Information Security
Information Security
Article summary
Did you find this summary helpful?
Thank you for your feedback
This guide provides an overview of Yotpo's information security practices and protocols.
Server Security
- Yotpo servers can only be accessed from the VPC (Virtual Private Cloud).
- To gain server access, authorized employees must provide their SSH key and username.
- All SSH keys must be password-protected.
- The only employees who can access production servers are authorized members of Yotpo's Operations team, and when necessary, engineers who are granted access for a limited period in line with project duration.
- Server access is gained via Vault security system.
Network Security
- To access the network, authorized employees are required to provide their OPENVPN private key, username, and password.
- Full access to production servers is only granted to authorized members of Yotpo's Operation team. Developers and engineers may only gain limited access to production servers via Vault security.
- As Yotpo utilizes an Application Load Balancing ELB, load balancing endpoints with specific ports are the only publicly accessible endpoints in the Yotpo network.
- Each service type maintains a Security Group type which defines IP and port access.
- All traffic from ALBs to the outside world is conducted over SSL (supports Protocol-TLSv1.2, Protocol-TLSv1.1 and Protocol-TLSv1 protocols and is updated to AWS’s latest recommended protocol).
Application Security
- Yotpo uses OAuth2 authorization for application authentication.
- A process is executed daily to identify all expired tokens and invalidate them accordingly.
- For each token, we know which IP created it when and from what system (Widget/Admin).
Full System Encryption
- It comes to replace the only PII security and to leverage the cloud infrastructure used by Yotpo.
- Yotpo stores encryption keys in AWS/KMS.
- Yotpo encrypts all of its AWS storage using dedicated keys for each storage.
- Access to the KMS service configurations is granted exclusively to authorized members of Yotpo's Operations team.
- All backups are encrypted as well.
Data Security
- Yotpo allows only permitted and limited (2H) access to the “read-only no PI” databases of the system.
- Every query performed by Yotpo employees on the main database is logged.
Was this article helpful?