Security
Our white paper about security at Algoreg
Our products have been securely developed following our SPLC (Secure Project Life Cycle) program, using state-of-the-art security techniques and the latest technologies.
Software and access control
Only authenticated users can read and edit content created in our products; the access level is determined by clear RBAC roles defined in Users management.
Non-authenticated users can push data to the system only in the context of Go!Vid sessions.
Any uploaded document (in the context of Go!Vid or elsewhere) is scanned for viruses with an anti-virus that is updated daily. Of course, we still recommend that you do not open suspicious documents that were uploaded to Algoreg.
Data encryption
Communication with the Algoreg products uses HTTP Strict Transport Security (HSTS) and supports the TLS 1.3 protocol. All internal communications with middleware such as databases use TLS as well. Databases and documents are encrypted at rest at all times.
Infrastructure
Our SaaS (Software as a Service) infrastructure is deployed using Algoreg's cloud provider based in Europe: AWS (Amazon Web Services).
Data is encrypted at rest and in transit for external and internal communication. Each environment has a dedicated VPC, and every Algoreg service has network access restricted to its exact needs.
The Algoreg technical team and programmatic users have traceable and scoped access to the infrastructure at all times.
Data lifecycle, traceability and GDPR
All data generated at Algoreg are stored and versioned to ensure that we can explain any action or result happening in our products. We never delete any data stored in our databases.
There are a few exceptions to this rule:
- Files uploaded to our customer document manager can be deleted. We keep a record of who deleted the file and when it was deleted, but the content of the file itself is deleted forever. The same happens if a file's content is changed, in which case the previous content is lost.
- As we are compliant with the GDPR, we can define with you rules to remove the personal data of Go!Vid sessions after a defined amount of time. We then keep only the score and the session-related Enhanced Due Diligence (EDD).
Backups
We generate a full backup of our database on a daily basis, on redundant, encrypted and access-controlled storage. We keep our backups for 2 days for quick recovery in case of a major outage.
We have defined and tested a procedure that, in case of a major outage, allows us to get the system entirely back in 48h and partially back in 24h.
Vulnerability management and contact
We use patch alerting systems to monitor our external dependencies and identify any potential vulnerabilities. This helps us stay up-to-date and protect our systems from potential security risks.
If you see a potential vulnerability in our systems, do not hesitate to contact us. If you would like to encrypt your message, we provide a PGP key below for that purpose. Please contact us if you would like to be invited to our HackerOne bug bounty program.
PGP encryption
When sending a file to our systems (for instance to initiate your customer database) or when communicating with us, you can use either:
- A client-specific public PGP key, which you need to request from us
- The following public PGP encryption key