We take security seriously at Tribal Habits. We want you to feel Tribal Habits is a safe and trustworthy portal for your staff, clients and prospects to build a community of knowledge.
What if there is a problem with Tribal Habits?
Tribal Habits availability is consistently above 99.99%. Customer data is backed up daily allowing a point in time restore for our back-end databases in the event of disaster recovery. If we ever have a customer-impacting situation, we will make you aware of it via emails to portal administrators and keep you continually updated. Our status page (status.tribalhabits.com) is also continuously updated with incident responses, as well as planned outages.
Does Tribal Habits monitor its systems and software?
Yes. The application and infrastructure behaviour of Tribal Habits is monitored using multiple solutions, including Amazon Web Services (AWS) Control Tower, GuardDuty and CloudWatch alarms, as well as error reporting for both server and client errors. Our status page (status.tribalhabits.com) provides real-time reporting on key infrastructure.
Does the Tribal Habits platform contain system redundancy?
Yes. Every part of the Tribal Habits platform is distributed across multiple instances and availability zones within the Amazon Web Services (AWS) infrastructure. Databases, application servers, web servers, jobs servers, and load balancers as well as backend support services all have multiple failover instances to prevent outage from single points of failure.
Can I use SSL (TLS) on my Tribal Habits portal?
Yes. All communication to and from Tribal Habits servers uses HTTPS (TLS only; SSL is no longer supported), both to encrypt all communications to maintain privacy and to provide a guarantee of Tribal Habits server authenticity. Our HTTPS certificate is a SHA-2 certificate with a full 2048-bit key, issued by AWS and renewed every 12 months.
Is my Tribal Habits portal protected by a network firewall?
Yes. Tribal Habits utilises a combination of tools to protect the Tribal Habits infrastructure.
- First, network-level firewalling is used to restrict direct access to our AWS servers to specified IP addresses.
- Second, we utilise a Web Application Firewall (WAF) through AWS to block known malicious websites, bots and scrapers. In addition, AWS has significant built-in Distributed Denial of Service (DDoS) prevention measures to protect all Tribal Habits portals from attacks.
We utilise a variety of real-time monitoring to alert on any unexpected data usage and have the ability to add server instances in response to unexpectedly high server usage.
Does Tribal Habits incorporate security into software development?
Yes. Tribal Habits code is high quality from conception to deployment. We use automated static code analysis alongside human review to ensure development best practices are implemented across code pushes. Responsive software development means new features, resiliency improvements and bug fixes arrive weekly (often daily) and seamlessly.
How is customer data stored and backed up?
Within the Tribal Habits platform, customer data is stored in a secure, encrypted Amazon RDS. This customer database is backed up daily and stored for 35 days. These back-ups can be used for disaster recovery purposes by Tribal Habits (whole system restore). Where a client requests a backup of their own data from a point in time (e.g. they deleted something and now they want it back), we cannot guarantee this will be possible at all times if our platform/database has upgraded/changed structure.
How does Tribal Habits separate customer data?
Tribal Habits organisations are ‘walled’ from each other (separate schemas within our database). Each organisation has its own subdomain for accessing Tribal Habits. Users can log in only via their own subdomain and are blocked from accessing any other subdomains (user accounts are linked to a single schema). All content created by users in an organisation is only visible to other users of the same organisation. All URLs are authenticated against the user’s organisation, preventing anyone from sharing URLs with people outside their organisation. As noted above, video assets cannot be downloaded and are restricted to playback by authenticated users within their Tribal Habits portal. Images and files displayed or made available in your Tribal Habits modules are served using four-hour time-expiring URLs.
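The two controls described above, URLs bound to the requesting user's organisation and asset links that stop working after four hours, are commonly implemented together as an HMAC-signed URL. The following is an added illustration written for this page, not Tribal Habits code: the signing key, the `org`/`expires`/`sig` query parameter names, the `example.com` host and the path layout are all assumptions. The verifier checks tenant, expiry and signature in that order and reports which check failed, which is what you want to log when investigating a rejected link.

```ruby
require 'openssl'
require 'uri'

# Added example, not Tribal Habits code. Key and parameter names are assumptions.
EXPIRY_SECONDS = 4 * 60 * 60   # the four-hour window described in the FAQ
SIGNING_KEY = 'constructed-demo-key-replace-in-real-use'

# The string that is signed binds the tenant, the asset path and the expiry
# together, so none of them can be changed without invalidating the signature.
def canonical(org, path, expires)
  "#{org}|#{path}|#{expires}"
end

def sign(org, path, expires, key: SIGNING_KEY)
  OpenSSL::HMAC.hexdigest('SHA256', key, canonical(org, path, expires))
end

# Build a link to an asset belonging to +org+, valid for four hours from +now+.
def signed_asset_url(org, path, now: Time.now, key: SIGNING_KEY)
  expires = now.to_i + EXPIRY_SECONDS
  sig = sign(org, path, expires, key: key)
  "https://#{org}.example.com#{path}?org=#{org}&expires=#{expires}&sig=#{sig}"
end

# Constant-time comparison so a signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a URL presented by a user whose session belongs to +session_org+.
# Returns :ok or a symbol naming the first failed check.
def verify_asset_url(url, session_org, now: Time.now, key: SIGNING_KEY)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  org, expires, sig = params.values_at('org', 'expires', 'sig')
  return :malformed if org.nil? || expires.nil? || sig.nil?
  return :wrong_tenant unless org == session_org   # link belongs to another organisation
  return :expired if now.to_i > expires.to_i        # past the four-hour window
  expected = sign(org, uri.path, expires.to_i, key: key)
  secure_equal?(expected, sig) ? :ok : :bad_signature
end

if __FILE__ == $PROGRAM_NAME
  url = signed_asset_url('acme', '/assets/module1/diagram.png')
  puts url
  puts verify_asset_url(url, 'acme')     # :ok
  puts verify_asset_url(url, 'globex')   # :wrong_tenant
end
```

Because the expiry is part of the signed string, a user cannot extend a link by editing `expires`; because the organisation is part of it, a link copied to a user of another portal fails the tenant check before the signature is even computed.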
Is the use of live data for system and application testing forbidden?
Yes. We only use dummy data for our testing and preview environments.
How are Tribal Habits servers hosted?
The Tribal Habits platform is run on fault-tolerant servers at Amazon Web Services (AWS). Our servers at AWS are backed by UPS electricity supply, 24-hour monitoring of electrical, mechanical and life support systems, automatic fire detection and suppression equipment, climate-controlled environments, and NIST 800-88 destruction techniques for decommissioned storage devices. Our servers at AWS are hosted in multiple availability zones in each location, with each availability zone physically separated from the others to minimise the risk of concurrent physical impacts on servers.
Where is Tribal Habits customer and user data stored?
All customer data, with the exception of certain secure integrations as outlined below, is stored on AWS servers and databases located in Sydney, Australia. Our databases are encrypted at rest with an AWS customer master key and industry-standard AES-256 encryption.
We integrate with a limited number of major external providers for critical systems. We review and select trusted, global and large providers for our critical integration and use only secure RESTful APIs to transfer only necessary data. Access to data stored by our trusted external partners is limited to employees authorised for that specific purpose. Some limited customer data is stored securely in the US with our integration partners. Please contact us for more information about secure storage.
Tribal Habits as a company also stores some customer data for marketing, management, finance and administrative purposes internally. To clarify, this is limited to information such as customer logos, invoices and customer marketing communications. Such administrative data is stored in a major cloud storage environment with access strictly limited to Tribal Habits staff (no contractors or third parties) on a user-by-user basis, with version history, back-ups and access monitoring.
Can the Tribal Habits software respond quickly to new security threats?
Yes. Between our streamlined, rapid approach to application delivery and our highly automated server infrastructure, Tribal Habits quickly addresses security issues as they arise. These technology and process structures allow Tribal Habits to rapidly adapt as new threats are identified.
Does Tribal Habits rapidly patch and update identified vulnerabilities?
Yes. Tribal Habits’ patch management process pushes security updates fast and consistently.
- First, the Tribal Habits application is developed in the Ruby on Rails environment which provides significant security features within the Rails framework.
- Second, we utilise static code scanning during development and all new deployments via the Brakeman security scanner.
- Third, Amazon provides daily patches to all our platform infrastructure and regular updates to our application operating system.
- Finally, our development roadmap allocates developer time every month to the review, patching, updating and replacement of software libraries and plug-ins to ensure our core code base and tech stack remains current.
Does Tribal Habits have an incident response program?
Tribal Habits’ Cybersecurity Incident Response Plan is responsive and repeatable. We use standard incident response process structures to ensure that the right steps are taken at the right time.
Does Tribal Habits bring in outside third parties to find security issues?
First, we conduct annual external third-party vulnerability and penetration testing. This includes automated testing against the OWASP framework as well as open ‘white hat’ hacking attempts as external, non-privileged and privileged users.
Second, we conduct annual external third-party reviews against the AWS Well-Architected Framework for additional testing of our core infrastructure.
Finally, we also have internal and external audit processes to ensure that processes are implemented and working as intended.
Does Tribal Habits test against the OWASP Top Ten framework?
Yes. Code for Tribal Habits is specifically developed and tested following principles set out in the Open Web Application Security Project (OWASP) Top Ten framework. Specific reporting against all elements of the framework is included in third-party security reviews.
How does Tribal Habits utilise Identity and Access Management?
Within our Amazon Web Services (AWS) environment, we utilise a strict Identity and Access Management (IAM) framework. Access to the Root Account at AWS is held only by the Tribal Habits CEO with a two-factor login process. Other employee access to AWS is limited to the CTO and is also conducted via two-factor authentication. Security policies are applied to all AWS identities, limiting access to servers, databases and file storage based on their role and/or purpose. AWS GuardDuty is activated to alert on any unusual IAM (or API) activity. We have separate AWS accounts for production and staging environments, as well as for finance and disaster recovery, to provide additional layers of protection between our core infrastructure.
Outside of AWS, we utilise a centralised password management system for all Tribal Habits staff and our applications and integrations. Internally, we require minimum 20-character randomly generated passwords. The password management system conducts regular audits of staff logins to ensure strong passwords and allows for bulk password changes in the event of any security concern.
What are the password requirements for customers?
The passwords for customers and their users are stored in an encrypted environment (salted and hashed). Passwords must meet minimum requirements (8 characters, upper- and lower-case characters, including a number or non-standard character). Passwords can be set or reset by customer administrators, but cannot be viewed. Users can also request resets of their own password through an automated email service. Tribal Habits user accounts are automatically locked after 10 failed password attempts and can only be unlocked by their portal administrator. Neither Tribal Habits staff nor portal admins can see or access user passwords.
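The paragraph above lists three user-account controls: a minimum-complexity check, salted-and-hashed storage, and a lockout after 10 failed attempts that only an administrator can clear. The following is an added example written for this page in the platform's language, not Tribal Habits code: the policy thresholds match the FAQ, while the choice of PBKDF2-HMAC-SHA512, the iteration count, the stored-hash layout and the `Account` class are assumptions made for the illustration. The lockout is deliberately applied even to a subsequently correct password, so that an attacker who guesses right on attempt 11 still gets nothing until an administrator intervenes.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Tribal Habits code. MIN_LENGTH and MAX_FAILURES follow
# the FAQ; the KDF and its parameters are assumptions for this illustration.
MIN_LENGTH   = 8
MAX_FAILURES = 10
PBKDF2_ITERS = 210_000   # assumption: OWASP 2023 guidance for PBKDF2-HMAC-SHA512
KEY_LENGTH   = 64        # bytes of derived key

# Returns the list of unmet rules; an empty list means the password passes.
def password_policy_violations(pw)
  v = []
  v << :too_short unless pw.length >= MIN_LENGTH
  v << :no_upper  unless pw.match?(/[A-Z]/)
  v << :no_lower  unless pw.match?(/[a-z]/)
  v << :no_digit_or_symbol unless pw.match?(/[0-9]/) || pw.match?(/[^A-Za-z0-9]/)
  v
end

# Salted hash: a fresh random 16-byte salt per password, PBKDF2-HMAC-SHA512,
# stored as one self-describing string so parameters can be rotated later.
def hash_password(pw, salt: SecureRandom.random_bytes(16))
  dk = OpenSSL::KDF.pbkdf2_hmac(pw, salt: salt, iterations: PBKDF2_ITERS,
                                length: KEY_LENGTH, hash: 'sha512')
  "pbkdf2-sha512$#{PBKDF2_ITERS}$#{[salt].pack('m0')}$#{[dk].pack('m0')}"
end

# Constant-time comparison so a mismatch is not detectable via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(pw, stored)
  _scheme, iters, salt_b64, dk_b64 = stored.split('$')
  salt = salt_b64.unpack1('m0')
  dk = OpenSSL::KDF.pbkdf2_hmac(pw, salt: salt, iterations: iters.to_i,
                                length: KEY_LENGTH, hash: 'sha512')
  secure_equal?(dk, dk_b64.unpack1('m0'))
end

# Minimal in-memory account record with the lockout behaviour described.
class Account
  attr_reader :failed_attempts, :locked

  def initialize(password)
    violations = password_policy_violations(password)
    raise ArgumentError, "password policy: #{violations.join(', ')}" unless violations.empty?
    @hash = hash_password(password)   # only the salted hash is retained
    @failed_attempts = 0
    @locked = false
  end

  # Returns :ok, :bad_password or :locked. Once locked, even the correct
  # password is refused until an administrator unlocks the account.
  def authenticate(attempt)
    return :locked if @locked
    if password_matches?(attempt, @hash)
      @failed_attempts = 0
      :ok
    else
      @failed_attempts += 1
      @locked = true if @failed_attempts >= MAX_FAILURES
      @locked ? :locked : :bad_password
    end
  end

  # Only an administrator action clears the lock, as the FAQ describes.
  def admin_unlock!
    @locked = false
    @failed_attempts = 0
  end
end
```

Note that `password_matches?` reads the iteration count back out of the stored string rather than from the constant, so existing hashes keep verifying after `PBKDF2_ITERS` is raised, and can be re-hashed at next successful login.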
How are users and privileges managed within the Tribal Habits portal?
All users within Tribal Habits have a unique log-in ID. This log-in ID is tracked each time it is used to access a portal. Each log-in ID can only access the unique Tribal Habits portal it is assigned to. Each log-in ID is linked to a twelve-hour time-expiring session cookie.
Some users within each Tribal Habits portal can be granted Administrative privileges for their portal. Administrative privileges can only be granted by an existing Administrator within your platform. To provide support, servicing and testing, some Tribal Habits staff have Super Administrator privileges which grant access to all Tribal Habits portals. Super Administrators can only be created manually by the Tribal Habits CEO and CTO, and are restricted to vetted internal Tribal Habits staff only.
Can customers use single-sign-on authentication?
Yes. Tribal Habits supports the SAML 2.0 single sign-on (SSO) protocol for customers wishing to further improve user security. Please contact Tribal Habits Support to activate SAML on your portal.
What steps does Tribal Habits take to improve employee security?
All employees must successfully complete a security background check before working at Tribal Habits. Tribal Habits regularly communicates with staff about its obligation to safeguard confidential information. We provide online training on confidentiality, privacy, and information security for all new employees. In addition, all staff are required to complete an annual privacy and security training and are tested on the materials presented. Every employee must follow our code of conduct, sign a confidentiality and non-disclosure agreement as a condition of employment, and follow our information security policies. We conduct random audits of each employee’s IT and physical security measures.