Security Policy
Chapter One: Introduction
1.1 Purpose
This Security Policy is established to protect user data, ensure system integrity, and prevent unauthorized access, thereby enhancing user confidence in our services. It serves to demonstrate our commitment to security and outlines the measures we implement to safeguard digital and physical assets against potential threats. Prioritizing data privacy and network security, this document details our protocols designed to uphold these standards.
1.2 Scope
This policy applies universally to all our operations involving digital project uploads and rendering services at our datacenters. It encompasses all datacenter operations and physical infrastructures where user data is handled, processed, or stored. The guidelines within this policy cover every aspect of security from data entry to final data deletion and are designed to ensure comprehensive protection across all platforms and interactions.
1.3 Responsibility
1.3.1 Security Teams and Staff Responsibilities
- Global Security Team: This team is tasked with monitoring for security breaches and potential threats. Their role is crucial in maintaining our high standards of security by providing timely warnings and actions against any detected vulnerabilities.
- IT Staff: Our IT personnel are rigorously trained and are key enforcers of this security policy. They are responsible for implementing and maintaining our security infrastructure and responding to security incidents.
- Data Handling Staff: A select group of trained employees has access to user data. These individuals are well-versed in our security protocols and adhere strictly to this policy to ensure the highest levels of data privacy and integrity.
1.3.2 Oversight and Compliance
- Security Oversight: Multiple internal and external parties are involved in overseeing our security operations. This includes the Head of Security at our datacenter and security staff stationed at physical locations.
- External Partners: The Digital Trust Center, a governmental body, collaborates with Global-E and other external agencies to oversee and ensure compliance with established security standards. Their involvement provides an additional layer of assurance and oversight, contributing to robust security governance.
1.4 Conclusion
By setting forth this Security Policy, we reaffirm our commitment to securing our clients' data and our systems. The collaborative effort between various teams and external partners underscores our holistic approach to security and compliance. This policy is a living document and will be reviewed and updated regularly to adapt to new security challenges and technological advancements.
Chapter Two: User Access Control
2.1 Authentication Methods
Physical Access:
- Access to the datacenter is restricted to authorized personnel using a multi-factor authentication process involving a digital key, biometric (fingerprint) scanning, and a PIN for machine rack access. This stringent process ensures that only authorized staff can enter and interact with critical infrastructure.
Network Access:
- Remote access to machines is safeguarded through a security password and an additional password on the master machine, ensuring that only designated personnel can control these systems remotely.
Compliance and Security Checks:
- All security systems are routinely checked and certified by the Dutch Data Center Association to meet the highest security standards, with regular audits conducted monthly.
2.2 Authorization Levels
Access Privileges:
- Access levels within the company are strictly defined based on the employee's role, ensuring individuals have only the necessary privileges to perform their duties. This is controlled through password protection and logical access controls to sensitive data and servers.
2.3 Account Management
Control Over Accounts:
- Only two high-level employees have the authority to create or delete accounts, providing tight control over access credentials.
- An internal review and approval process is mandatory for all new account setups or modifications to existing accounts.
2.4 Access Review and Revocation
Routine Checks:
- User access rights are reviewed annually in conjunction with employee performance evaluations to ensure access levels remain appropriate.
- Access is promptly revoked when no longer needed, or if a security risk is identified, to maintain a secure IT environment.
2.5 Remote Access
Remote Work Capabilities:
- Specific team members have remote access capabilities; developers can access the website's database hosted on Amazon AWS, and support staff can access the master computer in the datacenter.
- All remote access is secured with two-factor authentication (2FA), providing an additional layer of security.
2.6 Monitoring and Logging
Activity Logs:
- Changes to the website and database are tracked using Git, allowing comprehensive oversight of modifications by the Head Developer.
- Remote access sessions to the master computer are logged through our remote access software, with logs maintained for three months to aid in audits and security reviews.
Conclusion
This chapter outlines our rigorous User Access Control protocols designed to safeguard against unauthorized access and ensure that personnel are granted only the access necessary for their role. Through regular audits, compliance checks, and continuous monitoring, we uphold the integrity of our security infrastructure and protect sensitive data and systems.
Chapter Three: Data Security
3.1 Data Encryption
Protocols and Standards:
- All user projects and associated data are encrypted using OpenSSL with AES-256 and 2048-bit RSA. This applies to data both in transit and at rest, providing a robust shield against unauthorized access.
- Uniform encryption practices are maintained across all stages of data handling, ensuring consistent security from upload to storage.
3.2 Data Retention and Deletion
Retention Policy:
- All data, including 3D project files and rendered outputs, is retained on our systems for a maximum of 7 days to facilitate user access and efficiency in re-uploads and downloads. This is managed through our synchronized system architecture.
