Cerby's Security

Compliance standards

Cerby complies with third-party industry standards on security controls and customer data protection:

  • SOC 2 Type II attested
  • ISO 27001 (expected completion in Q1 2024)


Data encryption

Cerby protects customer data against unauthorized access:

  • Data-at-rest encryption with symmetric keys held in AWS KMS, using 256-bit AES-GCM authenticated encryption
  • Data-in-transit encryption with certificates issued by ACM, using TLS 1.2 with an HSTS policy enabled
  • Identity certificate pinning for the Cerby mobile apps in iOS and Android
  • Protection for the lifecycle of encryption keys


Secrets management

Cerby implements security measures to protect customer secrets:

  • Cloud-based encryption system
  • Password generation from a random entropy source, compliant with NIST SP 800-63B
  • Password ephemerality through automation


Security testing

Cerby tests its platform to identify potential vulnerabilities and maintain the security and integrity of your data:

  • Bi-annual, wide-scope penetration testing
  • Monthly, module-specific penetration testing
  • Bug bounty program


System design

Cerby designed its platform to protect the privacy and security of your data and ensure data availability:

  • Customer data logically segregated
  • Cerby platform and architecture hosted on the AWS cloud
  • Production environment customer data and encryption keys not accessible to Cerby employees
  • Alternate data hosting options and regions available to satisfy country-specific compliance programs


Coding best practices

Cerby follows development best practices to ensure high-quality code, avoid vulnerabilities, and protect your data:

  • Infrastructure managed as code
  • Regular AWS configuration scanning
  • Automated SDLC process and QA validation
  • Hardware-based keys required for every release
  • Multiple code reviews for all commits and code changes
  • Software composition analysis (SCA) scans of code and dependencies in the CI/CD pipeline, following DevSecOps principles


Service reliability

Cerby runs on cloud infrastructure to improve reliability and follows best practices in incident management:

  • Multi-region, multi-availability-zone cloud infrastructure for reliability, resilience, and fault tolerance
  • Disaster recovery plan implemented as part of the SOC 2 Type II attestation and the forthcoming ISO 27001 certification anticipated in H2 2023
  • On-call service dedicated to incident triage


Observability and monitoring

Cerby continuously monitors critical signals from its platform and infrastructure so it can take prompt action:

  • Account usage and user activity logs available to customers
  • Alerting, monitoring, and logging tools for critical events and operational metrics
  • Infrastructure and system performance monitoring
  • Identity and access policies monitoring


Corporate security

Cerby employees and assets comply with corporate security policies:

  • Regular security awareness training
  • Disk encryption
  • Native Google Workspace for collaboration
  • SSO authentication with 2FA through the IdP for access to the Cerby platform and systems
  • Endpoint management using industry-leading tools