Gauges is real-time web analytics software. This page gives an overview of application performance and of how security is designed into the Gauges software. Gauges hosts its services on Heroku, which provides network-isolated, dedicated runtime environments for enhanced privacy, power, and performance. This infrastructure provides secure integration of client accounts, secure storage of data with end-user privacy safeguards, secure encryption of passwords and two-factor authentication, secure and private communication with customers, and safe operation by administrators.
We will describe the security of this application in progressive layers, starting from physical and network security, continuing to how the hardware and software underlying the infrastructure are secured, and finally describing the technical constraints and processes in place to support the performance of the application.
Commitment to Privacy
As client service agencies rely more heavily on their data, they need to have confidence in the capabilities, reliability, and security of this software. Gauges applies security best practices and manages platform security so that customers can focus on their marketing strategies.
Gauges invests heavily in securing its infrastructure with expert engineers dedicated to security and privacy distributed across all of Gauges.
Gauges works hard to earn and keep the trust of its customers, so we want you to be aware of our commitments in each area.
Gauges’s computing platform assumes ongoing hardware failure, and it uses robust software failover to withstand disruption. All Gauges systems are inherently redundant by design, and no subsystem depends on any particular physical or logical server for ongoing operation. Data is replicated multiple times across Heroku dynos (a third-party platform) so that, in the case of a machine failure, data will still be accessible through another system. We also replicate data to secondary data centers in different seismic and geographic zones to ensure protection from data center failures.
Gauges’s services are designed to scale to hundreds of thousands of users. We run several kinds of performance tests, including load testing our applications under high load over a long period to observe the effect on factors such as memory use and response time. Gauges also performs stress testing to examine system performance in unusual situations, including functional testing of the system while under unusually heavy load, heavy repetition of certain actions or inputs, or input of large numerical values and large, complex queries to a database system.
We do everything in our power to protect agencies from attempts to compromise their data. We vigorously resist any unlawful attempt to access or block access to our customers’ data, whether it comes from a hacker or from malicious software. Whether the data comes from an integration or is a client’s contact data, Gauges does not own that data.
That means two key things:
- We use your information for the purposes specified in the policy, such as delivering you the service for which you pay.
- You have control over your data. We provide you with options to delete and export your data so that you can take your data with you at any time.
Gauges servers can be accessed only via HTTPS, using a Comodo SSL certificate. We use industry-standard encryption for data in transit to and from the application servers.
All user inputs are properly encoded when displayed, so that XSS vulnerabilities are avoided.
All POST requests are checked for a CSRF token before the request is processed.
Gauges interacts with the database through ActiveRecord, the default and convenient Object Relational Mapping (ORM) layer of Rails, which provides abstraction and safety and allows developers to avoid building SQL queries by hand.
Gauges also uses Brakeman, an open source static analysis tool that checks Ruby on Rails applications for security vulnerabilities.
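The two request-level controls described above (a per-session CSRF token checked on every POST, and HTML-escaping of user input when it is displayed) are modelled below in a small stand-alone example added here; it is not Gauges’s or Rails’ own code. Function names, the 422 response and the session hash are assumptions made for the illustration; in a real Rails app `protect_from_forgery` and ERB’s `<%= %>` output escaping provide the same behaviour.

```ruby
require 'erb'
require 'securerandom'

# Constant-time comparison so that a token mismatch cannot be timed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Issue a random per-session token once and keep it in the session store
# (here a plain Hash stands in for the Rails session; hypothetical helper).
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# A POST is acceptable only when the submitted token matches the session's token.
def csrf_valid?(session, submitted)
  expected = session[:csrf_token]
  return false if expected.nil? || submitted.nil?
  secure_compare(expected, submitted.to_s)
end

# Render user-supplied text by escaping it, so "<script>" becomes inert text
# rather than markup (ERB::Util.html_escape is what Rails views use by default).
def render_comment(user_input)
  "<p class=\"comment\">#{ERB::Util.html_escape(user_input)}</p>"
end

# Simulated controller action: reject a POST without a valid token (Rails answers
# 422 for an invalid authenticity token), otherwise render the escaped comment.
def handle_request(method, session, params)
  if method == 'POST' && !csrf_valid?(session, params[:authenticity_token])
    return { status: 422, body: 'CSRF token missing or invalid' }
  end
  { status: 200, body: render_comment(params[:comment].to_s) }
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  puts handle_request('POST', session, { comment: 'no token' })[:status]
  puts handle_request('POST', session, { authenticity_token: token,
                                        comment: '<script>alert(1)</script>' })[:body]
end
```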
ENCRYPTED DATA STORAGE
Gauges does not store any sensitive details on its network. We store sensitive details in our database in encrypted form.
Physical and Network Security
We use Cloudflare to handle increasing pressure from Internet traffic. Cloudflare is a web performance and security company. Cloudflare’s WAF, DDoS protection, and SSL defend website owners and their visitors from all types of online threats.
1. CLOUDFLARE WAF
Cloudflare’s enterprise-grade web application firewall (WAF) detects and blocks common application-layer vulnerabilities at the network edge, using the OWASP Top 10, application-specific and custom rulesets. Cloudflare accounts support two-factor authentication, which adds a layer of login security and so another layer of protection for our website.
2. CLOUDFLARE IPF
Cloudflare IP Firewall helps prevent the most common security attacks that run over a public network such as the Internet.
3. CLOUDFLARE RATE LIMITING
Rate Limiting protects critical resources by providing fine-grained control to block or qualify visitors with suspicious request rates.
4. CLOUDFLARE DDoS MITIGATION
DDoS mitigation resists the impact of distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting applications, websites, and APIs from malicious traffic that targets the network and application layers, and so maintains performance and availability.
Ensuring the availability of the Gauges application is just as important as protecting it from malicious requests. We have a dedicated team working 24/7 on application monitoring. We use both internal and multiple external monitoring services to monitor Gauges. Our monitoring system alerts our team through emails and phone calls if there are any errors or abnormalities in the request pattern. We take utmost care in picking the right external tools; here are the four tools that are woven together to monitor the Gauges application 24 hours a day.
Gauges uses Scout, a Rails monitoring app that provides performance metrics, a layer of analysis, and a generous helping of workflow improvements. These features reduce the stress of identifying the root cause of Rails app performance woes.
Gauges uses Rollbar, a real-time, full-stack error monitoring and debugging tool for developers, to monitor the impact of our code changes, measure performance, track errors, and analyze our application. It integrates with GitHub to link stack traces to the underlying source code, correlate exceptions with code changes, and create GitHub issues, allowing us to manage errors in our existing workflow.
Gauges uses Instrumental for sending metrics and building graphs to monitor servers and services. It provides us with:
- System & Service Monitoring
- Application Monitoring
Gauges uses Librato for monitoring and understanding the metrics that impact the software at all levels of the stack.
Vulnerability scanning and audits
Third party security testing of the Heroku application is performed by independent and reputable security consulting firms. Findings from each assessment are reviewed by the assessors, risk ranked and assigned to the responsible team.
Gauges undergoes penetration tests, vulnerability assessments, and source code reviews to assess the security of the application, architecture, and implementation. Our third-party security assessments cover all areas of our platform, including testing for OWASP Top 10 web application vulnerabilities and customer application isolation. Gauges works closely with external security assessors to review the security of the platform and applications and applies best practices. We also hold open bug bounty programs, which allow security researchers to report a vulnerability in the Gauges application as long as the vulnerability was discovered without using intrusive testing techniques.
Gauges is committed to complying with the strictest data protection frameworks and laws. The EU’s GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to unify data protection laws across the world, regardless of where that data is processed.
You can count on the fact that Gauges is committed to GDPR compliance across its products. We are also committed to helping our customers with their GDPR compliance journey by providing them with the robust privacy and security protections we have built into our product over the years. At the time of writing this document, Gauges is working aggressively to ensure its GDPR compliance. Gauges also wishes to comply with the EU-US Privacy Shield and is working towards ensuring compliance. This document will be updated accordingly for these items.
Gauges offers 99.99% app uptime and 99.99% API uptime. Furthermore, Gauges rarely has downtime or maintenance windows. To minimize service interruption due to hardware failures, natural disasters or other incidents, Gauges backs up the data and saves it on a different server in a different and highly redundant availability zone. If our server goes down, we spin up a replacement server within an hour.
Employee Screening and Policies
As a condition of employment, all Gauges employees undergo pre-employment background checks and agree to company policies including security and acceptable use policies.
We are working continuously to make our system secure. If you find any security issues, please submit them to firstname.lastname@example.org. We treat security as our highest priority. We will make sure the issue is fixed and this document is updated as soon as possible.