- Automated backend processes are configured to delete all data after the 7-day retention period, ensuring compliance with our data governance policies.
Secure Deletion Practices:
- Data deletion is carried out using reliable mechanisms within our central NAS, which is configured in a RAID 10 setup that also minimizes the risk of data loss due to hardware failures. Once deleted from the NAS, the data is irrecoverably removed, maintaining data privacy and security.
3.3 Backup and Recovery
Backup Protocols:
- Daily backups of the entire backend system are performed, which include all active render jobs, user data, credits, and system settings. These backups are stored on a separate network disk and also synced with Amazon Cloud for additional security.
- The website and its database are similarly backed up daily on Amazon Cloud. Notably, individual project files and user outputs are not included in these backups to prevent excessive data storage and maintain user data confidentiality.
Disaster Recovery:
- Our comprehensive backup strategy enables swift recovery from various scenarios, including hardware malfunctions and data corruption.
- Regular testing of the disaster recovery plan occurs monthly, ensuring its effectiveness and our ability to promptly restore operations without significant data loss.
Conclusion
This chapter outlines the stringent data security measures we employ to protect user data from unauthorized access and data breaches. Through consistent encryption, careful data management, and proactive recovery planning, we strive to maintain a secure and trustworthy environment for all our users.
Chapter Four: Network Security
4.1 Firewalls and Intrusion Detection Systems
Firewall Implementation:
- Multiple layers of firewall protection are deployed across our network, including hardware-based firewalls on all machines and additional software firewalls within our systems. This robust configuration ensures that only authorized files and data can enter our network.
- Our systems are specifically configured to only accept file types that are part of a 3D project, significantly reducing the risk of malicious file uploads.
Intrusion Detection Systems (IDS):
- We utilize a proprietary IDS that scrutinizes all incoming files for compliance with our security standards. Any file whose extension is not pre-approved is automatically removed to prevent potential security breaches.
- This system is capable of identifying and eliminating scripts and executables that could be harmful, with all operations managed and regularly updated by our skilled backend developers.
4.2 Secure File Transfer
Protocols and Encryption:
- Secure file transfers are facilitated using HTTPS and FTPS, using OpenSSL with AES-256 and 2048-bit RSA to safeguard data in transit.
- This stringent encryption setup ensures that all data, whether incoming or outgoing, is robustly encrypted using contemporary security protocols.
4.3 Network Monitoring
Monitoring Tools:
- Our network is constantly monitored by an advanced backend system that not only tracks all data transfers but also assesses the security of files both pre- and post-upload. This system is designed to detect and respond to any signs of unauthorized access or potential security threats.
Operational Procedures:
- Upon detection of any anomaly or suspicious activity, our system automatically initiates security protocols to isolate and mitigate potential threats. This proactive approach allows us to maintain high security standards and react quickly to potential issues.
4.4 Response to Anomalies
Incident Handling:
- If a potential security threat is detected, the issue is immediately escalated to our security team. The team follows a structured incident response protocol which includes assessment, containment, eradication, and recovery phases to effectively manage and resolve the situation.
- Responsibility for overseeing this process lies with our security team leaders, who coordinate response efforts and ensure that all security breaches are handled swiftly and efficiently.
Conclusion
This chapter details the sophisticated network security measures we have in place to protect against unauthorized access and cyber threats. Through continuous monitoring, rigorous encryption, and proactive threat detection, we aim to provide a secure operating environment for all our users and safeguard their data against potential security violations.
Chapter Five: Physical Security
5.1 Datacenter Security
Physical Access Controls:
- Access to the datacenter is controlled through a multi-factor authentication system that includes a digital key, biometric (fingerprint) scanning, and a PIN for specific areas like machine racks. This stringent process is designed to ensure that only authorized personnel can access sensitive areas, effectively safeguarding critical infrastructure against unauthorized entry.
System Integrity and Tamper-Proofing:
- All access control systems are regularly tested and updated to maintain their operational integrity and to prevent tampering. Regular audits and checks are performed to ensure that these systems meet the latest security standards and are resistant to physical and digital tampering efforts.
5.2 Security Personnel
Roles and Responsibilities:
- Security personnel at the datacenter are responsible for monitoring physical access, conducting regular security patrols, and responding to security alerts. Their duties also include maintaining the security of the physical site and managing emergency situations as they arise.
Contractual Employment:
- The security staff are contracted through Global-E, our datacenter partner, ensuring that all personnel are highly trained and meet our stringent security requirements. This arrangement allows for specialized security expertise and flexible staffing solutions.
5.3 Environmental Controls
Safety and Protection Systems:
- Our facilities are equipped with state-of-the-art HVAC systems and advanced fire suppression technologies to protect against environmental hazards. These systems are critical for maintaining optimal conditions within the datacenter and for protecting hardware from damage due to temperature fluctuations or fire.
