Security and compliance are top priorities for Nabla because they are fundamental to your experience with the product. Nabla is committed to securing your application’s data, eliminating system vulnerabilities, and ensuring continuity of access.
Nabla uses a variety of industry-standard technologies, services and processes to secure your data from unauthorized access, disclosure, use, and loss.
Information Security Program
We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 and ISO 27001 frameworks. We are currently in the process of obtaining formal certifications for both frameworks.
Our organization undergoes independent third-party assessments to test our security and compliance controls.
Third-Party Penetration Testing
We have an independent third-party penetration test performed at least annually to ensure that the security posture of our services is uncompromised.
Unusual network patterns and suspicious behavior are among Nabla’s most significant concerns for infrastructure hosting and management. Google Cloud Platform’s intrusion detection system (IDS) uses signature-based detection to identify traffic patterns that match known attack methods.
Nabla does not provide direct access to security event forensics but does provide access to the engineering and customer support teams during and after any unscheduled downtime.
Roles and Responsibilities
Roles and responsibilities related to our Information Security Program and the protection of our customers’ data are well defined and documented. Our team members are required to review and accept all of the security policies.
Security Awareness Training
Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
At Nabla, we believe that good security practices start with our own team, so we go out of our way to protect against internal threats and local vulnerabilities. All company-provided workstations are enrolled in Mobile Device Management (MDM) to enforce security settings including full-disk encryption, screen lock, and strong password policy.
Cloud Infrastructure Security
All our services are hosted on Google Cloud Platform, which runs a robust security program with multiple certifications. For more information on our provider’s security processes, please visit GCP Security.
Data Hosting Security
All our data is hosted on Google Cloud Platform databases and storage buckets. These databases are located in the region you choose when you create your organization.
Encryption at Rest
All data is encrypted at rest using AES-256. Google Cloud Platform stores and manages the data encryption keys in its redundant, globally distributed Key Management Service. If an intruder were ever able to access any of the physical storage devices, the Nabla data contained on them could not be decrypted without the keys, leaving the information unreadable.
Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.
Encryption in Transit
Nabla sends data exclusively over HTTPS connections encrypted with Transport Layer Security (TLS), protecting data as it transits to and from the application and APIs.
We perform vulnerability scanning and actively monitor for threats.
Logging and Monitoring
We actively monitor and log various cloud services.
Every part of the Nabla service uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, and replica databases) so that a single failure does not cause an outage. As part of regular maintenance, servers are taken out of operation without impacting availability.
Business Continuity and Disaster Recovery
Nabla keeps encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups.
We utilize monitoring services to alert the team in the event of any failures affecting users.
We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Physical Access Control
Nabla is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as:
- Custom-designed electronic access cards
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
According to the Google Security Whitepaper: Google data centers also implement “security measures such as laser beam intrusion detection and 24/7 monitoring by high-resolution interior and exterior cameras” to detect and track intruders. In addition, “access logs, activity records, and camera footage are available in case an incident occurs” and “experienced security guards, who have undergone rigorous background checks and training, routinely patrol” Google data centers.
Nabla employees do not have physical access to Google data centers, servers, network equipment, or storage.
Logical Access Control
Nabla is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Nabla operations team members have access to configure the infrastructure on an as-needed basis behind two-factor authentication. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management.
Quarterly Access Reviews
We perform quarterly access reviews of all team members with access to sensitive systems.
All team members are required to adhere to a minimum set of password length and complexity requirements for access.
Vendor and Risk Management
Annual Risk Assessments
We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
Vendor Risk Management
Vendor risk is assessed, and the appropriate vendor reviews are performed, before a new vendor is authorized.
Anyone can report a vulnerability or security concern with a Nabla product. Please read our Vulnerability Disclosure Policy for more information.
If you have any questions, comments or concerns or if you wish to report a potential security issue, please contact email@example.com.