Security & Privacy Statement

Information Security Statement

1. Background

Netacea manages the Bot Management platform which enables a customer to identify, understand and mitigate the effect of non-human traffic on their website.

References in this security statement to “customer’s managed websites” are to the customer’s websites for which Netacea provides the Bot Management service.

Bot Management utilises web access logs or other logs that describe activity on the managed website to perform the service.  These logs are transmitted by the customer to the Bot Management application for processing. Other than web logs which are stored by Netacea for the purposes explained below, Netacea does not store any other data transmitted through its network (such as payment card numbers, personal details or passwords).

Netacea takes the protection of its customers’ data seriously. It aims to operate to an industry best-practice level of security, as detailed in the statement below. This statement sets out an overview of the following:

  • Netacea security policies (including internal and external validation of security standards)
  • Development, testing and deployment methodologies
  • Data management and security
  • Physical hosting environments
  • Scalability and reliability of system architecture
  • Ongoing internal and external validation of security standards

2. Security and Privacy Standards

GDPR

Netacea is committed to the security and the protection of its customers’ data. All data collected by the Bot Management product is considered “Anonymous” and cannot lead to the identification of an individual, either directly or indirectly. The protection of personal data is governed primarily by the General Data Protection Regulation (“GDPR”). We are also committed to ensuring that, as further guidance continues to emerge from data protection authorities, our processes and practices will comply with the new rules. Section 7 details how Netacea manages personal data.

3. Data Centre Security

Bot Manager is hosted by Amazon Web Services (AWS), therefore physical security is handled in accordance with Amazon’s security controls.  Amazon has a robust security process with all data centres and services meeting multiple certifications including SSAE.  See http://aws.amazon.com/compliance for details of AWS’s policies on security and data protection.


4. Application Security

Bot Management is a cloud-based system.  All systems are hosted within the central Netacea network.

The network is protected by strict firewall rules to restrict internal and external traffic to only that which is necessary.

All data is encrypted in transit when sent over public networks using the latest TLS technology and cipher suites.

Bot Management Application

Bot Management exists within the Netacea cloud environment.  Customer data is segmented and isolated in transit and at rest.

Bot Management sits externally to the customer’s system and therefore does not have any access to any elements of a customer’s estate other than the endpoint where recommendations and mitigation data are delivered.

A common management, patching and upgrade policy is applied across all installations to ensure that all installations meet the same high security standards.

The Bot Management application is subject to security assessments as part of regular penetration testing.

Management Portal

Reporting, configuration and administration are managed via the ControlSight management portal. Access to this portal is protected by strong password policies and requires multi-factor authentication.

All access and amendments are logged and monitored for exceptions by the Netacea support team.

The Management Portal application is subject to security assessments as part of regular penetration testing, and to 24/7 monitoring for security vulnerabilities provided by a third-party provider. See section 10 below for further information.

5. Availability

The Bot Management system has a High Availability (HA) architecture, and disaster recovery policies are in place.

As Bot Management is not operated in-line with customer systems, it is easily decoupled by the customer.  Cessation of service can be instigated by the customer by suspending log shipping to the Netacea network.

6. Third parties

All data is stored in Amazon Web Services in an appropriate region agreed with the customer.  Netacea does not transfer data between any AWS regions. See paragraph 3 above for a link to AWS’s policies on security and data protection.


Netacea does not share any personal data with third parties for the purposes of direct marketing.

7. Data Privacy and Management of Personal Data

Personal data stored by Netacea to provide the Bot Management service is limited to IP addresses.  IP addresses stored in the Netacea platform are encrypted and cannot be read while at rest by Netacea.

Customers wishing to query / validate IP address data can do so via the management console where IP data is decrypted and displayed in plain text.  The console is managed by customer administrators directly and cannot be accessed by anyone other than authorised users.

Web log data contains the standard data set associated with web logs, including:

  • IP addresses which are stored in an encrypted format
  • User agent string
  • Time and date of access to the customer’s managed website
  • Path accessed on the website.

Log retention policy is managed as specified by the customer technical group for reporting purposes only and at their sole discretion. Typically, the need to retain this data is driven by the following commercial and technical factors:

  • Forensic investigation of functional or security incidents instigated by the customer or by Netacea, or for customers’ own governance programmes
  • Machine learning algorithms that analyse prior behaviour to build a profile of likely future behaviour over time
  • Management of customer web traffic including rules-based and near real time traffic flow management
  • Identifying factors for non-human traffic
  • Further identification and analysis of the non-human traffic.


Netacea processes such data on behalf of the customer for the sole purpose of providing the Bot Management service.  Netacea expressly warrants that customer data is not used for any other purposes or for any other commercial benefit to Netacea.

Netacea also stores and manages a shared intelligence repository of known threat IP addresses.  This list is derived from publicly available sources and from behavioural analysis of our network traffic.  Customers may choose to opt-in to the shared intelligence or opt-out.

Customers opting in to the shared intelligence service may see IP addresses processed by Netacea identified as threat traffic and added to this shared intelligence database. Netacea does not store any other personal data and cannot identify individual data subjects from the IP data stored.

Customers who opt out of the shared intelligence service will not share any data with this service nor will they have access to the rules or data that constitutes this service.

JavaScript browser fingerprinting is available to deploy on the managed website; it does not collect or store PII and is an option for customers who wish to augment the standard product offering.

8. Data Subject Requests

Netacea can provide customers with data on individual IP addresses that have accessed the customer’s managed websites. Netacea requires the validated IP address in question and the time of access to action the request, as no other personal data is stored in relation to the IP address. Requests should be made to support@netacea.com.

9. Organisational and Administrative Security

Netacea has implemented internal policies and processes throughout the development lifecycle of its software products and into production to comply with industry best practice, with a view to ensuring that at all stages security risks are minimised and mitigated, including the following:

Operations

  • Access to production systems is restricted by job function and implemented on the principle of least authority.
  • All major changes go through a change review process requiring business, technical and security approval.
  • Audit logs are kept to provide system error tracking and to evidence compliance with the SLA.
  • We maintain internal information security policies, and regularly review and update them.

Software Development

  • All developers receive training on mitigating vulnerabilities in the OWASP Top 10 and on handling sensitive data in memory.
  • Security input is provided into system design and architecture, as well as feature definition.
  • All code changes are peer reviewed, and controls are in place to help prevent security flaws from being introduced in any release.
  • All code is automatically analysed for OWASP Top 10 vulnerabilities as part of the standard build process.

10. Handling of Security Breaches

Security incidents are managed by the senior team, and a full incident management process is in place to handle any security breaches whether raised from an internal or external source.

The incident response plan is tested and validated annually to ensure that appropriate response and communication plans are in place.

Core to the security response process is assessing the impact of the issue and notifying any customers affected.

11. Security Validation

Netacea employs a robust set of processes to validate that expected levels of security are being maintained.  These include:

  • Dedicated security personnel to pro-actively monitor industry newsfeeds of known breaches and communicate any action needed to the business.
  • Regular vulnerability scans, with enforcement of fixes for high-risk items until passing scans are completed. Vulnerability scanning takes place at least quarterly. External vulnerability scanning is done by a third-party security company.
  • Systems are patched on at least a monthly basis. Required patches are pro-actively monitored outside of the vulnerability scanning process.
  • Regular internal and external penetration testing of the Bot Management application and network. Penetration testing is conducted by CREST and OSCP qualified personnel. Bot Management systems are penetration tested upon any significant change to the application or network, and at least annually.

Security Policy Review

This document is reviewed as required or at least annually as part of the annual security policy review.