Security

Updated

Security and compliance are top priorities for Nabla because they are fundamental to your experience with the product. Nabla is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.

Nabla uses a variety of industry-standard technologies, services and processes to secure your data from unauthorized access, disclosure, use, and loss.

Organizational Security

Information security program

We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Type II and ISO 27001 frameworks, and has obtained the associated certifications.

Third-Party Audits

Our organization undergoes independent third-party assessments to test our security and compliance controls.

Third-Party Penetration Testing

We perform an independent third-party penetration at least annually to ensure that the security posture of our services is uncompromised.

Intrusion Detection

Unusual network patterns or suspicious behavior are among Nabla’s most significant concerns for infrastructure hosting and management. Google Cloud Platform’s intrusion detection system (IDS) relies on signature-based security to identify traffic patterns that are similar to known attack methods.

Nabla does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.

Roles and Responsibilities

Roles and responsibilities related to our Information Security Program and the protection of our customer’s data are well defined and documented. Our team members are required to review and accept all the security policies.

Security Awareness Training

Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.

Confidentiality

All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.

Malware Protection

At Nabla, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations are enrolled in Mobile Device Management (MDM) to enforce security settings including full-disk encryption, screen lock, and strong password policy.

Cloud Security

Cloud Infrastructure Security

All our services are hosted with Google Cloud Platform. They employ a robust security program with multiple certifications. For more information on our provider’s security processes, please visit GCP Security.

Data Hosting Security

All our data is hosted on Google Cloud Platform databases and storage buckets. These databases are located in the region you choose when you create your organization.

Encryption at Rest

All data is encrypted at rest using AES-256. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service. So, if an intruder were ever able to access any of the physical storage devices, the Nabla data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.

Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.

Encryption in Transit

Nabla exclusively sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application and APIs.

Vulnerability Scanning

We perform vulnerability scanning and actively monitor for threats.

Logging and Monitoring

We actively monitor and log various cloud services.

High Availability

Every part of the Nabla service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity and Disaster Recovery

Nabla keeps encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.

We utilize monitoring services to alert the team in the event of any failures affecting users.

Incident Response

We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.

Access Security

Physical Access Control

Nabla is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as:

  • Custom-designed electronic access cards
  • Alarms
  • Vehicle access barriers
  • Perimeter fencing
  • Metal detectors
  • Biometrics

According to the Google Security Whitepaper: Google data centers also implement “security measures such as laser beam intrusion detection and 24/7 monitoring by high-resolution interior and exterior cameras” to detect and track intruders. In addition, “access logs, activity records, and camera footage are available in case an incident occurs” and “experienced security guards, who have undergone rigorous background checks and training, routinely patrol” Google data centers.

Nabla employees do not have physical access to Google data centers, servers, network equipment, or storage.

Logical Access Control

Nabla is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Nabla operations team members have access to configure the infrastructure on an as-needed basis behind two-factor authentication. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Least Privilege Access Control

We follow the principle of least privilege with respect to identity and access management.

Quarterly Access Reviews

We perform quarterly access reviews of all team members with access to sensitive systems.

Password Requirements

All team members are required to adhere to a minimum set of password requirements and complexity for access.

Vendor and Risk Management

Annual Risk Assessments

We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.

Vendor Risk Management

Vendor risk is determined, and the appropriate vendor reviews are performed prior to authorizing a new vendor.

Vulnerability Disclosure

Anyone can report a vulnerability or security concern with a Nabla product. Please read our Vulnerability Disclosure Policy for more information.

Contact Us

If you have any questions, comments or concerns or if you wish to report a potential security issue, please contact security@nabla.com.

To learn more about Nabla security posture and see related documents, please visit our Trust Portal.