Security Manifesto Documentation
Introduction
Mobile2b is a modern cloud digitization platform that enables companies of all kinds to digitize their business processes at a previously unknown speed and intuitiveness.
Protecting business information and data is one of the primary goals of Mobile2b. Every new function is designed, developed and rolled out with constant consideration of security aspects.
In this IT Security Manifesto, we would like to show you how our security concept looks in detail and what measures we take to make Mobile2b one of the safest places to manage your data.
Cloud
Mobile2b is a modern cloud platform that can basically be used in three different ways.
Shared Cloud
The shared cloud is the standard variant, which most customers choose. We operate large server cluster on which several Mobile2b clients run in parallel. This enables very cost-efficient hosting. At the same time, strict software-side data separation is used, which also makes the Shared Cloud an ideal place for managing sensitive business data.
We have external data protection and security audits for the shared cloud carried out on a regular basis.
Dedicated Cloud
In contrast to the Shared cloud, in a Dedicated Cloud, several customers do not share the same server, but we provide a dedicated server environment for one customer. The customer can choose one of three hosters (GCP, Azure, AWS).
In keeping with a software-as-a-service approach, we also take over the entire management in a Dedicated Cloud, so that you don't have to worry about anything.
Private Cloud
On the basis of our system requirements, a Private Cloud can also be set up by a customer's internal IT. In this case, the management of the platform, i.e. monitoring, server updates, etc. is completely your responsibility.
As soon as the server cluster is up and running, we can use our CI / CD pipeline to automatically load it with the latest version of the Mobile2b platform. In this way, you always stay up-to-date even in a private cloud.
If you would like to build your own Private Cloud, but lack the resources and/or know-how, we will be happy to support you in the form of consulting services.
Here is an overview of the three cloud variants:
| Shared Cloud | Dedicated Cloud | Private Cloud | |
|---|---|---|---|
| Customers | Multiple customers share one system | Dedicated system for one customer | Own system in the customer's infrastructure |
| Resources (CPU, RAM) | Shared | Dedicated | Dedicated |
| Data Separation | Software | Physically | Physically |
| Cost | None (included in monthly service fee) | Starting at 950 €/month (depending on selected HSP) | Customer’s internal IT costs |
| Hosting Service Provider (HSP) | GCP (ISO/IEC 27001, C5:2020, SOC 2) | Optional of GCP, Azure, AWS | Customer’s own infrastructure (see system requirements) |
| HSP Certifications | GCP, AWS | GCP, AWS, Azure | - |
| HSP SLAs | GCP, AWS | GCP, AWS, Azure | - |
| Backups | S3 | S3 | - |
| Management | Mobile2b | Mobile2b | Customer’s IT |
Server location
In the event that you choose to operate Mobile2b in a shared or dedicated cloud, this means that the software and your data are processed on servers managed by us in specialized data centers.
We only use data centers located in Germany . These data centers also meet the highest security standards such as BSI C5 or ISO/IEC 27001. This does not only apply to the primary data centers, but also to our backup data centers.
In addition, we only use data centers that are fully GDPR-compliant and with which corresponding Data Processing Agreements (DPAs) have been agreed as subcontractors within the meaning of the GDPR.
A detailed overview can be found in our Technical and Organizational Measures (TOM).
Encryption
When encrypting data, a basic distinction is made between encryption during the transmission of data between (sub)systems ("In Transit") and encryption of data in the idle state, i.e. as stored files on a server ("At Rest").
In Transit encryption
Mobile2b only transmits encrypted data between subsystems. The TLS 1.2 encryption protocol is used here. Clients that try to query data using an unencrypted protocol are always automatically redirected to the encrypted protocol before any user data is exchanged.
Transmission within Google Cloud (GCP) is also exclusively encrypted.
At-rest encryption
Companies are concerned about the constant threat to "Data at Rest" from hackers. We use extensive security measures to ensure that no one can access, steal or modify this data without authorization. Photos and documents are fully encrypted with 256-bit AES encryption. This encrypted data is also stored in a separate storage cloud (AWS S3) that does not know the keys.
Databases are also encrypted at hardware level by our hosting partners. Database content is never analyzed by us or our hosting partners.
Since our application relies entirely on managed services such as GKE, the at-rest encryption by the hosting partner extends to the entire application,
Passwords and authentication
We take measures in the area of access control to prevent unauthorised persons from processing or using data protected by data protection laws. This includes:
- Passwords are stored exclusively as bcrypt hashes: no possibility to deduce from hash to password
- JWT with HS256 (HMAC with SHA-256)
- 2FA (OATH-TOTP)
- Possibility for SSO via Active Directory
- Rights and role concept
- Set up regularly updated antivirus and spyware filters
- Manage user permissions
Penetration tests
We regularly have penetration tests of all our subsystems carried out by external security experts. These so-called "ethical hackers" try to uncover possible weaknesses in the system by simulated attacks.
