (data)?

This depends on your hosting type:

On premise: yes. Swisscom Application Cloud: yes. OpsOne: yes. Azure: subject to research.

Are you guys certified for any of the following: IT security management, maintained information security, data privacy compliance, or service organization and IT operations?

Gravity Global AG does not yet hold any such certification.

Are there any security policies or security white-papers (to understand the implemented security safeguards frameworks and controls) available? 

The infrastructure we currently use is protected by OpsOne (including an application security scanner), but this also depends on your hosting type. As stated at the top, when you host the application yourself on premise, a large part of the security is your own responsibility.

The application itself uses HTTPS, salted and hashed passwords and HTTP-only cookies for authentication and authorisation.

Users can be removed at any time.

How is the GRAVITY content (data) protected (encrypted) in-transit and at-rest, incl. data backup?  

Transit: HTTPS is used in transit and only hashed passwords are transmitted. Authenticated users are identified by an HTTP-only cookie.

Rest: when hosted by OpsOne, the data at rest is encrypted with LUKS (Linux Unified Key Setup). On premise, data safety cannot be guaranteed by Gravity Global AG or its cloud providers.

Can anyone on the internet query my backend to get my URL structure?

No. URLs are stored as SHA-256 hashes and are never kept in plain text.

Do you follow a secure software development life cycle and implement secure coding standards/practices, security audits and code reviews before an application/software release goes to production?

Dependencies (with some exceptions in the inject script, where we use a fork of jQuery) are kept up to date, firstly by the development team and secondly by Maven and our CI pipeline. As our software testing standard we use ISO 29119. For every major release, we have a Swiss security company conduct penetration tests against our services and code. The latest penetration test reports are sent to interested parties once an appropriate NDA is in place.

Is there a user access management (incl. user enrolment, user password management, privilege management, secure storage of user credentials, etc.)  available?

Yes. Depending on your chosen level of integration, passwords are stored SHA-256 hashed and salted in the GRAVITY database (where that database lives depends again on your hosting variant, see above). You can manage all of that in the admin backend we also provide.

Please note that if we build an SSO integration for you, the password/token setup needs to be engineered.

Can I use my own company's authentication provider (IdP) with SAML for seamless SSO?

Yes - see configuration  

Do you guys offer any business continuity and disaster recovery management (certifications)?  

Available through cloud provider’s service offering.  

What SLAs are available (data/service reliability SLA: availability, RTO, RPO)?

Depends on the hosting choice. On premise, you are responsible for your servers. If Gravity Global AG provides the hosting, we generally offer 99% uptime of the service. Details are part of the offer and the negotiation between Gravity Global AG and the customer.

Do you outsource any IT or IT security functions to a third-party service provider?

No. 

Are there technical possibilities for data rollback, deletion (incl. backups) and retention in case of contract termination?

Data-rollback: Yes.

Data-Deletion: Depends on hosting choice. Available through cloud provider’s service offering. 

Data-retention: Depends on hosting choice. Available through cloud provider’s service offering. 

On the website I see the following sentence: "User activity is continuously monitored and progress can be tracked." How do you ensure GDPR compliance?

We are GDPR compliant: we collect no personal data besides the email address, as stated in our wiki and at the top of this page. Here is an excerpt:

Data: E-mail address

Lawful basis: We need an identifier for a user to ensure they are part of the domain our client uses. We use the working e-mail address of employees to onboard them into the client's GRAVITY configuration.

How is consent collected? The client (e.g. Company XY, the employer of the user) gives consent for all its users.

Can consent be revoked? No, the client gives consent for the user.

Individual rights:

Right of access: Impossible; it cannot be accessed, it is only an identifier.

Right to be informed: Possible but of little use, since no related personal information is collected. The user most certainly knows their own e-mail address already.

Right of erasure: Done by deleting the user in the backend; all related information is discarded within milliseconds of the request (except audit logs, which are kept for a per-client defined time).

Right of rectification: See the entries above.

Right to object: support@gravity.global

Right to restrict processing: There is no processing.

Right not to be subject to automated decision-making: There is no automated decision-making.

Right to data portability: There is no personal data besides the e-mail address.

For our portfolio I need a detailed explanation of your product, is there one?

Yes, check it at GRAVITY overview.

What JavaScript files will you place on my application server?

None. Check our GRAVITY overview to understand how GRAVITY works. If you choose the On Premise hosting option, there will be JavaScript files inside your data center, but almost certainly not on the same server as your application.

How do you assure that none of our production data gets extracted by your code or your employees?

Employees: This is guaranteed at contract level between you (the customer) and Gravity Global AG.

Code: Our code is peer reviewed (and pentested by Info Guard) and can be inspected in your browser for maximum transparency. Our backend is also built so that XSS, CORS misconfiguration, SQL injection and similar attacks are not possible.

What data does the browser plugin store?

Detailed plugin descriptions are available at: Browser Extensions
Only two things are stored in the plugin's local storage: a TTL and a URL.

Where will the data be stored and for how long? Cloud? On the server?

See the previous answer. The data is kept in the plugin's local storage as long as the TTL has not expired.

Who has access to the browser plugin data?

The plugin itself reads the TTL and URL on every page change until the TTL has expired; afterwards it refreshes/updates the URL from the backend.

Where will this plugin be installed? On the server or on the user device?

The plugin is only installed on the clients, not on the server.
Detailed plugin descriptions are available at: Browser Extensions

What kind of application controls (e.g. logging mechanism, data quality checks, error messages) are implemented to ensure completeness, integrity, accuracy and authorization of data?

The GRAVITY web app provides a server log and an audit trail covering all actions that are database or user-content driven. These logs can be reviewed by the GRAVITY admin user. On the front end we do not perform completeness checks, but we make sure that only authorized users/tokens can read from or write to the GRAVITY web app API. The web app also cleanses certain data before storing it (mainly removing trailing whitespace from form fields and URLs). Communication between the GRAVITY web app and the database uses standard protocols and languages; transport security there is managed by the hosting provider.

Can we use our own certificate authority to digitally sign emails and other communications?

Yes. In on-premise environments private CAs are sometimes used. GRAVITY has a mechanism to import private certificates into deployed .jar files and Docker containers. (More information)

SaaS: What Web Application Firewall (WAF) is used?

OpsOne uses ModSecurity for additional protection against application-level attacks such as cross-site scripting and SQL injection. By default, the Core Rule Set is loaded, which blocks common vulnerability classes and some zero-day attacks through a set of global rules. Gravity Global AG then configures additional settings according to the GRAVITY configuration and the customer's requests.

Are vulnerability scans applied to the builds?

Yes. When we build our software, the built container images are scanned in Harbor using the Trivy scanner.

What are your partners regarding the hosting infrastructure?

Regarding hosting infrastructure, we work with OpsOne AG in Zurich. OpsOne manages the Kubernetes infrastructure, storage and backups for us. The hardware is housed in NTT's Zurich 1 data center, with the backup location at DATAROCK in Nottwil (LU). For European hosting, the hardware is housed in the NTT Rechenzentrum Frankfurt 1, with the backup location in the Data Center Park Nürnberg.

OpsOne AG is ISO/IEC 27001:2013 certified and a member of "Swiss Hosting".