HOW DO WE KEEP YOUR DATA SECURE?
An overview of data security and related measures implemented at Vizzlo
Last updated: 2019-10-22
The privacy of our customers and the security of any documents you create using our tools are of utmost priority to us. From the technology used to encrypt our network connections, to our operations procedures, the engineering processes and tools, or the way we share information with employees and external services: in everything we do, we constantly monitor and improve our processes from a security standpoint.
This document highlights the different layers of protection we work on as part of Vizzlo’s architecture to ensure your data stays yours.
Where Is Your Data Stored?
Depending on how you are using Vizzlo, there are multiple options for where you can store your visualization data:
If you are using the Vizzlo web application (vizzlo.com) to create your charts and business graphics, the visualizations and underlying data are stored in Vizzlo’s cloud storage system by default. If you are using the Vizzlo desktop applications for Mac or Windows, access to the Vizzlo cloud is optional.
All the security measures listed in this document apply to all data related to the Vizzlo cloud.
Third-Party Cloud Storage Integrations
As an alternative to using Vizzlo’s cloud for document storage, the Vizzlo web application allows you to connect to third-party cloud storage providers like Box, Dropbox, Google Drive, and Microsoft OneDrive. When using any of these storage providers in conjunction with the Vizzlo web application, all the data related to the documents you create is stored on the third party’s system and only ever transmitted to Vizzlo’s systems when needed (i.e. when you are editing the document with the Vizzlo web application, or when generating a thumbnail for a folder overview).
If you are using the Vizzlo desktop application for Windows or Mac, newly created documents are stored locally on your machine by default. When using the desktop application and working with Vizzlo files (.vzl), your data will never be transmitted to Vizzlo’s cloud systems at all.
Vizzlo for Windows’ PowerPoint Integration
Vizzlo Desktop for Windows integrates tightly with Microsoft PowerPoint. When using Vizzlo charts on PowerPoint slides, the visualization and underlying data are stored only within the PowerPoint presentation file.
Physical and Environmental Security
All your data is stored in highly secure data centers in Europe, run by Amazon Web Services (AWS). Data center access is limited to a few selected technicians and not even possible for Vizzlo staff. AWS’ data centers are equipped with state-of-the-art fire suppression, power and climate controls.
The physical data center security is audited by EY (see AWS SOC3 Report). Furthermore, AWS is, among others, certified for and/or compliant with the following certifications, programs and attestations: CJIS, DoD SRG Levels 2 and 4, ISO 9001, ISO 27001, ISO 27018.
For more information regarding the security measures Amazon takes, please consult the AWS security center at https://aws.amazon.com/security/
Vizzlo’s architecture is based on AWS’ world-class network infrastructure that is carefully monitored and managed. Among others, the AWS network implements the following security features:
- Segregated and monitored network infrastructure that prevents unauthorized access from penetrated systems
- Firewalls for security monitoring on all external boundaries and major internal boundaries within the network
- FIPS 140-2 compliant secure access points
- State-of-the-art man-in-the-middle detection systems
A certified DDoS mitigation system is used to ensure that your data stays accessible to you under all circumstances.
All core components are deployed in a load-balancing failover configuration. In case of failure, automated processes move your data away from the affected systems.
The network security-level certificates applicable here are: Cyber Essentials ‘Plus’ badge, FIPS 140-2, ISO 9001+27001+27018, MTCS Tier 3.
Vizzlo’s systems utilize highly customized versions of the Xen and KVM hypervisors, enabling paravirtualization for Linux hosts. Paravirtualization enables strict instance isolation and provides a higher security separation between instances on the same hardware. A firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface, providing maximum protection against attacks from inside the network.
As hypervisor guest systems, patched and hardened versions of the Linux operating system are used for the application, web, and database servers. Administrative access to these systems is only possible using public key authentication. All outside communication of these systems, as well as internal communication between those systems, is encrypted using transport-level security at all times.
At Vizzlo, we regularly evaluate our application against the most critical web application security risks, a list that is published and kept up-to-date by the Open Web Application Security Project (OWASP) Foundation. The current list of measures contains protection against: Code/SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE) attacks, Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring.
Document Visibility and Access Control
Being a SaaS product, Vizzlo’s cloud environment is a multi-tenant solution with all customers sharing the same application, web, database, and storage server instances on the same physical infrastructure.
Access to all user data is safeguarded by the use of an access control list (ACL) implementation as part of the application server layer. Like the rest of the product, this software component is part of the regular evaluation against the OWASP security risks and is continuously tested for regressions using unit tests, integration tests, and end-to-end tests.
By default, all documents and folders created by our paying users are visible to their owner alone. Only the original owner of a document or folder can grant other users the right to view, modify, delete, or even discover it (that is, to know that a document exists at a specific URL).
Data Security and Backups
Vizzlo makes use of the following Relational Database Service (RDS) features to ensure data security at all costs: Multi-AZ hosting is used for the application, web, and database layers to protect against complete data center outages. Vizzlo database instances are automatically software patched by RDS and isolated from other database instances using the same isolation measures described above.
Automatic database snapshots are taken and stored securely in AWS’ block storage system for a maximum of seven days to allow for rolling back in case of software or configuration errors. Access to these backups is restricted to Vizzlo management only.
A comprehensive audit log (login/access/update events) is stored externally from our services for 90 days to provide detailed access information for data theft or sabotage investigations.
All data exchanged with Vizzlo is always transmitted over TLS using only state-of-the-art, secure cipher suites. This is also true for the communication between different machines inside our network. Vizzlo makes use of HTTP Strict Transport Security to protect against protocol downgrade and cookie hijacking attacks. Our software takes active measures against known web application vulnerabilities, like cross-site scripting and cross-site request forgery.
No Vizzlo employee will ever access your data unless required for support reasons. Support staff does not have the ability to sign into your account, edit your documents, or even view your documents if they are marked as private.
Passwords are stored in the database as one-way hashes computed with the ‘bcrypt’ algorithm, which is the state-of-the-art protection against brute-force attacks and rainbow-table attacks. Login credentials are, like all communication with our systems, always sent over encrypted connections. No passwords are ever logged on our systems.
Credit Card Security
Your full credit card information is never seen by, nor stored on, Vizzlo’s systems at any time. Only our billing & invoicing service, as well as the selected payment processing gateway, will ever be able to see and store your cardholder data to make recurring transactions. To protect our customers’ data, we only work with partners that have been audited by a PCI-certified auditor and are certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To learn more about the PCI compliance of our partners, please see: https://www.chargebee.com/security/ and https://stripe.com/docs/security/stripe
Do you have questions or comments about Vizzlo security? Please get in touch with your representative or reach out to our support team at https://vizzlo.com/feedback