Constant vulnerability testing, including during code development and from third party security firms.
Hosted by Amazon Web Services (AWS), taking full advantage of Amazon’s security and infrastructure capabilities.
Security Policy, Security Practices, Incident Response and Acceptable IT Use documentation available for review.
What if there is a problem with Tribal Habits?
Tribal Habits availability is consistently above 99.99%. Customer data is backed up daily allowing a point in time restore for our back-end databases in the event of disaster recovery. If we ever have a customer-impacting situation, we will make you aware of it via emails to portal administrators and keep you continually updated. Our status page (status.tribalhabits.com) is also continuously updated with incident responses, as well as planned outages.
Does Tribal Habits monitor its systems and software?
Yes. The application and infrastructure behaviour of Tribal Habits is monitored using multiple solutions, including Amazon Web Services (AWS) CloudWatch alarms, New Relic infrastructure monitoring and Rollbar error reporting for both server and client errors. Our status page (status.tribalhabits.com) provides real-time reporting on key infrastructure. We also utilise Amazon GuardDuty, which uses machine learning techniques for continuous monitoring of unauthorised access to our servers and APIs.
Does the Tribal Habits platform contain system redundancy?
Yes. Every part of the Tribal Habits platform is distributed across multiple instances and availability zones within the Amazon Web Services (AWS) infrastructure. Databases, application servers, web servers, jobs servers, and load balancers as well as backend support services all have multiple failover instances to prevent outage from single points of failure.
Can I use SSL (TLS) on my Tribal Habits portal?
Yes. All communication to and from Tribal Habits servers uses HTTPS, which both encrypts all communications to maintain privacy and provides a guarantee of Tribal Habits server authenticity. The SSL/TLS certificate is a SHA-2 certificate using a full 2048-bit key, issued by DigiCert, a trusted certificate authority.
Is my Tribal Habits portal protected by a network firewall?
Yes. Tribal Habits utilises a combination of tools to protect the Tribal Habits infrastructure. First, network-level firewalling is used to restrict direct access to our AWS servers to specified IP addresses. Second, we utilise a Web Application Firewall (WAF) through AWS. Our WAF rules are maintained by recognised, industry-leading security groups to block known malicious websites, bots and scrapers. In addition, AWS has significant built-in Distributed Denial of Service (DDoS) prevention measures to protect all Tribal Habits portals from attacks. We utilise a variety of real-time monitoring to alert us to any unexpected data usage and have the ability to add server instances in response to unexpectedly high server usage.
Does Tribal Habits incorporate security into software development?
Yes. Tribal Habits code is high quality from conception to deployment. We use automated static code analysis (Brakeman Security Scanner) alongside human review to ensure development best practices are implemented across code pushes. Responsive software development means new features, resiliency improvements, and bug fixes arrive weekly (often daily), and seamlessly.
How is customer data stored and backed up?
Within the Tribal Habits platform, customer data is stored in a secure Amazon RDS database. This customer database is backed up daily and each backup is retained for 35 days. These backups can be used for disaster recovery purposes by Tribal Habits (whole-system restore). Where a client requests a backup of their own data from a point in time (e.g. they deleted something and now want it back), we cannot guarantee this will be possible at all times if our platform/database has since been upgraded or changed structure.
How does Tribal Habits separate customer data?
Tribal Habits organisations are ‘walled’ from each other. Each organisation has its own subdomain for accessing Tribal Habits. Users can log in only via their own subdomain and are blocked from accessing any other subdomains. All content created by users in an organisation is only visible to other users of the same organisation. All URLs are authenticated against the user’s organisation, preventing anyone from sharing URLs with people outside their organisation.
Is the use of live data for system and application testing forbidden?
Yes. We only use dummy data for our testing and preview environments.
How are Tribal Habits servers hosted?
The Tribal Habits platform is run on fault-tolerant servers at Amazon Web Services (AWS). Our servers at AWS are backed by UPS electricity supply, 24-hour monitoring of electrical, mechanical and life support systems, automatic fire detection and suppression equipment, climate-controlled environments, and NIST 800-88 destruction techniques for decommissioned storage devices. Our servers at AWS are hosted in multiple availability zones in each location, with each availability zone physically separated from the others to minimise the risk of concurrent physical impacts on servers.
Where is Tribal Habits customer and user data stored?
All customer data, with the exception of video data, is stored on AWS servers and databases located in Sydney, Australia. Video data is stored in a dedicated third-party video hosting environment and distributed by Tier 1 CDNs located globally. All video data has restricted access (cannot be downloaded; can only be viewed within the secure Tribal Habits environment). Access to video data by Tribal Habits employees is limited to the CEO. Tribal Habits as a company also stores some customer data for marketing, management, finance and administrative purposes internally. To clarify, this is limited to information such as customer logos, invoices and customer marketing communications. Such administrative data is stored in a major cloud storage environment with access strictly limited to Tribal Habits staff (no contractors or third parties) on a user-by-user basis, with version history, back-ups and access monitoring.
Can the Tribal Habits software respond quickly to new security threats?
Yes. Between our streamlined, rapid approach to application delivery and our highly automated server infrastructure, Tribal Habits quickly addresses security issues as they arise. These technology and process structures allow Tribal Habits to rapidly adapt as new threats are identified.
Does Tribal Habits rapidly patch and update identified vulnerabilities?
Yes. Tribal Habits’ patch management process pushes security updates fast and consistently. First, the Tribal Habits application is developed in the Ruby on Rails environment, which provides significant security features within the Rails framework. Second, we utilise static code scanning during development and on all new deployments via the Brakeman security scanner. Third, Amazon provides daily patches to all our platform infrastructure and regular updates to our application operating system. Fourth, we utilise Amazon Inspector, an automated security assessment service, to assess our Amazon servers against a range of vulnerabilities and deviations from best practice on a weekly basis. Finally, our development roadmap allocates developer time every month to the review, patching, updating and replacement of software libraries and plug-ins to ensure our core code base and tech stack remain current.
Does Tribal Habits have an incident response program?
Tribal Habits’ Cybersecurity Incident Response Plan is responsive and repeatable. We use standard incident response process structures to ensure that the right steps are taken at the right time.
Does Tribal Habits bring in outside third parties to find security issues?
Yes. First, we utilise the Amazon Inspector application on a weekly basis for regular testing against common vulnerabilities. Second, we bring in industry-respected third-party penetration testing firms annually, in October of each year, to test the Tribal Habits infrastructure. Finally, we also have internal and external audit processes to ensure that processes are implemented and working as intended.
Does Tribal Habits test against the OWASP Top Ten framework?
Yes. Code for Tribal Habits is specifically developed and tested following principles set out in the Open Web Application Security Project (OWASP) Top Ten framework, via static security scanning and Amazon Inspector. Specific reporting against all elements of the framework is included in third-party security reviews.
How does Tribal Habits utilise Identity and Access Management?
Within our Amazon Web Services (AWS) environment, we utilise a strict Identity and Access Management (IAM) framework. Access to the Root Account at AWS is held only by the Tribal Habits CEO, with a two-factor login process. Other employee access to AWS is limited to the CTO and is also conducted via two-factor authentication. IAM policies are applied to all AWS identities, limiting access to servers, databases and file storage based on their role and/or purpose. Outside of AWS, we utilise a centralised password management system for all Tribal Habits staff and our applications and integrations. Internally, we require minimum 20-character randomly generated passwords. The password management system conducts regular audits of staff logins to ensure strong passwords and allows for bulk password changes in the event of any security concern.
What are the password requirements for customers?
The passwords for customers and their users are stored in an encrypted environment. Passwords can be set or reset by customer administrators, but cannot be viewed. Users can also request password resets of their own password through an automated email service. Tribal Habits user accounts are automatically locked after 10 failed password attempts and can only be unlocked by their portal administrator. User passwords must meet a minimum of 8 characters with 1 upper case, 1 lower case and 1 numeric character.
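The following is an added illustration of the customer password rules stated above (minimum 8 characters with one upper-case, one lower-case and one numeric character; lockout after 10 failed attempts; unlock only by an administrator). It is plain Ruby written for this page, not Tribal Habits' own code; the PBKDF2 hashing and the `Account` class are assumptions about how such a policy is typically implemented, not a description of the platform's storage.

```ruby
# Added example (not Tribal Habits' code): password policy + failed-attempt lockout.
require "openssl"

MIN_PASSWORD_LENGTH = 8
MAX_FAILED_ATTEMPTS = 10

# Returns the list of policy rules the candidate password fails; empty means acceptable.
def password_policy_violations(password)
  violations = []
  violations << "at least #{MIN_PASSWORD_LENGTH} characters" if password.length < MIN_PASSWORD_LENGTH
  violations << "one upper-case letter" unless password.match?(/[A-Z]/)
  violations << "one lower-case letter" unless password.match?(/[a-z]/)
  violations << "one digit" unless password.match?(/[0-9]/)
  violations
end

# Constant-time byte comparison so a mismatch does not leak where the digests differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class Account
  attr_reader :failed_attempts, :locked

  # Assumption for this example: passwords are stored as salted PBKDF2-HMAC-SHA256
  # digests, so the stored value cannot be turned back into the password.
  def initialize(password)
    violations = password_policy_violations(password)
    raise ArgumentError, "password must contain #{violations.join(', ')}" unless violations.empty?
    @salt = OpenSSL::Random.random_bytes(16)
    @digest = hash_password(password, @salt)
    @failed_attempts = 0
    @locked = false
  end

  # A locked account always fails; a wrong password counts towards the lockout
  # threshold, and a correct one resets the counter.
  def authenticate(password)
    return false if @locked
    if secure_compare(hash_password(password, @salt), @digest)
      @failed_attempts = 0
      true
    else
      @failed_attempts += 1
      @locked = true if @failed_attempts >= MAX_FAILED_ATTEMPTS
      false
    end
  end

  # Only an administrator action clears the lock; the user cannot self-unlock.
  def admin_unlock!
    @locked = false
    @failed_attempts = 0
  end

  private

  def hash_password(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: "sha256")
  end
end
```

Note that the lockout counter is kept server-side on the account rather than in the client's session, so clearing cookies or switching devices does not reset it.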
How are users and privileges managed within the Tribal Habits portal?
All users within Tribal Habits have a unique log-in ID. This log-in ID is tracked each time it is used to access a portal. Each log-in ID can only access the unique Tribal Habits portal it is assigned to. Each log-in ID is linked to a two-hour time-expiring session cookie. Some users within each Tribal Habits portal can be granted Administrative privileges for their portal. Administrative privileges can only be granted by an existing Administrator within your platform. To provide support, servicing and testing, some Tribal Habits staff have Super Administrator privileges which grant access to all Tribal Habits portals. Super Administrators can only be created manually by the Tribal Habits CEO and CTO, and are restricted to vetted internal Tribal Habits staff only.
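The following is an added illustration of the tenant separation described in the "How does Tribal Habits separate customer data?" answer and the session and privilege rules described just above: the portal is resolved from the request's subdomain, a session is only valid on its user's own portal and only within the two-hour window, content lookups are scoped to the user's organisation so a URL copied from another organisation resolves to nothing, and administrator rights can only be granted by an existing administrator of the same portal. It is plain Ruby written for this page, not Tribal Habits' code; the in-memory `Organisation`, `User`, `Content` and `Session` records and the hostnames are constructed sample data.

```ruby
# Added example (not Tribal Habits' code): subdomain-scoped tenant isolation,
# two-hour session expiry and administrator-only privilege grants.
require "time"

SESSION_TTL_SECONDS = 2 * 60 * 60 # "two hour time-expiring session cookie"

Organisation = Struct.new(:id, :subdomain)
User         = Struct.new(:id, :login_id, :organisation_id, :admin)
Content      = Struct.new(:id, :organisation_id, :title)
Session      = Struct.new(:user_id, :created_at)

# Constructed sample tenants, users and content for the example.
ORGANISATIONS = [Organisation.new(1, "acme"), Organisation.new(2, "globex")].freeze
USERS = [
  User.new(10, "alice@acme.example", 1, true),
  User.new(20, "bob@globex.example", 2, false),
].freeze
CONTENTS = [
  Content.new(100, 1, "Acme onboarding"),
  Content.new(200, 2, "Globex safety briefing"),
].freeze

class AccessDenied < StandardError; end

# The first DNS label of the request host names the portal (e.g. acme.example.com).
def organisation_for_host(host)
  subdomain = host.split(".").first
  org = ORGANISATIONS.find { |o| o.subdomain == subdomain }
  raise AccessDenied, "unknown portal #{host}" unless org
  org
end

# Validates a session against the portal it is being presented to and returns the user.
# `now` is injectable so expiry can be tested deterministically.
def authorise(host, session, now: Time.now)
  raise AccessDenied, "session expired" if now - session.created_at > SESSION_TTL_SECONDS
  org = organisation_for_host(host)
  user = USERS.find { |u| u.id == session.user_id }
  raise AccessDenied, "unknown user" unless user
  raise AccessDenied, "user belongs to a different portal" unless user.organisation_id == org.id
  user
end

# Every content lookup is filtered by the caller's organisation, so a URL such as
# /contents/200 requested on the acme portal yields nil even though id 200 exists
# in another tenant. Returning nil (not-found) rather than a distinct "forbidden"
# avoids confirming that the foreign record exists.
def find_content(host, session, content_id, now: Time.now)
  user = authorise(host, session, now: now)
  CONTENTS.find { |c| c.id == content_id && c.organisation_id == user.organisation_id }
end

# Administrator rights may only be conferred by an existing administrator of the same portal.
def grant_admin!(granter, target)
  unless granter.admin && granter.organisation_id == target.organisation_id
    raise AccessDenied, "only an existing administrator of the same portal can grant admin"
  end
  target.admin = true
  target
end
```

The important property is that the organisation filter lives inside `find_content`, not in the caller, so there is no code path that can look up content by id alone.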
Can customers use single sign-on authentication?
Yes. Tribal Habits supports the SAML 2.0 single sign-on (SSO) protocol for customers wishing to further improve user security. Please contact Tribal Habits Support to activate SAML on your portal.
What steps does Tribal Habits take to improve employee security?
All employees must successfully complete a security background check before working at Tribal Habits. Tribal Habits regularly communicates with staff about its obligation to safeguard confidential information. We provide online training on confidentiality, privacy, and information security for all new employees. In addition, all staff are required to complete an annual privacy and security training and are tested on the materials presented. Every employee must follow our code of conduct, sign a confidentiality and non-disclosure agreement as a condition of employment, and follow our information security policies. We conduct random audits of each employee’s IT and physical security measures.