Security Practices

With the aim of being transparent and meeting our customers’ needs for security, we share the security practices we implement at AB Tasty through this policy. You will also find our answers to the most frequently asked questions about security here.

Confidentiality

Data Access

Access management

We apply the principle of least privilege, which means that only a limited number of people can access our customers’ data. These people are identified by name and a trace of their access is systematically kept.

Access to customer data is only permitted when required for the maintenance of our services or for customer support purposes.
Furthermore, the access rights granted are regularly reviewed and updated, and all our staff are subject to a confidentiality clause.

Preservation

Data is automatically purged 25 months after collection. Today, it is not possible to customise the retention period directly in the solution.

Removal

At the end of a contract, we automatically delete the user accounts from our platform and put the campaigns on hold.

You have the option of requesting the removal of data at bounty@abtasty.com.

Recovery

AB Tasty’s solution offers you the possibility to retrieve data from your test campaigns yourself at any time via its .csv data export feature.

Authentication

Our users have several possibilities to authenticate themselves on our platform:

Simple authentication

The user authenticates using a login/password combination.
The password must respect the following conditions of complexity:

  • Be composed of at least 12 characters
  • Contain at least one upper-case letter, one lower-case letter, and one digit or special character
  • Be changed at first connection

The password is stored in our database in a hashed and salted format, i.e. we never store the password in clear text.
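As an added illustration of the two points above (the complexity rules and salted hashing), the following Python snippet is example code written for this page, not AB Tasty's implementation. The page does not name the hash algorithm or work factor, so PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt are assumptions; the storage format `pbkdf2_sha256$iterations$salt$digest` is likewise invented for the example.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Complexity rules stated on the page.
MIN_LENGTH = 12

# Assumed work factor (not from the page): OWASP's current guidance for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("no digit or special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash; a fresh 16-byte salt is drawn from os.urandom when none is given.

    The clear-text password never appears in the returned record, only the salt
    and the derived key, both hex-encoded.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed record: refuse rather than raise, so callers cannot distinguish causes.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking where the two digests first differ.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery"  # constructed sample password
    print("policy violations:", check_password_policy(candidate) or "none")
    record = hash_password(candidate)
    print("stored record:", record)
    print("verify correct password:", verify_password(candidate, record))
    print("verify wrong password:", verify_password(candidate + "x", record))
```

Because the salt is generated per password, hashing the same password twice yields two different records, and an attacker who obtains the database cannot use a precomputed table across accounts.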

Multi-factor authentication

In addition to the login/password pair, the user enters a code sent by SMS to connect to the platform.

Identity federation

Our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.

Permission management

Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorisation model.
There are several user roles.

Encryption

The data collected is encrypted in transit (HTTPS/TLS 1.2+).
We constantly monitor the market and apply the latest standards in cryptography to ensure the best protection for our users.

Separation of customer environments

The data collected on our clients’ sites is stored in a dedicated database to prevent unauthorised access.

Integrity

Changes management

AB Tasty wants to offer the best possible product to its clients. That is why our platform is constantly evolving and we regularly deploy new versions.

In order to avoid introducing bugs or vulnerabilities during these developments, all changes to our platform are strictly controlled.

We have adopted an automated approach to integration and continuous release. Each time a developer modifies the platform’s source code, it is reviewed by a peer. A series of unit and functional tests are systematically performed in a staging and pre-production environment before a production release.

Checksum

Our solutions enable you to easily modify and customise the graphical interface of your sites.

For AB Tasty, these modifications are saved in a file called Tag.js, which is then stored in a secure space.

To further enhance the security of the Tag.js, you can check its integrity by comparing its checksum with the checksum we calculated when it was deposited in our storage space; that reference checksum is available through our public API.
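The check described above, as an added example written for this page rather than AB Tasty's own tooling: the bytes of the downloaded Tag.js are hashed and the digest is compared in constant time to the published one. The page does not state which hash algorithm the API returns or how the value is formatted, so SHA-256 as a hex string is an assumption, and the tag body below is a constructed sample rather than the real file. The example also goes one step beyond the page by expressing the same digest as a Subresource Integrity value, which lets the browser perform the comparison itself when the tag is loaded through a `<script>` element.

```python
import base64
import hashlib
import hmac

# Constructed sample standing in for the body of the real Tag.js (not the actual file).
SAMPLE_TAG_JS = b"window.ABTasty = window.ABTasty || {}; /* constructed sample */\n"


def sha256_hex(data: bytes) -> str:
    """Digest of the file as it would be published by the API (algorithm assumed)."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """Return True only if the downloaded bytes match the published digest.

    The published value is normalised (surrounding whitespace, letter case)
    and compared with hmac.compare_digest so the comparison time does not
    depend on where the first differing character is.
    """
    actual = sha256_hex(data)
    expected = published_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def sri_attribute(data: bytes) -> str:
    """Same digest in Subresource Integrity form, e.g. <script integrity="sha256-..." src=...>."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


if __name__ == "__main__":
    # In practice `downloaded` would be the response body fetched from the tag URL
    # and `published` the digest returned by the public API.
    published = sha256_hex(SAMPLE_TAG_JS)
    downloaded = SAMPLE_TAG_JS
    print("published digest:", published)
    print("intact file verifies:", verify_checksum(downloaded, published))
    tampered = downloaded + b"console.log('appended');\n"
    print("modified file verifies:", verify_checksum(tampered, published))
    print("SRI attribute:", sri_attribute(downloaded))
```

A mismatch should be treated as a reason not to execute the tag until the discrepancy is explained, since it indicates the file in hand is not the one that was deposited.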

Availability

Datacenter

Our entire IT infrastructure (applications, network and storage) is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified.

Backups – Replication

We make backups of your database instances with a retention period of 3 days.

The data collected is replicated in real-time in several zones, ensuring its availability at all times. Collected data is always stored in the region related to the client.

Disaster Recovery plan

Backups and redundancy of our IT infrastructure in several data centres of our cloud service providers allow us to ensure the availability of our services in the event of a disaster.

We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly.

Service Level Agreement (SLA)

We contractually guarantee the availability of our services. The guaranteed service levels can be consulted in the appendix to the general terms of service.

You can check the status of our services in near real time on a dedicated web page.

Traceability

Logging

We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc.).

Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as elements of investigation in the event of a security incident or as evidence in any legal proceedings.

Security checks

Human resources

Before joining AB Tasty, all our employees have gone through a rigorous recruitment process. Their backgrounds have been checked and we make sure they have the right skills for the job they are about to do.

All our employees are subject to a confidentiality clause that continues after their employment contract ends.

AB Tasty presents a charter for the proper use of IT resources to all newcomers. This charter is annexed to the internal regulations and is therefore enforceable against all its employees. Any person who does not respect the security rules may be subject to disciplinary measures.

Physical security

Access to AB Tasty’s buildings, whether for employees or visitors, is strictly controlled by security devices such as video surveillance, intruder alarms and electronic access badges.

We are very committed to respecting the confidentiality of information both inside and outside our facilities. We do not leave any document or confidential information in plain sight.

The entire IT infrastructure is hosted by our ISO 27001 certified cloud service providers.

Surveillance, audits and remediation of vulnerabilities

In addition to the security controls performed internally by AB Tasty’s teams, such as a periodic review of authorizations, we regularly call upon independent security providers to audit our services.

We have an annual penetration test performed to uncover possible vulnerabilities and security flaws. When such vulnerabilities are discovered, we provide the necessary security patches as soon as possible.

Protection and security devices

All our systems are protected by security devices such as anti-virus, anti-malware or firewalls.

Access to our servers and our production environment is protected by strong authentication and by a dedicated administration bastion, accessible via VPN.

Server configuration is strengthened. Open services and ports are reduced to the bare minimum to minimise the attack surface and limit our exposure to cyber threats.

Security incident

We inform our customers of any security incident that could impact them directly or indirectly. We have defined a security incident management procedure to prepare ourselves as well as possible for this possibility.

You can report any event or anomaly that may affect data security to the following email address: bounty@abtasty.com