Security
      Back to home
      1. Help Center
      2. Security

      Information Security Controls

      This security overview provides a high-level overview of the security practices put in place to achieve that objective

       

      Go straight to: 

      Keeping our customers' data protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at security@web1on1.chat

      Web1on1 implements administrative, technical and physical controls over systems and data to protect their confidentiality, integrity and availability. Controls are implemented in accordance with industry and security best practices to address the appropriate level of risk. Below is a summary highlighting Web1on1’s implemented information security controls over its entire infrastructure. 

      Administrative controls

      Security Management

      Peter de Vos (CTO) ) is responsible for information security ensuring confidentiality, integrity and availability of systems and data (hereafter: Security Controls)

      • All parties working with or for Web1on1 that process personal data subject to the Data Processing Agreement are required to maintain adequate Security Controls.

      Human Resources

      • Employees/contractors acknowledge responsibility for security;

      • Employees have knowledge of security policies;

      • Employees pledge compliance with acceptable use both at hire and annually;

      • A security awareness program provides instruction on security and privacy practices.

      Policy and Standards, User Awareness

      • Security policy and standards are developed and maintained;  

      • Security policies are reviewed annually and updated as needed or required;  

      • Security policies have been devised on the following subjects: 

        • Acceptable use Policy

        • Information Classification Policy

        • Clean Desk Policy

        • Password Construction Policy

        • Password Protection Policy

        • Data Breach Policy

        • International Travel policy

        • Physical Access & Control Policy

      • Security Policies have been communicated to stakeholders;

      • Policies and procedures are in place to identify the need to assess the risk, and address use and management of emerging or disruptive technologies.

      Risk Assessment and Audits

      • Annual security risk assessment is performed to identify and prioritize threats and vulnerabilities; 

      • Data are classified in accordance with risk assessment;

      • Risk assessment of the use of new technologies or high-risk data processing activities is conducted before implementation of such technologies/ high risk data processing; 

      • Periodic compliance reviews are performed via internal audit annually;

      • Contractual compliance security audits are conducted with partners and suppliers.

      Incident Management

      • Security incident management program is implemented and integrated with overall emergency and problem management processes;

      • Data Breach policy is in place;

      • Data Breach register is in place.

      Contact with Authorities

      • In the event of a data breach which requires notification with the authorities;

      • In the event authorities request proof of compliance with applicable privacy law and regulation or demand access to Web1on1 data.

      Technical and Operational Controls

      Access

      • Proper authentication is required to access systems and data, on-site and off-site;

      • All systems containing Protected Data are only accessible through two-factor authentication and or single sign-on;

      • Authentication is issued subject to data classification and on a need-to-access basis; 

      • Authentication is issued subject to security and confidentiality undertakings;

      • Individuals are assigned unique user ids and require passwords and two-factor authentication to access applications;

      • Access logs are maintained;

      • Upon termination of employment or assignment, employees and contractors are removed immediately from access to any company services and all company-issued property is collected.

      Data Transmission

      • Appropriate data controls (access, use, destruction, etc) are implemented based on Web1on1’s data classification;

      • Secure protocols are required when appropriate;

      • IPS/IDS and firewalls are implemented to secure corporate network;

      • Use of public networks to transfer personal data is not allowed.

      Data Processing Integrity

      • Incident response, change control and problem management procedures are implemented to ensure processing integrity;

      • High availability architecture and backups are utilized and maintained for critical systems.

      Monitoring

      • Network monitoring is outsourced to a managed services provider;

      • Audit logs are maintained and reviewed for critical systems;

      • Periodic vulnerability scans and source code scans are performed by Qualis;

      • Annual penetration testing is outsourced.

      Backup

      • Backup facilities for back-up copies for contingency and disaster recovery.

      Third party risk assessment

      • Periodic vulnerability scans regarding third party services and assets. 

