This whitepaper defines DailyBot’s approach to security and compliance.
Security, privacy and compliance are very important for us and we work hard to make DailyBot secure. Protecting your data and your security is one of our top priorities and this paper outlines our approach to security and compliance and we also detail our technical measures to keep your data safe.
What is DailyBot?
DailyBot is a platform and chatbot built for team collaboration and productivity. The chatbot integrates into current messaging platforms like Slack, Hangouts Chat, Microsoft Teams and there is a web application that is supported by modern web browsers.
DailyBot can integrate with more tools via APIs and our data is securely hosted on our back-end services. Each connection made and handled by DailyBot is end-to-end encrypted over HTTPS.
Only you and the people you have in your organization (and you give permissions) have access to your data.
At DailyBot we have very restricted access controls for the live data and we apply industrial standards for data at rest.
We’re committed to having experienced engineers behind our technology and product. We make sure the team that builds, maintains, operates and oversees the system has the right qualification and follows our standards.
Even though we’re a small team, we are very strict about hiring the right people. In addition, every employee and contractor is subject to our background checks.
Once we integrate new team members, they must learn DailyBot’s security policies and go through training sessions about security awareness, covering from how to write safe code to manage data, security and customer privacy.
Physical and Network Security
DailyBot’s servers, databases and artifacts are securely hosted on Amazon AWS in the U.S. All of our users’ data is being processed in the U.S.
AWS certifies their physical security with comprehensive compliance and controls, including allowing physical access to personnel with a validated business need, logged and monitored access, electronic surveillance and professional security personnel at all data center entry points. AWS is accredited against multiple security industry certifications including ISO27001. More details are available from the AWS website.
Each and every connection made to DailyBot is end-to-end encrypted over HTTPS, using TLS 1.2.
DailyBot forces HTTPS for all services, including our public website. Our Enterprise customers data is stored in containers encrypted with AES256 (a 256-bit Advanced Encryption Standard) in multiple physical locations within the United States.
Privacy and Trust
We have procedures to limit access to sensitive information and systems only to the necessary staff. Each person with access must comply with secure two-factor authentication and has individual credentials, we also require to connect through our secure VPNs before connecting to any system piece.
DailyBot’s providers must be as secure as our own platform. We use a certified partner to handle payments processing and all credit card information, and we never store any credit card information, our providers comply with PCI-DSS.
Our payment processor is Stripe, certified to PCI Service Provider Level 1; and Paddle, PCI DSS SAQ A Compliant, which is the most serious level of certification in the payment industry.
These are some of our key practices in security.
Our team members, employees and contractors have access to our system with our role-based permission system. Each user has unique credentials (username and password). We deny by default and we add privileges only to those that require access.
Our staff uses multi-factor authentication to access our key systems.
We put a strong focus on our change management practices. Source code is reviewed by peers and managers, automated alerts are sent when code is pushed to any branch in our repositories. Our infrastructure as code lets us track any change to our production systems with total accountability and production releases require pull requests and sign-off by technical managers.
We use Continuous Integration tools to run automated tests and deploy to our pre-production environments. In addition to our automated tests, our team runs manual additional tests to make sure that everything is working properly. Once our code is approved, a senior member of our team releases it to production through automated systems that support rolling deploys and rollbacks.
We monitor every release and keep a log of our releases, scope and risks.
DailyBot’s systems are built on top of Amazon Web Services (AWS).
We take advantage of AWS security services for network and applications, those services provide us with vulnerability scanning, monitoring, alerting, configuration and intrusion detection. We use CloudWatch to log application usage and exceptions, in addition we use our own privately hosted Sentry instance to track application runtime errors.
We use CloudFlare as DNS and Firewall and we have enabled mechanisms to protect our platform for activity like DDoS attacks, malicious bots and other nefarious intrusions.
DailyBot's uses AWS and other tools to scan for network vulnerabilities. We check daily against published security notices and patches required. We use release planning and change management.
Any security issue of high priority for us. In compliance with GDPR and regulations, we will inform all customers affected by an incident as soon as possible, in a period no longer than 72 hours.
Backups and redundancy
Our automatic backups are part of our practices and built-in into our different services. Our data is backed up and stored encrypted. Our runtime servers have redundancy so that if a server fails, another can take over the work automatically and instantaneously. In case of a natural disaster, if we lose a data center facility (i.e. from AWS), we can get back to operation in a period of 3 days.
About our Vendors
We work with third-party providers that comply with our security standards and they are evaluated regularly. Whenever we consider working with a vendor, we make sure that their security is the same or better than our own.
Security inside our Application
DailyBot Access and Control
Any DailyBot organization and user is the owner of its project and data. They have the control to invite, allow, disallow access to their organizations at any time. All users are encouraged to use oAuth, and it's also possible to use email/password, Enterprise plans can optionally enable the 2FA for extra security. No customer or user keys or passwords are stored in the clear.
Our backend services make sure that the data remains confidential. By design, our services take care of multi-tenancy and guarantee that only owners of data can see their own data.
Our software development process requires developers to have sandboxed test environments that use their own test data. It's never possible to use production keys or data for local tests. At DailyBot we take code reviews very seriously in order to check changes and guarantee our application security. Every feature and release requires pull requests that are reviewed and approved by senior staff.
DailyBot's stack runs on AWS with micro-services, lambda functions and our backend is totally separated from the client applications that are written on VueJS. Our backend uses a combination of Python3 and NodeJS, we continuously upgrade versions and do maintenance to our stack. We regularly talk about security in our internal sessions and offer training to our team regarding secure software development practices.