Security and Compliance

We use an SRE (Site Reliability Engineering) team to manage, maintain, and operate our security policies and procedures. We also utilize secure engineering and quality assurance practices to ensure ongoing security compliance.

fabric’s core product is hosted on Amazon Web Services (AWS) cloud infrastructure that supports security standards and compliance certifications which could help our customers satisfy compliance requirements for virtually every regulatory agency around the globe. Additionally, fabric holds following compliance certifications / attestations and self assessment questionnaires:

• SOC 2 Type I
• SOC 2 Type II
• PCI DSS (SAQ - A)

fabric does not process / store credit card information directly. Instead, third party payment gateways (PCI compliant) are used to handle payment transactions. We can supply certificates, insurance policies, and security playbooks on request.

​

Access Control Management

All access to fabric infrastructure is based on RBAC and the principle of least privilege. We manage access control logging at the user level for console and CLI actions. This log allows us to trace code-level commits and offers traceable and auditable protocols for code-level commits, along with actions to manage code between environments. Additionally, all access to the fabric AWS environment is only provided through Multi-Factor Authentication (MFA).

fabric leverages industry recognized hashing, encryption and salting mechanisms to protect all credentials stored in the environment. To secure user credentials, TLS is used to encrypt the requests and responses throughout the login process and credential information is encrypted at rest using server side encryption. Credentials are verified by the comparison of a salted hash of the password using a high-computational effort hashing algorithm (eg bcrypt) against a persisted value and calls to the login API are rate limited to protect against brute force attacks. User account is disabled after 10 unsuccessful login attempts.

Logged in users are provided with a JSON Web Token that proves the user’s identity and contains claims that will be used to authorize subsequent requests. The token is signed with fabric’s private key as described in RFC 7519, allowing the integrity of the token to be evaluated by receiving systems.

​

Data and Asset Protection

fabric leverages security tools, processes and cloud native services to protect the infrastructure, including:

• DDOS protection
• WAF protection
• Bot configuration and IP whitelisting
• Performing Static Application Security Testing (SAST) through tools integrated into the CI/ CD pipeline
• Code reviews to protect against OWASP Top 10 vulnerabilities and more
• EDR (Endpoint Detection and Response) tool for user workstations and cloud instances

The SRE team at fabric has a data loss recovery plan for all systems in place. In addition to this, we:

• Store all customer-related information on secure cloud accounts
• Only allow SRE personnel to grant access to the cloud accounts and all digital data
• Deploy the Storefront with a dedicated managed database as a VPC (Virtual Private Cloud)
• Employ secure, multi-zonal replication and encryption of data
• Protect data transfer with SSE (Server-Side Encryption)
• Retain data only for a month after the end of the contract
• Accept a request from you to delete your data
• Only work with third parties who meet our security and insurance conditions

​

Incident Response Management

We actively monitor all logs, reports, and alerts to detect threats. Our incident response team is available 24/7/365 on an on-call schedule for global coverage. In case of an incident, the SRE team recreates or verifies the suspected issue. Then, we bring the appropriate resources together to address the incident.

Our standard priority-based incident response SLA is provided below. Here, P1 refers to the highest priority and P4 the lowest.

• First email response within 30 minutes
• Follow up responses every hour until the issue is resolved
• SLA: as soon as possible
• Report issue by phone
• First email response within 30 minutes
• Second follow up response within 6 hours
• SLA: 2-3 business days
• Report issue by email only
• First email response within 30 minutes
• Second follow up response within business 2-3 days
• SLA: 5-7 business days
• Report issue by email only

This policy may be customized at your request as part of the MSA and onboarding process.

​

Vulnerability Assessment

fabric’s continuous vulnerability management program consists of two pillars:

• Deep integration into fabric’s CI/CD Pipeline
• Scheduled vulnerability scans of deployed code

We create and run automated security unit tests on each code change before the deployment. To identify vulnerabilities, we also perform a security scan every four weeks. We rate vulnerabilities as critical, high, medium, and low. Critical and high vulnerabilities are acted upon within 3 to 7 days, medium within 14 days, and low within 30 days.

Periodic secure coding audits and external penetration tests follow the security scan. During the security review, a trained reviewer analyzes the code for potential security flaws. The analysis is based on standards of the OWASP Security Knowledge Framework.