SOC-2 Self Assessment
At NablaFlow we are aware that the data you upload to our service is sensitive and of critical importance for your organisation. For this reason we continuously invest in keeping your data safe, taking a state-of-the-art approach to security and privacy.
To evaluate the state of security and privacy at NablaFlow and give our customers strong guarantees about the controls in place, we have started the journey towards a SOC-2 attestation. SOC (System and Organization Controls) is, alongside ISO 27001, one of the industry standards for security and privacy.
This document describes how the SOC trust service criteria are currently addressed at NablaFlow.
Trust service criteria
SOC-2 lists five trust service criteria:
- Security: Information and systems are protected against unauthorised access, unauthorised disclosure of information and damage that could compromise their availability, integrity, confidentiality and privacy.
- Availability: Information and systems are available for operation and use to meet the entity's objectives.
- Processing integrity: System processing is complete, valid, accurate, timely and authorised to meet the entity's objectives.
- Confidentiality: Confidential information is protected to meet the entity's objectives.
- Privacy: Personal information is collected, used, retained, disclosed and disposed of to meet the entity's objectives.
These criteria apply to the following components:
- Infrastructure: IT systems and other hardware, including computers, equipment, mobile devices and networks.
- Software: Application software and the IT system software that supports it, such as operating systems or utilities.
- People: Individuals involved in the governance, operation and use of a system (for instance developers, operators, managers).
- Procedures: Automated or manual procedures.
- Data: Inputs and outputs of a system (for example log files, databases, transaction streams, files).
At NablaFlow a designated internal team is in charge of the security of our infrastructure, software and data. The team follows industry best practices and is regularly trained through courses and training material.
NablaFlow services are hosted in a secure environment provided by Amazon Web Services. AWS maintains a list of certifications and third-party assessments that attest to its security practices; see the AWS compliance documentation for details.
Data processing happens exclusively in the eu-west-1 region (Ireland), across the three Availability Zones AWS provides there. Each Availability Zone is physically isolated so that a failure at one location does not affect the others.
Relying on AWS for the physical layer means we benefit from the activities they perform on their data centres: physical security controls and restricted access to hardware, immediate response to failures and hazards, and automated response to availability or capacity issues. More information on AWS data centres and their security controls is available in the AWS documentation.
NablaFlow's production data lives in a dedicated AWS account with a single Virtual Private Cloud, with no connection to test data or development artefacts. Access to the production account is limited to a subset of NablaFlow employees and is regularly monitored by the security team.
Services other than the public-facing ones are not exposed to the Internet: they are reachable only through a Virtual Private Network, which reduces the attack surface and limits how far an attacker who compromises one component can move. Gateways mediate and restrict inbound and outbound traffic to these services.
Backups are stored in two regions: the same region as our services (eu-west-1) and eu-central-1, so they survive and can be restored after a complete regional outage. Both regions are within the EU and subject to GDPR.
At NablaFlow we are aware that security is not only a matter of configuring infrastructure; it is a much wider topic that involves people and processes. Security is part of our company culture.
From the moment a new team member joins the company, we provide a set of instructions to ensure that all company-defined security practices are followed. Examples are two-factor authentication on all services, a password manager for all credentials, full-disk encryption by default and a short screen-lock timeout with password on office computers.
All employees receive regular training and assessments to increase their security awareness.
NablaFlow's general approach to product security follows the principle of layered defence. Because security risks occur at many levels, we defined a set of measures that provide multiple layers of defence against them. A layered approach increases the likelihood that an attacker who penetrates one layer is stopped by the next, limiting the damage.
NablaFlow also follows the zero trust security model: no service is trusted by default. Each instance that runs our code is configured following the principle of least privilege, with only the permissions required for its task and nothing more.
At the network level, the Virtual Private Cloud provides one layer of isolation between our services and the public Internet. Firewall rules prevent unauthorised access and reduce the attack surface. A load balancer combined with a rate limiter reduces the impact of denial-of-service attacks.
Our service-oriented architecture isolates each component from the others, so that a breach in one service has a limited blast radius and does not automatically grant access to the rest.
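One way to express the least-privilege principle above in Terraform, as an added example and not NablaFlow's own configuration: an over-broad node-wide policy shown for contrast, next to a role that only a single Kubernetes service account can assume through IAM Roles for Service Accounts, limited to the S3 actions and key prefix the workload needs. The account ID, OIDC provider URL, namespace, service account name and bucket name are assumptions.

```hcl
# Added example, not NablaFlow's own Terraform. Account ID, OIDC provider,
# namespace, service account and bucket name are assumptions.
locals {
  account_id    = "123456789012"
  oidc_provider = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
}

# WEAK (for contrast only, do not attach): if this lands on the node instance
# role, every pod scheduled on the node can read, write and delete every object
# in every bucket of the account. One compromised container owns all the data.
resource "aws_iam_policy" "weak_node_s3" {
  name = "example-weak-node-s3"
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "s3:*", Resource = "*" }]
  })
}

# HARDENED: a role that can be assumed only by the projected service account
# token of one Kubernetes service account (namespace "simulations",
# name "simulation-worker") issued by this cluster's OIDC provider.
resource "aws_iam_role" "simulation_worker" {
  name = "example-simulation-worker"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = "arn:aws:iam::${local.account_id}:oidc-provider/${local.oidc_provider}" }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${local.oidc_provider}:aud" = "sts.amazonaws.com"
          "${local.oidc_provider}:sub" = "system:serviceaccount:simulations:simulation-worker"
        }
      }
    }]
  })
}

# Only the actions the worker needs, only under its own key prefix.
# No s3:DeleteObject and no access to other prefixes or buckets.
resource "aws_iam_role_policy" "simulation_worker" {
  name = "example-simulation-worker-s3"
  role = aws_iam_role.simulation_worker.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "ListOnlyOwnPrefix"
        Effect    = "Allow"
        Action    = "s3:ListBucket"
        Resource  = "arn:aws:s3:::example-simulation-data"
        Condition = { StringLike = { "s3:prefix" = ["jobs/*"] } }
      },
      {
        Sid      = "ReadInputsWriteOutputs"
        Effect   = "Allow"
        Action   = ["s3:GetObject", "s3:PutObject"]
        Resource = "arn:aws:s3:::example-simulation-data/jobs/*"
      }
    ]
  })
}
```

The role is bound to the pod by annotating the Kubernetes service account with `eks.amazonaws.com/role-arn` set to the role's ARN; the `sub` condition is what stops any other service account in the cluster from assuming it, and the `aud` condition rejects tokens minted for a different audience.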
We rely heavily on encryption: all data in transit to or from our AWS VPC is encrypted, and all data at rest in our S3 buckets is encrypted with AES-256, the industry standard.
Login and registration are provided through Ory Kratos, an open source identity provider widely used in the industry and maintained by an ISO 27001 certified company. The identity provider protects against brute-force attacks through slow password hashing and rate limiting. Passwords are stored only as slow one-way hashes, so nobody can recover them even with access to the identity provider's database, not even NablaFlow employees.
At the application level, every tool used in our infrastructure is tracked automatically for new releases and promptly upgraded when a security issue is published. Our engineers apply the same track-and-upgrade policy to the libraries our codebase depends on.
NablaFlow offers two-step verification to add an extra layer of protection to user accounts. The feature is available through the settings panel.
NablaFlow also enforces an "always use MFA" policy for all employees on the services they use professionally.
NablaFlow has onboarding and offboarding procedures that the security team follows whenever someone joins or leaves the company. This ensures that nobody who has left the company can access internal systems or other tools after their contract ends.
Companies and individuals rely on NablaFlow, and each of them deserves a platform they can count on. With robust uptime guarantees and redundancy, we aim to be there when our users need us.
NablaFlow services run on a cluster based on the AWS Elastic Kubernetes Service (EKS). This lets us replicate services easily and scale them up and down with demand. When an instance crashes, the cluster detects it and recovers automatically, routing traffic to a healthy instance without human intervention.
The same principle applies when we release new versions of our products: replicated instances keep serving traffic during a rolling upgrade, so users are not affected by downtime.
Data is stored on AWS S3 and automatically replicated in multiple availability zones to ensure redundancy.
NablaFlow uses a set of tools to monitor the health and performance of its information systems:
- CloudWatch, provided by AWS, for a general view of the cluster status
- Prometheus, to collect health metrics from the instances
- Grafana, to monitor application and simulation performance
These tools feed an Alertmanager instance that, when an anomaly is detected, sends notifications about the system status through several channels, from the internal chat to email.
Logs are collected with Grafana Loki, stored in a restricted-access S3 bucket and made available only through an access-controlled Grafana instance.
Backups and disaster recovery
The following backups are executed daily:
- Relational databases
- Infrastructure configuration
Backup data is stored in a restricted-access S3 bucket in the AWS eu-west-1 region (Ireland) and replicated to eu-central-1 (Frankfurt).
NablaFlow configures its information systems exclusively with infrastructure-as-code tooling (Terraform). Because the whole infrastructure can be recreated from code, this allows a quick disaster recovery from the backups even after a large outage or the destruction of the cluster.
A test of this recovery scenario is planned for the coming months.
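The backup bucket layout described in this section and the encryption requirements stated earlier, as an added Terraform example rather than NablaFlow's own configuration: a backup bucket in eu-west-1 with AES-256 server-side encryption enforced by default, public access blocked and non-TLS requests denied, replicated to a versioned bucket in eu-central-1 through a replication role that can touch only those two buckets. Bucket names, the role name and the provider alias are assumptions; the regions are the ones named above.

```hcl
# Added example, not NablaFlow's own Terraform. Bucket and role names and the
# provider alias are assumptions; regions match the ones in the text.
provider "aws" {
  region = "eu-west-1"
}

provider "aws" {
  alias  = "frankfurt"
  region = "eu-central-1"
}

# Primary backup bucket in Ireland. Versioning is required for replication and
# also protects a backup from being silently overwritten.
resource "aws_s3_bucket" "backups" {
  bucket = "example-backups-eu-west-1"
}

resource "aws_s3_bucket_versioning" "backups" {
  bucket = aws_s3_bucket.backups.id
  versioning_configuration { status = "Enabled" }
}

# Encryption at rest: SSE-S3 (AES-256) even when the uploader sends no header.
resource "aws_s3_bucket_server_side_encryption_configuration" "backups" {
  bucket = aws_s3_bucket.backups.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "AES256" }
  }
}

# Restricted access: public ACLs and public bucket policies cannot take effect.
resource "aws_s3_bucket_public_access_block" "backups" {
  bucket                  = aws_s3_bucket.backups.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption in transit: any request not made over TLS is denied.
resource "aws_s3_bucket_policy" "backups" {
  bucket = aws_s3_bucket.backups.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.backups.arn, "${aws_s3_bucket.backups.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# Replica bucket in Frankfurt; it must also be versioned to receive replicas.
resource "aws_s3_bucket" "backups_replica" {
  provider = aws.frankfurt
  bucket   = "example-backups-eu-central-1"
}

resource "aws_s3_bucket_versioning" "backups_replica" {
  provider = aws.frankfurt
  bucket   = aws_s3_bucket.backups_replica.id
  versioning_configuration { status = "Enabled" }
}

# Role that S3 assumes to replicate, scoped to exactly these two buckets.
resource "aws_iam_role" "replication" {
  name = "example-backup-replication"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Principal = { Service = "s3.amazonaws.com" }, Action = "sts:AssumeRole" }]
  })
}

resource "aws_iam_role_policy" "replication" {
  role = aws_iam_role.replication.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = ["s3:GetReplicationConfiguration", "s3:ListBucket"], Resource = aws_s3_bucket.backups.arn },
      { Effect = "Allow", Action = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"], Resource = "${aws_s3_bucket.backups.arn}/*" },
      { Effect = "Allow", Action = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"], Resource = "${aws_s3_bucket.backups_replica.arn}/*" }
    ]
  })
}

resource "aws_s3_bucket_replication_configuration" "backups" {
  depends_on = [aws_s3_bucket_versioning.backups, aws_s3_bucket_versioning.backups_replica]
  role       = aws_iam_role.replication.arn
  bucket     = aws_s3_bucket.backups.id
  rule {
    id     = "replicate-to-eu-central-1"
    status = "Enabled"
    destination {
      bucket        = aws_s3_bucket.backups_replica.arn
      storage_class = "STANDARD_IA"
    }
  }
}
```

Two caveats a practitioner should check against this design: cross-region replication only applies to objects written after the rule is enabled, so objects that already exist in the primary bucket have to be copied separately (S3 Batch Replication does this); and replication is not a restore test, because a replica that has never been restored into a working system is an assumption, not a recovery capability.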
When an incident occurs, NablaFlow follows a standard incident response plan.
Incidents can be detected internally by our monitoring infrastructure or by employees, or externally by a customer. Customers can always reach NablaFlow through the communication channels listed on the website to report an incident.
Each incident is handled in a dedicated channel of our company chat, where the decisions and actions taken to resolve it are recorded. A post-mortem is then written on the company wiki to document the incident, from the initial investigation, through the measures taken to contain it, to the resolution and the lessons learned.
Every piece of information you add to NablaFlow can be accessed only through your user account.
There are two exceptions to this rule:
- when you share data with someone, which is possible only from your user account through an explicit action
- when one of our employees needs to access your data to provide support or fix a bug
All NablaFlow employees and contractors sign a confidentiality agreement that persists after the termination of their contract, preventing them from disclosing any user information outside the company.
User data is stored on NablaFlow servers until the user deletes their account. After an account is deleted, we keep the data for a 60-day grace period before physically deleting it.
You can always request earlier or immediate deletion of all your data by contacting NablaFlow. A member of our team will process the request and physically delete all your content.
At NablaFlow quality is enforced through standardised processes and automated tools, and is regularly assessed through a set of metrics.
The quality metrics we defined are the following:
- System uptime
- Web interface functionality
- Web interface page speed and responsiveness
- Simulation time
- Accuracy of simulation results
To meet these quality requirements, a set of practices has been implemented and is shared across our information system components.
System uptime is monitored continuously by automated tools that alert our infrastructure team as soon as any component of the infrastructure malfunctions.
Deploying a new version of our software does not affect uptime: instances are replicated, and if a deployment fails it is automatically rolled back to the last working version.
Web interface functionality
To ensure the functionality of our web interface and reduce the chance of regressions, we follow industry best practices for code development and delivery:
- Code reviews: Every contribution to our codebase is peer reviewed by other members of the engineering team and must be approved before landing on the main branch.
- Automated testing: Contributions must come with automated tests to be accepted.
- Continuous integration: Whenever a contribution is opened, our continuous integration system runs the full application test suite and performs quality checks to ensure the changes meet our standards and introduce no regressions. Changes are rejected until every check passes.
- Manual testing: All contributions are manually tested before landing on the main branch. Changes that do not meet expectations are rejected until a fix is made.
Changes reach the services only after passing all of the previous steps.
The codebase of our services relies on external open source third-party packages and tools. Before adopting them, we assess internally that these projects meet comparable quality standards.
NablaFlow uses a tool to track exceptions on the production environment (Sentry). Data sent to that service is anonymised.
Web interface page speed and responsiveness
Page speed is continuously monitored through automated in-browser tools.
Several components of our monitoring infrastructure track the duration of each simulation to ensure consistent execution times and to identify slowdowns caused by regressions or code errors.
The engineering and infrastructure teams continuously evaluate alternatives that could reduce simulation execution time, including:
- new hardware releases
- rewriting components of our information system with more performant solutions
Accuracy of simulation results
NablaFlow simulation results are validated against wind tunnel experiments for multiple applications, including cycling, alpine skiing, automotive and bridge design.
Articles comparing the results have been published in scientific journals.
Behind the scenes, numerous metrics on mesh quality and convergence are evaluated for each simulation to ensure the results we provide meet our standards.
Software processes are monitored through continuous integration and code reviews.
Each data input is associated with a unique code, so that outputs can be traced back to their inputs.
Output values are compared against the values of the previous cycle. A variance greater than a defined threshold is flagged and investigated manually.
Incidents are tracked in the incidents journal and reviewed to take the necessary countermeasures.
At NablaFlow privacy is handled in accordance with the General Data Protection Regulation (GDPR).
Recognised as one of the most comprehensive data protection laws in the world, the GDPR regulates the processing of personal information, expands the rights granted to individuals and requires companies to be transparent about the data they collect and use.
Every NablaFlow employee and contractor signs a non-disclosure agreement to maintain the confidentiality and security of your data.
NablaFlow collects only the minimal personal data needed for authentication and communication. Any vendor that handles personal data is carefully chosen among those that fully comply with the GDPR and provide the same guarantees we provide to you.