Security practices
With the aim of being transparent and meeting our customers’ needs for security, we share the security practices we implement at AB Tasty through this policy. You will also find our answers to the most frequently asked questions about security here.
AB Tasty is ISO 27001 certified, meeting international standards for information security management.

AB Tasty is SOC 2 compliant. We maintain a high level of information security, ensuring sensitive information is handled responsibly.

Confidentiality
Data Access
Access management
We apply the principle of least privilege, which means that only a limited number of people can access our customers’ data. These people are identified by name and a trace of their access is systematically kept.
Access to customer data is only permitted when required for the maintenance of our services or for customer support purposes.
Furthermore, the access rights granted are updated and regularly reviewed and all our staff are subject to a confidentiality clause.
Preservation
Data is automatically purged 25 months after collection. Today, it is not possible to customise the retention period directly in the solution.
Removal
At the end of the contracts, we automatically delete the user accounts from our platform and put the campaigns on hold.
You have the option of requesting the removal of data at bounty@abtasty.com.
Recovery
AB Tasty’s solution offers you the possibility to retrieve data from your test campaigns yourself at any time via its .csv data export feature.
Authentication
Our users have several possibilities to authenticate themselves on our platform:
Simple authentication
The user authenticates using a login/password combination.
The password must respect the following conditions of complexity:
- Be composed of at least 12 characters
- Contain at least 1 upper case, 1 lower case, 1 number or special character
- Be changed at first connection
The password is stored in our database in a hashed and salted format, i.e. we never store the password in clear text. Even in the case of a data leak, the password can neither be read nor reused by a malicious person.
Multi-factor authentication
In addition to the login/password pair, the user enters a code sent by SMS to connect to the platform.
Identity federation
Our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.
Permission management
Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorisation model.
There are four user roles:
- Admin: has full rights to the account
- User: can view and edit all campaigns but does not have access to account management settings
- Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
- Viewer: can see all campaigns but cannot update them
Encryption
The data collected is encrypted at rest (AES-256) and in transit (HTTPS/TLS 1.2+).
We constantly monitor the market and apply the latest standards in cryptography to ensure the best protection for our users.
Separation of customer environments
The data collected on our clients’ sites is stored in a dedicated database to prevent unauthorised access.
Integrity
Changes management
AB Tasty wants to offer the best possible product to its clients. That is why our platform is constantly evolving and we regularly deploy new versions.
In order to avoid introducing bugs or vulnerabilities during these developments, all changes to our platform are strictly controlled.
We have adopted an automated approach to integration and continuous release. Each time a developer modifies the platform’s source code, it is reviewed by a peer. A series of unit and functional tests are systematically performed in a staging and pre-production environment before a production release.
Checksum
Our solution allows you to easily modify and customise the graphic interface of your sites. These modifications are saved in a file named Tag.js and stored in a secure space.
To further enhance the security of the Tag.js, you can check its integrity by comparing its checksum with the checksum we calculated when it was deposited in our storage space using our public API.
Availability
Datacenter
Our entire IT infrastructure (applications, network and storage) is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified.
Backups
We make backups of your database instances with a retention period of 7 days. The backups are kept in a different datacenter from the production data.
Disaster Recovery plan
Backups and redundancy of our IT infrastructure in several data centres of our cloud service providers allow us to ensure the availability of our services in the event of a disaster.
We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly.
Service Level Agreement (SLA)
AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service.
You can check the status of our services in near real time on a dedicated web page.
Traceability
Logging
We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc).
Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as elements of investigation in the event of a security incident or as evidence in any legal proceedings.
Security checks
Human resources
Before joining AB Tasty, all our employees have gone through a rigorous recruitment process. Their backgrounds have been checked and we make sure they have the right skills for the job they are about to do.
All our employees are subject to a confidentiality clause that continues after their employment contract ends.
AB Tasty presents a charter for the proper use of IT resources to all newcomers. This charter is annexed to the internal regulations and is therefore enforceable against all its employees. Any person who does not respect the security rules may be subject to disciplinary measures.
Physical security
Access to AB Tasty’s buildings, whether for employees or visitors, is strictly controlled by security devices such as video surveillance, intruder alarms and electronic access badges.
We are very committed to respecting the confidentiality of information both inside and outside our facilities. We do not leave any document or confidential information in plain sight. We have strongboxes and shredders for the management of paper documents.
The entire IT infrastructure is hosted by our ISO 27001 certified cloud service providers.
Surveillance, audits and remediation of vulnerabilities
In addition to the security controls performed internally by AB Tasty’s teams, such as a periodic review of authorizations, we regularly call upon independent security providers to audit our services.
Twice a year, we have penetration tests performed to uncover any vulnerabilities and security holes. When such vulnerabilities are discovered, we provide the necessary security patches as soon as possible.
Protection and security devices
All our systems are protected by security devices such as anti-virus, anti-malware or firewalls.
Access to our servers and production environment is protected either by strong authentication or by a dedicated administration bastion.
