Security Q&A
Table of contents
We are constantly confronted with the same security, protection and safety questions. The Q&A below addresses all the cases we heard.
Please note, beforehand:
Production data
GRAVITY interacts with the HTML Tags in your applications DOM Tree. It never programmatically accesses any of the data below.
We guarantee by contract that the data we see is never accessed by our code. You may verify this on your own by inspecting our JavaScript code in your browser. This means, we never work with any of your business-critical data. The questions and answers below talk about GRAVITY content (data): thereby we mean content a content owner created and not your business-critical assets as we do not see or work with them.
On Premise
If you decided to host our backend On Premise. Naturally, physical protection, firewall configurations, server security and all other On Premise installations are out of our hands. We are happy to help you but can not guarantee the safety of your server in your data center.
How do you manage Security and Privacy in general?
Security and Privacy is a ‘major topic’ for Gravity Global AG. Mainly because we are selling our products to Banks and Infrastructure Companies and have to pass their Security Review. Therefore, we code to be compliant with the EU’s GDPR guideline and take great care of the vulnerability of the web app’s API as well the scripts we run on the client’s browsers.
Security is part of our ISO 29119 based Software Testing Standard. All testing protocols, for the installed versions of GRAVITY, can be request for internal review by any customer.
Your name, personal data and tracking, what is tracked?
The only data GRAVITY collects about a user is his email address and his learning progress. No other personal data is collected (not even a name or a number [of course the email may contain the name or parts of it]). Keep in mind that Gravity is an additional layer and therefore has no access to production data itself.
Do employees of Gravity Global AG have access to hosted customer data – like User IDs, audit trails and server logs.
Hosted GRAVITY instances are single tenant installations, running on isolated K8s containers. Access to any data is possible through the admin interface. The access configuration to the admin site is configured as part of the setup process. Normally Gravity Global AG employees have a dedicated admin user during the initial setup and configuration process. After that period, such admin user’s gets deleted, and the customers admin access accounts will be protected by a second factor. After that, absolutely no data can be seen or decoded by anyone expect the customer itself.
Where is my GRAVITY content (data) stored and is it in my control?
This depends on your hosting type:
| Variant | Residency (all envs) | Company control over location |
|---|---|---|
| On Premise | The customer company | Yes |
| Microsoft Azure | By Choice, but EU | No |
| OpsOne | Switzerland | No! Within Swiss boundaries. |
Do I keep ownership over the GRAVITY content I enter (data)?
This depends on your hosting type:
On premise yes, in Swisscom Application Cloud too. OpsOne, Yes. Azure subject to research.
Are you guys certified for any of the following: IT security management, maintained information security, data privacy compliance, or service organization and IT operations?
Gravity Global AG has not yet such certification.
Are there any security policies or security white-papers (to understand the implemented security safeguards frameworks and controls) available?
The infrastructure we currently use is protected by OpsOne (App Security scanner - but it also depends on your hosting type). As written on top, when hosting the application yourself On Premise you are responsible for a great part of security yourself.
The application itself uses HTTPS, Hash-Salted Passwords and HTTP-Only-Cookies to ensure authentication and authorisation.
Users can be expelled anytime.
How is the GRAVITY content (data) protected (encrypted) in-transit and at-rest, incl. data backup?
Transit: HTTPS is used for transit and only hashed passwords are transmitted. Authenticated users are identified by a HTTP-Only-Cookie.
Rest: In our case OpsOne encrypts the data and keeps it safe (Linux Unified Key Setup ( LUKS)). On premise: the data safety cannot be guaranteed by Gravity Global AG or its cloud providers.
Can anyone on the internet query my backend to get my URL structure?
No, the URLs are SHA-256 hashed and never seen plain text.
Do you work a secure software development life cycle and implement secure coding standards/practices, security audit and code reviews before application/software is released to production?
Dependencies (with some exceptions in the inject script where we use a fork of jQuery) are kept up to date firstly by the development team and secondly by Maven and our CI pipeline. As Software Testing Standard we use ISO 29119. On all major releases, we let a Swiss Security Company conduct penetrations tests against our services and code. The latest penetrations tests reports will be sent to any interested parties, after having the appropriate NDA in place.
Is there a user access management (incl. user enrolment, user password management, privilege management, secure storage of user credentials, etc.) available?
Yes. Depending on your chosen level of integration, passwords are stored SHA-256 hashed and salted in the GRAVITY Database (depending again on question 1 where this will be). You can manage all of that in the admin backend we also provide.
Please note that if we would build your SSO, the password/token setup needs to be engineered.
Can I use my own companies authentication provider (IdP) utilising SAML for seamless SSO?
