Cerby's Security
Compliance standards
Cerby complies with third-party industry standards on security controls and customer data protection:
- SOC 2 Type II attested
- ISO 27001 (expected completion in H2 2023)
Data encryption
Cerby protects customer data against unauthorized access:
- Data-at-rest encryption with symmetric keys held in AWS KMS, using 256-bit AES-GCM authenticated encryption
- Data-in-transit encryption with certificates issued by ACM (AWS Certificate Manager), using TLS 1.2 with the HSTS policy enabled
- Certificate pinning in the Cerby mobile apps for iOS and Android
- Encryption keys protected throughout their lifecycle
Secrets management
Cerby implements security measures to protect customer secrets:
- Cloud-based encryption system
- Password generation from a random entropy source, compliant with NIST SP 800-63B
- Short-lived passwords, enforced through automation
Security testing
Cerby tests its platform to identify potential vulnerabilities and maintain the security and integrity of your data:
- Bi-annual, wide-scope penetration testing
- Monthly, module-specific penetration testing
- Bug bounty program
System design
Cerby designed its platform to protect the privacy and security of your data and ensure data availability:
- Customer data logically segregated
- Cerby platform and architecture hosted on the AWS cloud
- Customer data and encryption keys in the production environment not accessible to Cerby employees
- Alternate data hosting options and regions available to satisfy country-specific compliance programs
Coding best practices
Cerby follows development best practices to ensure high-quality code, avoid vulnerabilities, and protect your data:
- Infrastructure managed as code
- Regular AWS configuration scanning
- Automated SDLC process and QA validation
- Hardware-based keys required for every release
- Multiple code reviews for all commits and code changes
- Software composition analysis (SCA) scans of code and dependencies in the CI/CD pipeline, following DevSecOps principles
Service reliability
Cerby uses cloud infrastructure to improve reliability and follows best practices in incident management:
- Multi-region, multi-availability-zone cloud infrastructure for reliability, resilience, and fault tolerance
- Disaster recovery plan implemented as part of the SOC 2 Type II attestation and the forthcoming ISO 27001 certification (anticipated in H2 2023)
- Dedicated on-call service to triage incidents
Observability and monitoring
Cerby continuously monitors critical signals from its platform and infrastructure so it can act promptly:
- Account usage and user activity logs available to customers
- Alerting, monitoring, and logging tools for critical events and operational metrics
- Infrastructure and system performance monitoring
- Identity and access policies monitoring
Corporate security
Cerby employees and assets comply with corporate security policies:
- Regular security awareness training
- Disk encryption
- Native Google Workspace for collaboration
- SSO authentication and 2FA through the IdP for access to the Cerby platform and systems
- Endpoint management using industry-leading tools