Security Whitepaper

Effective date: July 20th, 2019

You can find a high-level overview of our Privacy and Terms of Service here.

Our Mission

Technology has transformed retail over the past decade. It’s moved from a product-centric to a consumer-centric world: consumers want to form a relationship and the products they buy are extensions of who they are.


At Cerebra Technologies, Inc. (Cerebra), we are driven by the values and the mission of the brands we work side-by-side with to help solve one of their biggest challenges - building brand trust and customer loyalty.


We place a strong emphasis on making sure that our values and incentives are aligned with the brands we work with. We don’t sell customer and purchasing data. We understand that brands highly value their customer data, so at Cerebra we design platforms and applications to meet a high bar of security requirements and to exceed relevant industry security protocols and standards. We're committed to being transparent about our security practices and helping you understand our approach.

People Security

All Cerebra employees are required to understand and follow internal policies and standards. Background checks are performed to screen all employees. Security training is mandated as part of the onboarding process. Topics covered include device security, acceptable use, preventing spyware/malware, physical security, data privacy, account management, and incident reporting, among others.


Application Security

Secure Software Development Lifecycle

Best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Cerebra source code repositories requires strong credentials and two-factor authentication.

Secure by Design

All features are reviewed by a team of engineers as soon as they are conceived. Members of the Cerebra team have substantial experience working with and building secure technology systems. We believe in making every feature “secure by design”, hence we plan all functionalities with security in mind to protect the platform against security threats and privacy abuses.


We leverage modern browser protections, such as Content Security Policy (CSP) and HTTP security headers, to prevent Cross-Site Scripting (XSS), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.

Security Testing

Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.

Authentication

Cerebra allows users to log in with Shopify accounts using OAuth 2.0, the industry standard for authorizing secure access to external apps without exposing their account credentials. Cerebra does not receive or store user passwords when using OAuth. We implement the most secure version of the OAuth 2.0 authorization code grant to mitigate attacks that could leak the user's access token. Both access tokens and refresh tokens are encrypted at rest using AES-128 encryption.


This login feature has been extensively tested by an independent security testing company against common OAuth attacks, including but not limited to Cross-Site Request Forgery (CSRF) and misconfigurations of the redirect URL.


Cerebra encrypts Microsoft Exchange credentials at rest using AES-128 encryption and in transit using Secure Sockets Layer (SSL)/Transport Layer Security (TLS 1.2). Credentials are only accessed when communicating with the customer's Microsoft Exchange server using Microsoft's Exchange Web Services API. Users can revoke access from Cerebra at any time and request all their data in Cerebra to be deleted.

Network Security

Encryption in transit

To protect data in transit between Cerebra's apps and our servers, Cerebra uses SSL/TLS during data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. SSL/TLS is further used to encrypt the traffic between Cerebra servers and Cerebra databases within the same data center. Cerebra monitors the changing cryptographic landscape and upgrades its cipher suite settings as the risks change.


In our web application, we flag all authentication cookies as Secure and enable HTTP Strict Transport Security (HSTS) with "includeSubDomains" and "preload" enabled. Our web domain is included in the HSTS Preload list for all major browsers, which is maintained at https://hstspreload.org/. Together with SSL/TLS and Cerebra public certificates, HSTS protects against man-in-the-middle attacks and ensures that Cerebra apps only communicate with Cerebra servers.

Network Isolation

Cerebra divides its systems into separate networks using logically isolated Virtual Private Clouds in GCP data centers. This setup protects sensitive data by providing isolation between machines in different trust zones. Systems supporting testing and development activities are hosted in a separate network from systems supporting Cerebra's production website. Customer data only exists and is only permitted to exist in Cerebra's production network, its most tightly controlled network.


Network access to Cerebra's production environment from open, public networks (the Internet) is significantly restricted. Only network protocols essential for making Cerebra's service work are open at Cerebra's perimeter. All network access between production hosts is restricted using security groups to only allow authorized services to interact in the production network.