Server configuration is strengthened. Open services and ports are reduced to the bare minimum to minimise the attack surface and limit our exposure to cyber threats.
Security incident
We inform our customers of any security incident that could impact them directly or indirectly. We have defined a security incident management procedure to prepare ourselves as well as possible for this possibility.
You can report any event or anomaly that may affect data security to the following email address: bounty@abtasty.com
FAQ
Do you have an information security policy (ISP)?
Yes, our ISP establishes the general framework that enables us to ensure the protection of the data entrusted to us. It is communicated to all our staff.
It is updated at least once a year and made available to our clients on request.
Do you have any security certifications?
We are ISO 27001 certified.
Moreover, our storage and information processing infrastructure is fully hosted by ISO 27001 and SOC 2 certified cloud service providers.
Is there a specific contact person to deal with security issues?
Our support team answers all questions, including security issues. Depending on the scope of the security issue to be addressed, this team is responsible for referring it to internal experts. We have interlocutors for the following four areas of expertise:
- Physical security of employees
- Workplace security and working methods
- IT development security and infrastructure
- Legal security
If you want to report an incident, we have a dedicated email address: security@abtasty.com
Have you identified your main security risks? What measures have you taken to reduce them?
To ensure the highest possible level of security for our customers, we decided to implement an Information Security Management System (ISMS) in accordance with the ISO 27001 standard.
We regularly carry out a risk analysis of our information system in which each identified risk is addressed and included in our risk treatment plan.
Security indicators allow us to control and monitor the level of identified risks until they reach an acceptable level.
Is your staff made aware of information security?
When they join AB Tasty, all our employees are made aware of and trained in the company’s culture and working methods. We systematically present our IT charter, which summarizes all the rules and best practices in terms of information security. We also remind them of these security rules in newsletters sent by the AB Tasty IT team.
Are all the people who have access to your clients’ data subject to a confidentiality clause?
All our employees are subject to a confidentiality clause in their employment contract. We also have all our partners who may have access to confidential data sign a non-disclosure agreement.
Do you have any sanctions for non-compliance with security rules?
Our IT charter, which summarizes all the security rules applicable in the company, is appended to AB Tasty’s internal regulations and is therefore enforceable against all our staff. A disciplinary process is provided for in the event of a breach of security rules.
Is the connection to the AB Tasty platform secure?
Yes, all connections to our platform are made in HTTPS via the TLS 1.2 protocol. It is also possible to activate multi-factor authentication (MFA). A code sent by SMS will be requested from users to log in to their account.
What is the password policy?
The user authenticates with a login/password pair. The password must meet the following complexity requirements:
- Be at least 12 characters long
- Contain at least 1 upper case, 1 lower case, 1 number or special character
- Be changed on first login
Is it possible to authenticate through an identity federation solution?
Yes, our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.
What are the different user profiles? How are their access rights managed?
Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorization model. There are 4 user statuses:
- Admin: has full rights to the account
- User: can view and edit all campaigns but does not have access to account management settings
- Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
- Viewer: can see all campaigns but cannot update them
Who can access the data collected by AB Tasty solution?
We apply a very strict access policy regarding data access (principle of least privilege). At AB Tasty, only our devops team can access the data collected by our solution.
How do you ensure that only specifically authorized persons access the data?
Access rights to data are given in name only: we always know the identity of the person authorized to access the data from a user account. The rights granted to users are regularly updated; a review is carried out at least once a quarter.
Do you keep data access logs?
Yes, we keep a record of all data access.
Is access to AB Tasty’s premises restricted to authorized persons?
Access to AB Tasty’s premises is controlled by an electronic badge access system, assigned by name.
Is visitor access monitored?
Access to visitors is strictly controlled. Their identity is checked, their presence on the site is recorded in a register, they are given a visitor’s badge and they are constantly accompanied.
Is the premises access monitored?
An anti-intrusion alarm system is installed. It is remotely operated by a specialized security company.
Have you established security rules to maintain the confidentiality of information in the workspace?
AB Tasty enforces the “clean desk” policy. No physical media (paper, removable drives, printouts) are left on desks, in meeting rooms or on the printer in the absence of the owner. Confidential paper documents are kept in a secure cabinet and shredded if they are to be disposed of. No screens or boards are visible from a window outside the premises.
How do you protect your technical premises (computer rooms)?
All IT infrastructure is hosted in data centres managed by our ISO 27001 and SOC 2 certified cloud service providers.
Is the data encrypted?
All the data we collect is encrypted in transit (via TLS 1.2) and at rest (in AES-256).
Is the data separated from that of other customers?
All data collected on our clients’ sites is stored in a dedicated database to prevent unauthorized access.
How long do you keep the data collected on your clients’ sites?
In accordance with the provisions of the GDPR and e-Privacy, we retain the data collected for a maximum period of 25 months. It is automatically deleted after this period.
Do you offer an export function for the data?
Test campaign data can be exported in .csv format directly from the AB Tasty platform by users only.
