Security is one of the biggest considerations for every SaaS (Software as a Service) product. We have built Bold Reports SaaS on Google Cloud Platform (GCP), which is committed to the highest levels of trust, transparency, standards conformance, and regulatory compliance with the most comprehensive set of compliance offerings of any cloud service provider.
This document explains the important security features handled by Bold Reports for customer fulfillment, such as GCP security, authentication, authorization, data security, application security, disaster recovery and business continuity, network security, application monitoring, stripe payment gateway, and more.
Google Cloud Platform (GCP) has multiple layers of security controls and features to ensure the confidentiality, integrity, and availability of Bold Reports Cloud data. GCP is the first line of defense in protecting your Bold Reports resources in Google, which helps prevent, detect, and respond to threats with increased visibility into and control over the security of your Bold Reports resources. It provides integrated security monitoring and policy management across our service, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
Overall, GCP provides a robust security framework that includes multiple layers of security controls and features to protect Bold Reports data and infrastructure.
Authentication verifies the user’s identity. Anyone who wants to access and manage the resource such as reports, data source and dataset must be a user of the Bold Reports cloud application. The Bold Reports cloud can be configured to use either local or external authentication to validate the authenticity its the user.
In local authentication, Bold Reports cloud validates the user authentication by comparing the provided credentials with the details stored in the Bold Reports PostgreSQL database.
Bold Reports cloud can be configured with Azure Active Directory as external authentication provider.
Bold Reports Cloud can be configured to use Azure Active Directory for importing users into Bold Reports cloud and validating their authentication. Users will be logged into Bold Reports cloud once they are validated and authenticated by Azure by providing their credentials.
Authorization refers to which resources, such as reports, data sources or datasets, users can access on the Bold Reports cloud after authentication has been verified.
Authorization includes:
Bold Reports cloud provides support to control which users can see which reports, data sources and datasets. For data sources that connect to live databases, you can also control the users based on their permissions. There are read, write, create, and delete permissions, which can be assigned to users and groups. Without the read permission, no user could see your data source, dataset and reports.
Bold Reports cloud does not have access to the following information, except for limited access with customer permission for support and troubleshooting:
Security is a top concern for managing databases, and it has always been a priority for PostgreSQL database and it is a popular open-source relational database management system that is used by Bold Reports cloud to store and manage the data. PostgreSQL database supports connection security with firewall rules and connection encryption. All PostgreSQL databases are configured with a firewall rule that connections should only be allowed from the Bold Reports cloud application.
Protection of database:
PostgreSQL database helps secure your data by providing encryption:
Within the Bold Reports cloud application, Bold Reports cloud provides a flexible permission system with which you can control access to reports, data sources, and datasets.
Every tenant user can only log in to their own tenant and access the resources. Each tenant is deployed with its own database and resource storage, which ensures that data from one tenant is not shared with another. Also, users belonging to one tenant can only see users from the same tenant and share reports with those users. Users must have permissions to view and access the reports and resources created by another user within the same tenant.
Bold Reports cloud uses Microsoft Azure blob storage and a PostgreSQL database to store customer data. Each customer’s data is logically separated from other customers’ data using their unique identity. This set of identities is stored in another PostgreSQL database for lookup purposes. This ensures that no customer’s service data becomes accessible to another customer.
We hold your data in the Bold Reports cloud application as long as you choose to use Bold Reports Services. Once you terminate your Bold Reports cloud application, your data will be deleted from the Bold Reports cloud based on the following scenarios:
Bold Reports cloud uses the following encryption methods to secure information such as user passwords and database details:
Rijndael Encryption (256 bits)RSA Cryptography (1024 bits)AES Cryptography (128 bits)Every change and new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines and screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
The Bold Reports security team has years of experience in operating data centers and continually improves our processes over time. Employee access is logged and passwords are strictly regulated. We limit data access to only a few employees who need such access to provide support and troubleshooting on our customer’s behalf.
Backups of Bold Reports Cloud workloads can be scheduled periodically for both application data and cluster state data which can be useful for disaster recovery, CI/CD pipelines, cloning workloads, or upgrade scenarios. The cloud database will have the backup of the last seven days data by default. We can restore this to a new cluster at any time.
Bold Reports cloud relies on GCP network security, and its infrastructure helps protect your data against the most sophisticated electronic attacks. Bold Reports cloud provides the following network security measures.
Every piece of data transmitted to the servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2) encryption with strong ciphers for all connections, including web access, API access, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection and by encrypting the data to be transferred.
The Bold Reports cloud is configured with the HTTPS protocol, and we are also using the HTTP/2 protocol for encrypted connections, thereby increasing user and application security. The Bold Reports cloud application is configured with SSL; all content and communications between clients are encrypted using SSL, and the HTTPS protocol is used for requests and responses.
Bold Reports with HTTPS is secured using the Transport Layer Security protocol, which provides three key layers of protection:
Bold Reports Cloud makes internal API calls to access resources on the web using a secure connection. Bold Reports Cloud only accepts connections that use TLS 1.2 (Transport Layer Security) or above encryption.
The Bold Reports cloud database contains the most important data, as it connects to the database using an SSL connection, which offers encrypted data transfer between the application and the database. The Bold Reports cloud database has been configured and protected on GKE using a firewall that only allows access from the same GKE environment.
We are using Exceptionless, which monitors and analyzes information gathered from services, internal network traffic, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are stored on a secure server, isolated from full system access, to manage access control centrally and check availability in the GCP.
Cards are one of the most popular ways to pay online due to their broad global reach. We use the Stripe Payment Gateway for our SaaS business, which is an excellent software platform for running an internet business. The Stripe Payment Gateway has been integrated using the Stripe APIs and their client libraries.
We obtain the card details, encrypt them with secure encryption keys, and send them to Stripe for payment processing. We assure you that we do not store and cannot see your card details from our side. Your card details are handled only by Stripe Payment Gateways.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
The Bold Reports SaaS product includes various open source components. These components are licensed under the terms of applicable open source license agreements. Our legal team verifies and approves the use of these components in the Bold Reports cloud application. The usage of these components is revisited and reviewed before every release.