Maintenance and Testing:
- These environmental control systems are subjected to rigorous maintenance and testing schedules to ensure they are always functional. Regular checks and updates are conducted by certified technicians to uphold safety standards and to prevent any failures during critical operations.
5.4 Hardware Security
Securing Sensitive Equipment:
- Sensitive hardware such as servers and storage devices is housed in secured enclosures with restricted access. These enclosures are equipped with locking mechanisms that require authorization for access, minimizing the risk of physical tampering.
Dedicated Security Zones:
- Critical hardware areas are designated as high-security zones within the datacenter. Access to these zones is limited to a small number of authorized personnel and is monitored by CCTV systems to ensure that unauthorized access or tampering does not occur.
5.5 Surveillance and Monitoring
Surveillance Systems:
- Comprehensive CCTV systems and motion detectors are installed throughout the datacenter and other critical locations to monitor for any unusual activity. These surveillance tools play a key role in our security strategy by providing real-time monitoring of physical movements.
Data Management and Privacy:
- Surveillance footage is carefully monitored and stored in secure locations with restricted access. Data privacy protocols are strictly followed to ensure that all surveillance data is handled responsibly and ethically, with footage being used solely for security purposes.
Conclusion
Chapter Five outlines the robust physical security measures in place at our datacenter and associated facilities. Through rigorous access control, dedicated security personnel, advanced environmental protections, and comprehensive surveillance, we strive to maintain a secure and safe environment for all our operations.
Chapter Six: Incident Response
6.1 Incident Detection and Analysis
Detection Tools:
- Our security infrastructure includes advanced firewall technologies and proprietary backend software designed to detect unusual activities and potential security threats. These tools are integral to our proactive monitoring strategy.
Operational Protocols:
- The tools are configured to analyze network traffic and system activity for anomalies that could indicate a security incident. Automated alerts are generated based on predefined criteria such as unusual access patterns or unauthorized attempts to access sensitive data.
Roles and Responsibilities:
- The Head of Security oversees the monitoring of detection tools and is responsible for the initial assessment of alerts. Upon detecting a potential incident, they are tasked with escalating the situation according to the severity and potential impact on our operations.
6.2 Response Strategy
Immediate Actions:
- Upon identification of a security incident, immediate actions include isolating affected systems to prevent further damage and assessing the scope and impact of the breach. These initial steps are crucial for containing the incident and mitigating any adverse effects.
Incident Classification:
- Incidents are classified according to their severity, which helps in prioritizing our response efforts and allocating resources effectively. This classification is based on the potential impact on our business and the sensitivity of compromised data.
Communication Procedures:
- Key personnel within IT and senior management are promptly notified about the incident through encrypted communication channels to ensure confidentiality and swift action.
- External communications, if necessary, are handled by a designated spokesperson to ensure consistent and accurate messaging to stakeholders and the public.
6.3 Recovery and Post-Incident Analysis
Recovery Operations:
- System recovery is initiated immediately, with predefined procedures to restore operations within 30 minutes for software-related issues, thanks to our robust backup systems. Hardware issues are addressed by replacing affected components with ready-to-deploy spares.
- Recovery time objectives (RTOs) are set at 30 minutes during working hours, ensuring minimal disruption to our services.
Post-Incident Review:
- Following a security incident, a thorough analysis is conducted to determine the root cause and evaluate the response efficacy. This review involves key members from our security and IT teams.
- Lessons learned from the incident are integrated into our ongoing security strategy to enhance our resilience and response capabilities for future incidents. Adjustments may include updates to our security protocols, training for personnel, and improvements in our monitoring and detection systems.
Conclusion
Chapter Six describes our comprehensive approach to incident response, from initial detection to recovery and post-incident analysis. By maintaining strict protocols and a well-coordinated response team, we ensure rapid containment and resolution of security incidents, minimizing potential impacts and continuously improving our security posture.
Chapter Seven: Compliance and Auditing
7.1 Regulatory Compliance
Adherence to Legal Standards:
- Our operations are fully compliant with the General Data Protection Regulation (GDPR), ensuring the highest standards of privacy and data protection for our users. We conduct regular reviews of our compliance measures to keep up with any changes in the law.
Compliance Measures:
- To guarantee compliance, we implement strict data handling and processing protocols, which are regularly reviewed and updated. These include securing user consent for data processing, ensuring data minimization, and maintaining transparency about data use.
Data Protection Oversight:
- The role of overseeing data protection standards and compliance is integrated within the responsibilities of our Head of Security. This ensures that our data protection efforts are aligned with our broader security policies.