If the service is discontinued, what guarantees do you offer regarding the return and deletion of your customers’ data?
Our clients have the possibility to export the data of their test campaigns directly from the application at any time during the contract period.
At the end of the contract, we automatically delete the user accounts from our platform and put the campaigns on hold.
Our customers have the possibility to make a request for deletion of the data to legal@abtasty.com.
What guarantees do you provide on the availability of services?
AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service.
How can one check that you are fulfilling your commitments?
You can check the status of our services in near real time on a dedicated web page: https://status.abtasty.com
Is the data backed up?
We make a daily backup of all data generated by visitors to your site(s), with a retention period of 7 days.
Are the backups secure?
Backups are systematically stored on a different site from the production data, encrypted and their access is strictly limited.
Are restoration tests carried out regularly?
We regularly perform restoration tests on our test environments.
Do you have a disaster recovery plan?
We have a disaster recovery plan in place. The backups and redundancy of our infrastructure enable us to ensure the availability of our services in the event of a disaster.
In addition, our entire IT infrastructure is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified. They themselves have a disaster recovery plan.
Have you defined targets for maximum allowable downtime and maximum allowable data loss (RTO/RPO)?
The maximum allowable downtime and maximum allowable data loss is defined in the AB Tasty Disaster Recovery Plan.
Do you regularly test your DRP?
We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly and allow us to ensure the availability of our services in case of a disaster.
How do you ensure that changes to the source code of your solution do not introduce bugs or security holes?
The development cycle of our solution follows a continuous integration and deployment approach. This approach allows us to ensure continuous monitoring of changes to the source code, from the integration and testing phase all the way through to deployment in production. All modifications to the source code are systematically reviewed by at least two developers and unit tests are used to ensure that the code is executed correctly.
Do you use secure development frameworks?
We use the Symfony and React development frameworks, in versions that are systematically maintained in operational security conditions.
Is your team of developers trained in secure development?
Our developers are made aware of and trained on the security flaws presented in the OWASP Top 10. A training platform is available to our teams, where they can train on the subjects of their choice, including training on secure development.
How do you protect yourself against malware?
All our systems are protected by daily updated antivirus software.
Our IT team monitors current cyber security issues and the main security flaws that can impact our IT systems.
We monitor the status of our computers and systems and systematically apply the available security patches.
All software authorized in production is maintained in operational security condition by its publisher.
When a security vulnerability is reported to our teams, either through our security monitoring or through external audits, it is corrected as soon as possible.
What system and network events do you log?
We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc).
How long are the logs retained?
We keep the logs for 12 months.
Who can access the logs?
Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as investigative material in the event of a security incident or as evidence in any proceedings.
How do you ensure the security of your production environments?
Our IT infrastructure is an “as code” infrastructure. All resources (servers, network instances, security groups, firewall rules, etc.) are described in configuration files, which allows us to automate the deployment of our solutions and ensure a high level of availability for our customers.
This reduces the risk of human error or misconfiguration. As the infrastructure code is versioned, it is possible to go back in time in case of a deployment error.
We also constantly monitor the status of our instances in production using dedicated dashboards (via the Grafana tool).
Finally, all communication flows within our production environments are encrypted.
How do you ensure the security of maintenance and administration operations in your production environments?
Maintenance and administration of our production environment is carried out solely by our devops staff.
Access to the administration interfaces is always protected, either by an administration bastion or by a double authentication system.
Confidentiality and integrity of administration operations are ensured by the implementation of strong encryption protocols (SSL/TLS).
What is Tag.js, what does it allow to collect, or modify?
Our solution allows you to easily modify and customize the graphical interface of your websites. These modifications are saved in a file named Tag.js. When present on your website, the tag.js file shows graphical changes on your site and collects data on the behavior of your visitors.
Where are the tags stored?
The Tag.js file is stored in our content delivery network (Amazon CloudFront). The behavioural data is stored on our collection servers, all located within the European Union.
Who has access to it?
The URL of the Tag.js is public, and thus accessible to all, because the Tag.js must be able to be loaded by any visitor of your website.
However, before being deployed, the Tag.js file is “minified”: spaces, line breaks and comments are removed, variables are renamed and shortened as much as possible, and assertions are factored. This process of minification makes it possible to have a lighter file but it also acts as an obfuscation. It is therefore almost impossible to reverse-engineer this file.
How do you ensure the integrity of the tags?
To further enhance the security of the Tag.js, our customers can verify its integrity by comparing its checksum with the checksum we calculated when it was deposited in our storage space using our public API.
Are your external providers subject to security and confidentiality clauses?
All our service providers are subject to confidentiality clauses (Non-Disclosure Agreement). In addition, in the case of sensitive services or if the service provider must have privileged access, specific security clauses are included in the contract.
Are your providers subject to special monitoring?
When the service requires access to our information system, this access is monitored and limited in time.
Contracts with our most sensitive suppliers include security and auditability clauses. We regularly check the compliance of our suppliers and service providers with their contractual commitments.