      Physical Controls

      Web1on1 Facility Access

      • All visitors are registered;

      • Periodic access reviews performed;

      • Workplaces have secure storage locations and policies regarding end of day individual security responsibilities.

      Data Center

      • Web1on1 data centers are outsourced; no Web1on1 personnel can access data centers.

      Equipment

      • Scheduled review and maintenance of equipment and structures is performed;

      • Issuance and configuration of user systems is standardized and centrally managed;

      • Secure equipment disposal and transfer processes are implemented.

      Infrastructure

      Cloud infrastructure

      All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Google Cloud Platform. They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here: Google Cloud Platform

      We use Google data centers in the The Netherlands and Belgium.

      Network level security monitoring and protection

      Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

      • A firewall that monitors and controls incoming and outgoing network traffic;

      • An intrusion detection and/or prevention technologies (IDS/IPS) solution that monitors and blocks potential malicious packets;

      • IP address filtering.

      DDoS protection

      We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

      Data encryption

      Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS). You can see our SSLLabs report here. Encryption at rest: All our user data (including passwords) is encrypted using battled-proofed encryption algorithms in the database.

      Data retention and removal

      We retain your usage data for a period of 90 days after your trial, or 30 days after archiving an organization. All data is then completely removed from the servers and databases.

      By default, conversation messages, results, reports and associated metadata older than 18 months are automatically and permanently deleted.  Personal information contained in contact forms is also deleted unless the visitor has re-engaged in a conversation in the meantime, although their older messages will be deleted.

      Alternatively, we allow you to set you own data retention period upon request.

      Every user can request the removal of usage data by contacting support. Read more about our privacy settings at Web1on1 - Privacy policy.

      Business continuity and disaster recovery

      We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

      Application security monitoring

      • We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach;

      • We use technologies to monitor exceptions, logs and detect anomalies in our applications;

      • We collect and store logs to provide an audit trail of our applications activity;

      • We use monitoring such as open tracing in our microservices;

      • We use telemetry in our client-side applications to monitor and improve performance.

      Application security protection

      • We use security automation capabilities that automatically detect and respond to threats targeting our apps;

      • We follow security best practices and frameworks (OWASP Top 10, SANS Top 25) when developing technical solutions.

      Responsible disclosure

      We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to participate in our bug bounty program.

      Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.

      You can report vulnerabilities by contacting security@web1on1.chat. Please include a proof of concept. We will respond as quickly as possible to your submission.

      Coverage

      • *.web1on1.chat

      Exclusions

      • https://developers.web1on1.chat/webwidget

      • https://status.web1on1.chat/

      Accepted vulnerabilities are the following:

      • Cross-Site Scripting (XSS)

      • Open redirect

      • Cross-site Request Forgery (CSRF)

      • Command/File/URL inclusion

      • Authentication issues

      • Code execution

      • Code or database injections

      This bug bounty program does NOT include:

      • Logout CSRF

      • Account/email enumerations

      • Denial of Service (DoS)

      • Attacks that could harm the reliability/integrity of our business

      • Spam attacks

      • Clickjacking on pages without authentication and/or sensitive state changes

      • Mixed content warnings

      • Lack of DNSSEC

      • Content spoofing / text injection

      • Timing attacks

      • Social engineering

      • Phishing

      • Insecure cookies for non-sensitive cookies or 3rd party cookies

      • Vulnerabilities requiring exceedingly unlikely user interaction

      • Exploits that require physical access to a user's machine

      User protection

      Account takeover protection

      We protect our users against data breaches by monitoring and blocking brute force attacks.

      Single sign-on

      Single sign-on (SSO) is available using your Google account. Other identity providers are supported as an add-on for our enterprise customers.

      Role-based access control

      Role-based access control (RBAC) is offered on all our accounts and allows our users to assign roles and permissions.

      Compliance

      GDPR

      We’re compliant to the EU General Data Protection Regulation (EU GDPR) and the UK GDPR. The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Read more about our compliance with GDPR.

      Payment information

      All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.