By using external experts, we also consistently eliminate a possible "developer bias" in IT security testing.
Backup and recovery
- Complete system backup once a day
- Backup retention 30 days
- Separate Backup data center
- Existing recovery process for customers with appropriate SLA
- Deletion block to prevent accidental deletion
Data deletion
When you stop using Mobile2b, you can submit a deletion request. We will then delete all of your clients' user data and create a detailed log. Without an explicit deletion request, a client's data is automatically deleted from all productive and backup systems after 90 days.
Separation rule
We ensure that data collected for different purposes are processed separately and are separated from other data and systems in such a way that unplanned use of these data for other purposes is excluded:
- Authorization concepts
- Encrypted storage of personal data
- Software-side customer separation (Shared Cloud), multi-tenancy of relevant applications
- Separation of productive and test environment
- Physical separation (systems / databases / data carriers)
- Control via authorization concepts
- Definition of database rights
- Data records are provided with purpose attributes
Securing the integrity
We ensure that stored personal data will not be damaged by malfunctions of the system:
- Installing new releases and patches with release/patch management
- Function test during installation and releases/patches
- Logging
- Overview, with which programs which data can be entered, changed or deleted
- Traceability of input, modification and deletion of data through individual user names
- Clear responsibilities for deletions (rights concept)
- Process for data recovery from backups
Rapid recoverability
We ensure the ability to quickly restore the availability of and access to personal information in the event of a physical or technical incident. This is done by:
- Data backup procedures
- Regular tests of the data recovery
- Emergency plans
We also attach great importance to ensuring that all system functions are available and that any malfunctions that occur are reported. The following measures contribute to this:
- Automatic monitoring with e-mail and mobile phone notification
- Emergency plans with responsibilities
- IT emergency service in shift operation
- Regular data recovery tests
Regular evaluation of the security of data processing
We rely on measures that ensure data protection compliant and secure processing:
- Our employees are trained and committed to confidentiality/data secrecy
- Regular sensitization of employees
- The organisation complies with the information obligations under Art. 13 and 14 GDPR
- Documentation of security incidents and data breaches, e.g. via ticket system
- Data protection management
- Formalized processes for data protection incidents
- Instructions of the client are documented
- Formalized order management
- Service level agreements for the implementation of controls
Privacy by Design
Privacy by Design is an important principle for us. We are committed to continuously improving the privacy features of our products to meet the high demands of our customers. Therefore, we are also aware of data protection regulations and take these into account by designing our software in compliance with data protection laws and by using data protection-friendly default settings.
From our point of view, data protection can best be complied with if it is already technically integrated when a data processing procedure is developed. In other words, we protect personal data in the sense of GDPR by taking technical and organisational measures at an early stage of development. Through data protection-friendly pre-settings, we also ensure that personal data is processed with the highest possible level of data protection. This includes, for example, limited storage periods (if you so wish) and limited access to data.
System architecture
If you are interested in a detailed insight into our system architecture, please contact us for an overview.
External services
Mobile2b is developed in such a way that the main functionality is mapped entirely within the platform itself. Your user data therefore never leaves our system. However, some functionalities are created with the help of external services, which are listed below. There are order processing contracts with all external services in accordance with the GDPR.
| External service | Purpose |
|---|---|
| Mailgun | Sending of emails |
| Firebase Cloud Messaging | Sending push notifications to Android devices |
| Apple Push Notification Service | Sending push notifications to iOS devices |
| reCAPTCHA Enterprise | Validation of user interactions, prevention of bots/fake users |
| Sentry | Error and exception logging and analysis |
Logs
Log files are automatically generated at various points in Mobile2b in order to continuously monitor the stability and security of the system. These logs never contain user data from our customers, but only system data (anonymized if necessary).
| Logs | Purpose | Retention |
|---|---|---|
| Application logs of the various microservices via filebeat (ELK stack) | Analysis of errors (exceptions) and monitoring of automated processes (cron jobs). Monitoring of administrator logins via OpenVPN. | Hot phase (14 days) + warm phase (7 days): 21 days in total |
| Application exceptions in Sentry | Errors (exceptions) of various system components (backend, frontend, iOS, Android) are also logged in Sentry | 90 days |
| System logs of the Kubernetes pods | Evaluation of CPU and memory usage via Grafana | Hot phase (14 days) + warm phase (7 days): 21 days in total |
| Infrastructure logs of the Kubernetes cluster | Monitoring of automated processes (scale-up, scale-down) and administrative interventions | Audit logs: 400 days Classic GKE logs: 30 days |
| Login events | Monitoring of login attempts in a MariaDB table. Information contained: Account ID, user ID, API key, IP address, user agent, authentication result, timestamp | Unlimited |
| Outgoing emails | Status monitoring (sent, bounced, etc.) | 5 days |
If you have any questions that are not addressed in this document, please do not hesitate to contact us at info@mobile2b.com.