Resources to build are available at customer’s costs (since the solution is proprietary and not yet supported by GRAVITY).
Do you guys offer any business continuity and disaster recovery management (certifications)?
Available through cloud provider’s service offering.
What SLA's are available (data/service reliability SLA - availability, RTO, RPO)?
Depends on hosting choice. On Premise you are responsible for your servers. Different cloud providers offers SLA’s for partners and customers which we would acquire on the customers behalf (paid by the customer). Microsoft Azure has different subscriptions which can be chosen from. Since GRAVITY is not business critical and does not interfere with daily business, cheaper plans are advised.
Do you outsource any of IT or IT security functions to third-party service provider?
No.
Is there technical possibilities of data-rollback, -deletion (incl. backups), and -retention in case of contract termination?
Data-rollback: Yes.
Data-Deletion: Depends on hosting choice. Available through cloud provider’s service offering.
Data-retention: Depends on hosting choice. Available through cloud provider’s service offering.
On the website I see the following sentence “User activity is continuously monitored and progress can be tracked.” How do ensure GDPR compliancy?
We are GDPR compliant, we collect no personal data besides the email address, we stated this in our wiki and at the top but here is an excerpt:
| Data | Lawful basis | How is consent collected? | Can consent be revoked? | Individual rights |
|---|---|---|---|---|
| E-Mail address | We need an identifier for a user to ensure he is part of the domain that our client uses. We use the working e-mail address of employees to onboard them into the clients gravity configuration. | The client (e.g. Company XY which is employer of user) gives consent for all its users. | No, the client gives consent for the user. | Right of access Right to be informed Right of erasure Right of rectification Right to object Right not to be subject to automated decision-making Right to data portability |
For our portfolio I need a detailed explanation of your product, is there one?
Yes, check it at Gravity overview.
What JavaScript files will you place on my application server?
None. Check our Gravity overview to understand how GRAVITY works. If you chose the hosting option On Premise there will be JavaScript files inside your data center but 99.99999% not on the same server as your application.
How do you assure that none of our production data gets extracted by your code or your employees?
Employees: This is guaranteed on contract level between you (the customer) and Gravity Global AG.
Code: Our code is peer reviewed (and pentested by Info Guard) and can be inspected in your browser for maximum transparency. We also ensure with our backend that no XSS, CORS, SQL Injection or similar is possible.
What data does the browser plugin store?
Detailed plugin descriptions are available at: Plugin Version 2.x
There are only two things stored within the plugins local storage: A TTL and an URL.
Where will the data be stored and for how long? Cloud? On the server?
See aforementioned answer. Data are stored on the plugins local storage as long as the TTL hasn't expired.
Who has access to the browser plugin data?
The plugin itself can access TTL and URL on every page change until the TTL has expired. Afterwards it refreshes/updates the URL on the backend.
Where will this plugin be installed? On the server or on the user device?
The plugin will only be installed on the clients and not on the server.
Detailed plugin descriptions are available at: Plugin Version 2.x
What kind of application controls such as e.g. logging mechanism, data quality check, error messages are implemented to ensure completeness, integrity, accuracy and authorization of data?
The GRAVITY-Web-App provides a server log and an audit trail regarding all actions who are database/user content driven. These logs can be reviewed by the admin user of GRAVITY. From a front-end perspective, we don’t do any completeness checks. But we make sure that only authorized users/tokens can read/write against the GRAVITY-Web-App-API. Also, the GRAVITY-Web-App makes sure that certain data are cleansed before stored (the data cleansing mainly takes places to remove empty spaces at the end of forms and or in URLs). The communication between the GRAVITY-Web-App and the database is based on standard protocols and languages (the transport security is managed by the hosting provider).
Can we use our own certificate authority to digitally sign emails and other communications?
Yes. In on-premise environments sometimes private CA are used. GRAVITY has a mechanic to import private certificates in deployed .jar-files and docker containers. (More information)
SaaS: What Web Application Firewall (WAF) is used?
Yes. OpsOne uses ModSecurity to additional protection against application level attacks such as cross site-scripting and SQL injections. By default, the core rules set will be loaded, and will block common vulnerabilities and zero day attacks by adding some more global rules. But Gravity Global AG will configure additional settings in accordance of the GRAVITY configuration and the customers requests.
Are Vulnerabilities Scans applied to the builds?
Yes. When we build our software we scan the built containers with Harbour. The containers are scanned with the Library Trivy.
What are your partners regarding the hosting infrastructure?
Regarding hosting infrastructure, we work with OpsOne AG in Zurich. OpsOne manages the Kubernetes infrastructure, storage, and backup for us. The hardware is housed within NTT’s Zurich 1 Data Center and the backup location DATAROCK in Nottwil (LU).