Your security is Gemoo’s top priority. You entrust us with your most valuable data, so we are doing our best to keep your data safe. Here’s a quick look at our internal security policies and practices to build a platform that’s secure. Thank you for choosing Gemoo and for your trust.
Gemoo uses Amazon Web Services (AWS) data centers for hosting, and leverages multiple availability zones to store customer data redundantly. AWS data centers are monitored by 24×7 security, biometric scanning, video surveillance, and are continuously certified across a variety of global security and compliance frameworks. For more information on AWS security practices, please check AWS security page.
Inside our Amazon AWS infrastructure, we segment our network into different areas, decoupling our production environments from our testing and development environments.
Gemoo's infrastructure is built on top of Amazon AWS, and we use their services to generate daily backups for our database that are then retained for up to 30 days. To ensure the data recovery process is working as intended, we execute data recovery exercises on a regular basis.
We use Amazon AWS Cloudtrail to monitor any suspicious activity within our backend systems.
To ensure that changes potentially affecting the security of the infrastructure are quickly detected, Gemoo Security Team has developed an automated solution that would create alerts in the ticketing system for review.
We use a next-gen web application firewall solution in blocking mode as the first line of defense in front of all customer-facing web traffic, to block content-based dynamic attacks.
We use different Amazon AWS services, such as AuroraDB and S3, which we configured to use AES-256 encryption for all data at rest.
●All communications with Gemoo servers are done over TLS. We do this so that no one can eavesdrop on the communication between your machine and our application.
●To ensure maximum protection for every user, we have added our domain to the HTST Preload list, which will ensure browsers do not connect to our application if it is not over HTTPS.
●At Gemoo, all code is peer-reviewed before being deployed to production, and all code is double-checked before release. Our developers inspect the logic and information flows of each new feature to ensure that no security vulnerabilities are introduced.
●As humans aren't perfect, we also write tests to ensure the application does not behave in an unexpected way.
●We also run Burp Suite, a semi-automatic scanning tool, for new features to find any security problems.
We support our secure software development lifecycle with tools that automatically detect code changes against security best practices. Gemoo Security Team reviews all code changes flagged as potential risks, keeps track of open issues, and communicates with engineers to share security-related knowledge and best practices on a daily basis.
●To highlight potential security risks as early as possible, all architectural plans are reviewed by Gemoo Security Team.
●Gemoo Security Team also partner with the engineering team to execute threat-modeling exercises on a case-by-case basis.
●Gemoo Security Team and engineers interact on a daily basis to share security mindset, best practices, and efficient tools.
All Gemoo web application communications are encrypted over 256 bit SSL, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions.
We have detailed user activity logging, including but not limited to security-related events like login, password change, content creation/deletion/editing/sharing, privacy settings, and access permission changes at the application level.
Gemoo supports a range of authentication methods, such as JWT, OAuth, and Password base. Passwords are never stored in plaintext.
Gemoo also allows you to restrict access to shared files with a password or with an email account.
Gemoo personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. All employees at Gemoo are required to participate in helping secure our customer data and company assets.
Access to customer data is limited to certain authorized employees who require it for their job and any data access is logged.
We maintain and regularly update an internal Threat Model of our infrastructure, assets, and application. We define the type of data and risk that each component is exposed to and how we protect these. This helps us in segregating our infrastructure and maintaining a minimum access policy approach.
We perform periodic risk analysis and assessments to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.
As all Gemoo applications and customer data reside only in Amazon AWS infrastructure, AWS security certification compliance applies. Amazon AWS is certified with the following certificates, among others:
●ISO 27001: Information Security Management Systems (ISMS)
●ISO 27017: Cloud-specific security control guidance
●ISO 27018: Protection of Personally Identifiable Information (PII) in public clouds
●ISO 9001: Quality management systems
●PCI DSS 3.2
●All of Amazon’s AWS services are GDPR ready.
For more information, please check https://aws.amazon.com/compliance/.