Our infrastructure and applications are monitored using standard health checks and log watchers. This helps detect systems that are malfunctioning as well as potential intrusions. Our on-call engineering team is responsible for investigating and addressing issues as they emerge.



Physical Security

Data center security

Cerebra leverages Google Cloud Platform (GCP) data centers for all production systems and customer data. GCP offers state-of-the-art physical protection for the servers and complies with an impressive array of standards. For more information on GCP Data Center Physical Security, see the GCP Security Whitepaper.

Office and Digital Equipment Security

A set of policies and procedures has been implemented to address the security posture of our workstations and laptops. All employee computers comply with these standards for device security. We require computers to have strong passwords, full disk encryption and automatic lock when idle.



Data Security

We are committed to the goals of confidentiality, integrity, and privacy of our customer data by employing a multifaceted approach to data security.

Encryption at rest

All data at rest in Cerebra's production network is encrypted using 256-bit Advanced Encryption Standard (AES). Cerebra leverages Google Cloud Key Management Service (KMS) to manage encryption keys. Keys are never stored on disk, but are delivered at process start time and retained only in memory while in use. The most sensitive customer data, such as transaction data, contracts, and access tokens, is further encrypted in our database and in-memory stores such that the plaintext never exists on Cerebra databases at any point in time. To ensure the security of our database, encryption keys are rotated regularly.


While analyzing the data, the transaction-level data is fully anonymized and aggregated so as to ensure that the transactions cannot be linked to any customer. This ensures that we can continue to deliver immense value while fully respecting the integrity of your data.

Employee Access to Customer Data

No customer data persists on employee laptops. We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, all actions taken by the authorized employee are logged. Upon termination of work at Cerebra, all access to Cerebra systems is immediately revoked.

Audit Trails

All actions taken to make changes to the infrastructure or to access customer data for specific business needs are logged for auditing purposes. In order to protect end user privacy and security, only a small number of engineers on the infrastructure team have direct access to production servers and databases.

Employee Authentication

Every Cerebra employee is provided with a secure password manager account and is required to use it to generate, store, and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviors that reduce security. All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords, passphrase-protected SSH keys, a Virtual Private Network (VPN), and two-factor authentication is used to shield mission critical systems.

Server Hardening

Servers deployed to production, as well as bastion hosts used to access production servers, are hardened by disabling unnecessary and potentially insecure services, removing default passwords, and applying Cerebra's custom configuration settings before use. We set up our systems following the Center for Internet Security (CIS) Benchmark recommendations. CIS Benchmarks are consensus-based configuration guidelines developed by experts in US government, business, industry, and academia to help organizations assess and improve security.

Privacy features

Cerebra is built upon being able to store all the user-generated content that exists on different social channels like Instagram, Facebook, and all review systems. A set of administrators is given access to upload, sync and moderate this content.


The administrators can choose which particular set of reviews and photos is allowed to be shown on the widget. The API that powers the widget is read-only and does not allow any malicious third party to access your protected customer data.



Legal

Compliance

Compliance with applicable regulations, standards and industry best practices protects us and our customers' sensitive information in ways that are testable and verifiable.


Cerebra is hosted in Google Cloud data centers, which are highly scalable, secure, and reliable. GCP complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001 and PCI DSS. More information can be found here.

Disaster Recovery and Business Continuity

Cerebra customer data is regularly backed up each day to guard against data loss scenarios. All backups are encrypted both in transit and at rest using strong industry encryption techniques. All backups are also geographically distributed to maintain redundancy in the event of a natural disaster or a location-specific failure. Cerebra uses third-party monitoring services to track availability, with engineers on call to address any outages.


Cerebra is set up to operate from geographically distributed locations. By leveraging cloud resources, Cerebra infrastructure and customer support teams can support your business at any time.

Contacting the company

We take security seriously at Cerebra. Customers using our service expect their data to be secure and confidential. Safeguarding this data is a critical responsibility we have, and we work hard to maintain that trust.


If after reading this whitepaper you have any further questions, please don't hesitate to contact support@cerebra.tech.