Security

Security culture

At Webdox, we are aware of how sensitive the information we process is. That is why our Security Map becomes stricter every year: prestigious external entities audit us, and we implement new standards and protection controls so that your experience with Webdox is as reliable as possible.

  • Webdox is ISO 27001 certified by A-LIGN.
  • Since 2019 we have an Information Security Management System defined by ISO 27001 for technological and operational systems and processes.
  • Each member of Webdox receives security training, is bound by confidentiality agreements, and follows the security policies required to perform their functions.

Compliance

Compliance with the different regulations of each area and country has led us to provide a service tailored to each company's technical and legal requirements. Webdox has implemented a Privacy Policy that details how we process your personal data, and we measure the impact of that processing in our risk assessment. We report the results to all our clients to keep them informed of the status of their sensitive data.

  • Webdox aims to be certified in 2021 under the ISO 27701 standard (Privacy and Protection of Personal Data) and ISO 27018 (security controls for processing personal data from the cloud).
  • In doing so, Webdox seeks to comply with the current Privacy and Protection of Personal Data regulations of each country, such as the GDPR (General Data Protection Regulation) in Europe and the LGPD (General Law of Protection of Personal Data) in Brazil.

Robust Architecture

Effective solutions are backed by a great strategic partner. Google Cloud Platform, jointly with other prestigious partners, provides us with all the security functionalities required by the market.

  • Webdox is a Google Cloud Partner. Our infrastructure and security build on Google's services, with high availability at every layer.
  • Cloudflare, Gitlab, and HackerOne are some of the services we use to create and improve Webdox.
  • Systems are designed for a service level objective (SLO) of 99.99%; service level agreements (SLAs) are tailored per client, generally at 99.5%.
  • Backups run every 24 hours with 30-day retention, and failover replicas are enabled to improve high availability.
  • Disaster Recovery Planning (DRP) with an RTO (Recovery Time Objective) of 1 hour and an RPO (Recovery Point Objective) of up to 24 hours.
  • All metadata at rest is encrypted using AES-256.
  • All metadata in transit is encrypted using TLS 1.2 or 1.3.
  • Webdox has tools for monitoring and raising alarms on anomalous events.
  • Backups run every 24 hours with 30-day retention, and failover replicas are activated, improving High Availability.
  • Disaster Recovery Planning (DRP) with RTO (Recovery Time Objective) of 1 hour and RPO (Recovery Point Objective) of up to 24 hours.
  • All metadata at rest is encrypted using AES 256.
  • All metadata in transit is encrypted using TLS 1.2 or 1.3.
  • Webdox has tools for monitoring and generating alarms in the event of anomalous events.

Secure Development

Webdox has a series of security features that can be integrated with your technological infrastructure at the application level. If technical support is required, our team of specialists will answer your questions. We follow the good practices published by OWASP (Top Ten) to address the most recurrent risks, and we also work directly with ethical hackers to continuously improve the application.

  • User session parameter configuration: idle time, session duration, password format.
  • Perimeter access management: access to the platform can be allowed or denied by IP address.
  • Single Sign-On (SSO) mechanisms through SAML 2.0.
  • OAuth integration through the API and the app provides robust, well-defined integrations.
  • A second factor of authentication (2FA).
  • Access and permissions are controlled by roles assigned to users.
  • Audit logs of all actions performed by users.
  • DevSecOps throughout the development cycle.
  • Each internal process is identified by a UUID, enabling better operation and auditing of the platform.

Monitoring and Deployment

Webdox periodically engages external entities specialized in cybersecurity, ethical hacking, and penetration testing to analyze any new vulnerability that may have been detected in the product.

Additionally, the Technology and Security team carries out Disaster Recovery Planning (DRP) tests for each critical system and schedules backup recovery tests every year to verify that operational continuity targets are met. These tests, together with the internal and external audits scheduled during the year, feed our continuous improvement process at both the operations and the product level.