Security

Your safety is our concern

Backups / Disaster Recovery

We keep full backups of each equicty database for up to 90 days. Backups are replicated across multi-region data centers in Europe.

 

Hardware failover

For services hosted on bare metal, where hardware failure is possible, we implement local hot standby replication, with monitoring and a manual failover procedure that takes less than 5 minutes.

 

Disaster recovery

In case of a complete disaster, with a data center entirely down for an extended period, preventing the failover to our local hot standby (this has never happened so far; it is the worst-case plan), we have the following objectives:

• RPO (Recovery Point Objective) = 24h. This means you can lose at most 24h of work if the data cannot be recovered and we need to restore your latest daily backup.

• RTO (Recovery Time Objective) = 24h for paid subscriptions, 48h for free trials, education offer, freemium users, etc. This is the time to restore the service in a different data center if a disaster occurs and a data center is completely down.

• How this is accomplished: we actively monitor our daily backups, and they are replicated in multiple locations. We have automated provisioning to deploy our services in a new hosting location. Restoring the data based on our backups of the previous day can then be done in a few hours (for the largest clusters), with priority on the paid subscriptions.

• We routinely use both the daily backups and provisioning scripts for daily operations, so both parts of the disaster recovery procedure are tested all the time.

 

Security

Database

Customer data is stored in a dedicated database, with no sharing of data between clients. Data access control rules implement complete isolation between customer databases running on the same cluster; no access is possible from one database to another.

 

Password policy and storage

To access equicty, you need to provide a strong password of at least 6 characters. We do not store these user passwords in plain text; we only store one-way password hashes that include a random per-user salt. This protects users against rainbow table attacks and hashed password matching. Equicty staff do not have access to your password and cannot retrieve it for you; the only option if you lose it is to reset it.

If users enter incorrect passwords multiple times in a row, the account will be temporarily locked to prevent brute-force attacks.

 

Encrypting data in transit

All traffic to equicty passes through an SSL-encrypted connection, and we only accept traffic through port 443. A report on our SSL configuration can be found here.

 

Encrypting data at rest

All data stored on equicty systems is encrypted at rest. Information stored in our database systems or on our file systems is encrypted using the industry-standard AES-256 encryption algorithm. GCP stores and manages the cryptographic keys in its redundant and globally distributed Key Management Service.

This means that even if an intruder were ever able to access any of the physical storage devices, the data contained therein would still be impossible to decrypt without the keys, rendering the information useless.

 

GCP security practices

Equicty uses Google Cloud (GCP) to store user data. These servers undergo recurring assessment to ensure compliance with the latest industry standards and to continually manage risk. By using GCP as our data center, our infrastructure is accredited by:

• ISO/IEC 27001/27017/27018/27701

• SOC 1/2/3

• PCI DSS and FedRAMP certifications

• Alignment with HIPAA, GDPR, and CCPA

More information about GCP security can be found here.

 

Request throttling and tracking

We block requests originating from known, vulnerable IP addresses or ranges. Requests that originate from the same IP are throttled and rate-limited to avoid potential misuse.

 

Credit card safety

We never store credit card information on our own systems. Your credit card information is always transmitted securely between you and our payment service providers.

 

Secure by design

Equicty is designed in a way that prevents the introduction of the most common security vulnerabilities:

• SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries.

• XSS attacks are prevented by the use of a high-level templating system that automatically escapes injected data.

The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities.

 

Organization

Our team uses strong, unique passwords for equicty accounts and has set up Two-Factor Authentication for each device and service they use. All equicty employees are encouraged to use password manager software (LastPass, 1Password, …) to generate and store strong passwords.

We also make sure to encrypt local hard drives and enable automatic screen locking. All access to application admin functionalities is restricted to a select group of people.

 
