Auditflow.io is fully secure.

Your security and privacy are our top concern. Auditflow.io strives to keep your data secure across all our services.

The safety and security of your data is our top priority. The following is a summary of the actions and policies intended to keep your data safe with Auditflow.io. Have questions or feedback? Reach out to us at security@auditflow.io.

Reliable in every aspect

Auditflow.io uses Microsoft Azure to manage user data. All data is stored redundantly and backed up automatically. Our server architecture and network connectivity are fully redundant, so Auditflow.io stays accessible even if a hardware component fails. We maintain more than 99.6% uptime, which guarantees service continuity and offers quality assurance.

Infrastructure

Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Microsoft Azure, which provides strong security measures to protect our infrastructure and holds most industry compliance certifications. You can read more about their practices here.

Data center security

Microsoft designs, builds, and operates data centers in a way that strictly controls physical access to the areas where your data is stored. Microsoft understands the importance of protecting your data and is committed to helping secure the data centers that contain it. Microsoft has an entire division devoted to designing, building, and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.

Microsoft Azure runs in data centers managed and operated by Microsoft. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff, who have years of experience in delivering the world’s largest online services with 24x7 continuity.

Physical Security

Azure builds data centers in clusters in various countries around the world. Auditflow.io’s data (including backups) is stored solely in the Netherlands. Azure is fully compliant with all applicable EU data protection laws.

Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network to prevent unauthorized access using:

  • A firewall that monitors and controls incoming and outgoing network traffic
  • An Intrusion Detection and/or Prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets
  • IP address filtering
  • DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services.

Data Encryption

  • Encryption in transit: All data sent to or from our infrastructure is encrypted in transit following industry best practices via Transport Layer Security (TLS). View our SSLLabs report here.
  • Encryption at rest: All user data (including passwords) is encrypted using battle-tested encryption algorithms.

Data retention and removal

We retain usage data for a period of 120 days after customer trials. All data is then completely removed from the dashboard and server. Every user can request the removal of usage data at any time by contacting support. Read more about our privacy policy.

Application security monitoring

We utilize technology to protect the privacy of our users and our website:

  • Security monitoring that provides application security visibility, identifies attacks, and lets us respond quickly to potential data breaches
  • Exception and log monitoring to detect application anomalies
  • Log collection and storage to provide an audit trail of application activity
  • OpenTracing and other monitoring in our microservices

Application security protection

Auditflow.io utilizes security protection technologies and systems including:

  • A runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time
  • Security headers that protect users from attacks
  • Security automation that automatically detects and responds to threats targeting our apps

Data Privacy and Usage 

Auditflow.io maintains all data within EU borders. We only use customer data to provide requested services. Data is not sold, rented, or disclosed to third parties in any way. We don’t mine or access data for advertising purposes.

Data Ownership

Any data remains the property of the original provider. Auditflow.io does not delete data without providing notice and the opportunity to export.

Business continuity and disaster recovery

Auditflow.io backs up all critical assets on a schedule with a maximum 24-hour RTO and RPO. Backups are regularly tested to ensure fast recovery in case of disaster. All backups are encrypted.

Protected connections

All connections to websites or services are protected via encrypted connections using Transport Layer Security (TLS, the successor to the Secure Sockets Layer (SSL) protocol). Auditflow.io uses TLS-encrypted connections by default, the same level of encryption used by financial institutions to secure online banking transactions. Encryption is used on both external and internal connections, so sensitive information is never sent or received as readable text. Auditflow.io ensures a clear separation of data between customers.

Secure development

Our developers follow security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following practices to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • Code is regularly reviewed for security vulnerabilities
  • Dependencies are regularly updated to prevent known vulnerabilities
  • Static Application Security Testing (SAST) is used to detect basic security vulnerabilities in our codebase
  • Dynamic Application Security Testing (DAST) is used to scan our applications
  • Third-party security experts perform application penetration tests on a quarterly basis

Responsible disclosure

We encourage everyone to practice responsible disclosure. Our bug bounty program offers rewards at our discretion, depending on the criticality of the reported vulnerability. It is available to individuals who comply with our policies and terms of service. Please avoid automated testing. Only perform security testing with your own data. Please do not publicly disclose any information regarding the vulnerabilities until we fix them.

Contact security@auditflow.io to report vulnerabilities. Please include a proof of concept. We will respond to your submissions as quickly as possible. We won’t take legal action if you follow the rules.

Coverage:

  • *.auditflow.io

Exclusions:

  • www.auditflow.io

Accepted vulnerabilities are the following:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-Site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

This bug bounty program does NOT include:

  • Logout CSRF
  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user’s machine

User protection

Account takeover protection – We monitor for breaches and actively block brute-force attacks.

Role-based access control – Users can define roles and permissions on all accounts (role-based access control, RBAC).

Employee access

Auditflow.io maintains a strict internal policy to prevent any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support. All employees sign a non-disclosure and confidentiality agreement when joining the company.