- SOC 2 Type I
- SOC 2 Type II
- PCI DSS (SAQ-A)
Access Control Management
All access to fabric infrastructure is based on RBAC and the principle of least privilege. We manage access control logging at the user level for console and CLI actions. This log lets us trace code-level commits and provides an auditable record of those commits and of the actions used to promote code between environments. Additionally, all access to the fabric AWS environment is provided only through Multi-Factor Authentication (MFA). fabric leverages industry-recognized hashing, encryption and salting mechanisms to protect all credentials stored in the environment. To secure user credentials, TLS is used to encrypt requests and responses throughout the login process, and credential information is encrypted at rest using server-side encryption. Credentials are verified by comparing a salted hash of the password, computed with a high-computational-effort hashing algorithm (such as bcrypt), against a persisted value, and calls to the login API are rate limited to protect against brute-force attacks. A user account is disabled after 10 unsuccessful login attempts. Logged-in users are provided with a JSON Web Token (JWT) that proves the user’s identity and contains claims used to authorize subsequent requests. The token is signed with fabric’s private key as described in RFC 7519, allowing receiving systems to verify its integrity.
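The credential and token controls described under Access Control Management above, worked through as an added Python example (this is illustrative code, not fabric's implementation). Its assumptions are labelled in the comments: an in-memory account store, hashlib.scrypt from the standard library standing in for bcrypt as the high-cost salted hash, an HMAC-SHA256 (HS256) signature standing in for the private-key signature the page describes (the standard library has no RSA or ECDSA), a 5-per-minute per-account rate limit chosen for the example, and a 15-minute token lifetime; the 10-attempt lockout is the figure the page gives.

```python
"""Login flow modelled on the controls described above (added example, not fabric's code)."""
import base64
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 10            # from the page: disable the account after 10 failed logins
RATE_LIMIT_PER_MINUTE = 5         # assumed value; the page only says the login API is rate limited
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed cost parameters (scrypt stands in for bcrypt)
TOKEN_TTL_SECONDS = 900           # assumed token lifetime
_DUMMY_SALT = b"\x00" * 16        # used to burn equal work when the user does not exist


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes                 # only the salted digest is persisted, never the password
    failed_attempts: int = 0
    disabled: bool = False
    attempt_times: List[float] = field(default_factory=list)


class LoginService:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key   # HS256 key; stands in for the issuer's private key in the example
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a signed JWT on success, None on any failure (the caller reports a generic error)."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, _DUMMY_SALT)  # same cost as a real check, so timing does not reveal valid usernames
            return None
        if acct.disabled:
            return None
        # Sliding-window rate limit per account; a throttled call is not counted as a failed attempt.
        acct.attempt_times = [t for t in acct.attempt_times if now - t < 60]
        if len(acct.attempt_times) >= RATE_LIMIT_PER_MINUTE:
            return None
        acct.attempt_times.append(now)
        _, candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.digest):  # constant-time comparison
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.disabled = True
            return None
        acct.failed_attempts = 0
        return self._issue_token(username, now)

    def _issue_token(self, username: str, now: float) -> str:
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS, "roles": ["user"]}
        parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8")) for obj in (header, claims)]
        signing_input = ".".join(parts)
        sig = hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(sig)}"

    def verify_token(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the claims if the signature and expiry check out, else None."""
        now = time.time() if now is None else now
        try:
            h, c, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            if header.get("alg") != "HS256":  # pin the algorithm: reject "none" and algorithm swaps
                return None
            expected = hmac.new(self._key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            claims = json.loads(_b64url_decode(c))
        except (ValueError, TypeError, AttributeError, UnicodeDecodeError):
            return None
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
```

Two design points worth noting: every failure path returns the same `None`, so the caller cannot leak whether the username, the password or the lockout state was the cause; and the verifier checks the signature before it trusts any claim, with the algorithm pinned so that a token carrying `"alg":"none"` is rejected outright.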
Data and Asset Protection
fabric leverages security tools, processes and cloud-native services to protect the infrastructure, including:
- DDOS protection
- WAF protection
- Bot configuration and IP whitelisting
- Performing Static Application Security Testing (SAST) through tools integrated into the CI/CD pipeline
- Code reviews to protect against OWASP Top 10 vulnerabilities and more
- EDR (Endpoint Detection and Response) tool for user workstations and cloud instances
- Store all customer-related information on secure cloud accounts
- Only allow SRE personnel to grant access to cloud accounts and all digital data
- Deploy the Storefront with a dedicated managed database as a VPC (Virtual Private Cloud)
- Employ secure, multi-zonal replication and encryption of data
- Protect data transfer with SSE (Server-Side Encryption)
- Retain data only for a month after the end of the contract
- Accept a request from you to delete your data
- Only work with third parties who meet our security and insurance conditions
Incident Response Management
We actively monitor all logs, reports, and alerts to detect threats. Our incident response team is available 24/7/365 on an on-call schedule for global coverage. In case of an incident, the SRE team reproduces or verifies the suspected issue. Then, we bring the appropriate resources together to address the incident. Our standard priority-based incident response SLA is provided below. Here, P1 refers to the highest priority and P4 the lowest.
- First email response within 30 minutes
- Follow-up responses every hour until the issue is resolved
- SLA: as soon as possible
- Report issue by phone

- First email response within 30 minutes
- Second follow-up response within 6 hours
- SLA: 2-3 business days
- Report issue by email only

- First email response within 30 minutes
- Second follow-up response within 2-3 business days
- SLA: 5-7 business days
- Report issue by email only
Vulnerability Assessment
fabric’s continuous vulnerability management program consists of two pillars:
- Deep integration into fabric’s CI/CD pipeline
- Scheduled vulnerability scans of deployed code