7.2 Security Audits
Audit Frequency and Scope:
- Security audits are conducted quarterly to ensure that all aspects of our security infrastructure meet or exceed industry standards. These audits are a mix of internal reviews conducted by our own audit team and external evaluations handled by independent auditors.
- Audits comprehensively cover network and data security, physical security measures, and compliance with privacy laws.
Audit Execution:
- Our audit procedures involve systematic checks of all security systems and controls. This includes reviewing access logs, testing security protocols, inspecting physical security measures, and assessing compliance with data protection regulations. The thoroughness of these audits helps in identifying and mitigating any potential security vulnerabilities.
7.3 Penetration Testing
Testing Frequency and Areas:
- Penetration testing is performed monthly to proactively identify and address vulnerabilities. These tests primarily focus on evaluating the security of our web applications and network infrastructure.
Vulnerability Management:
- Findings from penetration tests are immediately escalated to our security team, who prioritize the remediation based on the severity of the vulnerability. This rapid response ensures that potential security issues are addressed promptly and effectively.
- A detailed action plan is developed for each identified issue, and progress on remediation efforts is closely monitored by the Head of Security. This systematic approach helps in strengthening our defenses and reducing the risk of security breaches.
Conclusion
Chapter Seven outlines our rigorous compliance and auditing practices, which are fundamental to maintaining high standards of security and data protection. Through regular audits, proactive penetration testing, and strict adherence to legal requirements, we continuously enhance our security posture and ensure compliance with all applicable laws.
Chapter Eight: User Education and Awareness
8.1 Training Programs
Training Content and Frequency:
- Our security training programs are comprehensive and mandatory for all employees, covering topics such as data protection, incident response procedures, and safe internet practices. These training sessions are held annually to ensure that all team members are updated on the latest security protocols and threats.
Training Formats:
- Given our team's size and structure, training is typically delivered in the form of in-person meetings and presentations. This format allows for interactive discussions and immediate feedback on complex topics, facilitating a deeper understanding of the material presented.
8.2 Security Updates
Information Dissemination:
- Security information is primarily communicated through personal communications or during scheduled meetings where security updates and policies are a standing agenda item. This approach ensures that all team members are informed and can discuss new threats or changes in policies in real-time.
Regular Updates:
- During these meetings, we also discuss recent security threats and any relevant updates to our security strategies. This regular review helps maintain a high level of awareness and preparedness among our staff.
8.3 Engagement Strategies
Maintaining Engagement:
- Our approach to engaging staff in security matters is integrated into their professional development. By recruiting highly trained professionals and fostering a culture of continuous improvement, we ensure that security remains a priority for all employees without the need for additional enforcement or engagement strategies.
Conclusion
Chapter Eight outlines the strategies we employ to educate our team and keep them informed about security practices and threats. Through annual training sessions and regular, detailed discussions at team meetings, we ensure that every team member is knowledgeable and vigilant about maintaining our high standards of security.
Chapter Nine: Software and Application Security
9.1 Development Security
Security Practices in Development:
- Our development team adheres to best practice security protocols throughout the software creation process. This includes secure coding practices to prevent common vulnerabilities and regular code reviews to ensure quality and security.
Integration of Security in SDLC:
- Security is a foundational aspect of our software development lifecycle. Although formal security audits are reserved for major changes, ongoing informal reviews and discussions about security occur at all stages of development, involving all relevant personnel.
9.2 Patch Management
Patch Management Procedures:
- Patch management is a critical function performed by our IT staff, focusing on keeping all network components, datacenter hardware, and software applications up to date. Patches for our proprietary software are developed continuously as vulnerabilities are identified, ensuring rapid deployment and minimal risk.
- Our approach ensures that all systems, including operating systems like Windows, are updated at regular intervals (every two months for OS patches) and more frequently as needed for critical vulnerabilities.
9.3 Response to Vulnerabilities
Vulnerability Management:
- When vulnerabilities are discovered, they are promptly addressed by our development team. A structured process is in place to develop, test, and deploy patches efficiently to mitigate any potential security risks.
9.4 Application Security
Proactive Security Measures:
- To protect our applications from external threats, we implement several security measures, including the use of Web Application Firewalls and rigorous security testing routines.
- Applications are continuously monitored for signs of security breaches, and potential threats are addressed immediately to prevent any exploitation.
9.5 Security Testing
Testing Protocols:
- Our security strategy includes comprehensive testing such as penetration testing and vulnerability scanning to identify and address potential security issues before they can be exploited.
- These tests are conducted regularly, ensuring that our applications remain secure against evolving threats.
Conclusion
Chapter Nine details the stringent measures we take to ensure the security of our software and applications. From rigorous development protocols and continuous patch management to proactive monitoring and regular security testing, we are committed to maintaining the highest standards of software security.