Security is one of the biggest considerations for every SaaS (Software as a Service) product. We have built Bold Reports SaaS on Google Cloud Platform (GCP), which is committed to the highest levels of trust, transparency, standards conformance and regulatory compliance with the most comprehensive set of compliance offerings of any cloud service provider.
This document explains the important security features handled by Bold Reports for customers fulfillment such as GCP security, authentication, authorization, data security, application security, disaster recovery and business continuity, network security, application monitoring, stripe payment gateway, and more.
Google Cloud Platform (GCP) has multiple layers of security controls and features to ensure the confidentiality, integrity, and availability of Bold Reports Cloud data. GCP is the first line of defense in protecting your Bold Reports resources in Google, which helps prevent, detect, and respond to threats with increased visibility into and control over the security of your Bold Reports resources. It provides integrated security monitoring and policy management across our service, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
Overall, GCP provides a robust security framework that includes multiple layers of security controls and features to protect Bold Reports data and infrastructure.
Authentication verifies the user’s identity. Anyone who wants to access and manage the resource such as reports, data source and dataset must be user of the Bold Reports cloud application. Bold Reports cloud can be configured to use local authentication or external authentication to validate the authenticity of the user.
In local authentication, Bold Reports cloud validates the user authentication by comparing provided credential with the details stored in Bold Reports PostgreSQL database.
Bold Reports cloud can be configured with Azure Active Directory as external authentication provider.
Azure Active Directory
Bold Reports Cloud can be configured to use Azure Active Directory for importing users into Bold Reports cloud and validating their authentication. User will be logged into Bold Reports cloud once they are validated and authenticated by Azure by proving their credentials.
Authorization refers to which resource such reports or data sources or datasets, users can access on Bold Reports cloud after authentication has been verified. Authorization includes:
Bold Reports cloud provides support to control which users can see which reports, data sources and datasets. For data sources that connect to live databases, you can also control the users based on their permissions. There are read, write, create, and delete permissions, which can be assigned to users and groups. Without the read permission, no user could see your data source, dataset and reports.
Bold Reports cloud does not see the following information except limited access with customer permission for support and troubleshooting:
Security is a top concern for managing databases, and it has always been a priority for PostgreSQL database and it is a popular open-source relational database management system that is used by Bold Reports cloud to store and manage the data. PostgreSQL database supports connection security with firewall rules and connection encryption. All PostgreSQL databases are configured with a firewall rule that connections should only be allowed from the Bold Reports cloud application.
Protection of database:
PostgreSQL database helps secure your data by providing encryption:
Bold Reports cloud provides the flexible permission system using which you can control the access to reports, data source and datasets.
Every tenant user can only login to their tenant and access the resource. Each tenant has been deployed with its own database and resource storage, which ensures that one tenant data is not shared with other tenant. Also, users belong to one tenant can only see the users belong to the same tenant and share a report to that tenant users. Users must have permissions to view and access the report and resources created by another user on same tenant.
Bold Reports cloud uses Microsoft Azure blob storage and PostgreSQL database to store the customers data. Each customer’s data is logically separated from other customers’ data using their unique identity and this set of identity will be stored in another PostgreSQL database for lookup purpose. This ensures that no customer’s service data becomes accessible to another customer.
We hold your data in Bold Reports cloud application as long as you choose to use Bold Reports Services. Once you terminate your Bold Reports cloud application, your data will get deleted from the Bold Reports cloud based on the following scenarios:
Bold Reports cloud uses the following encryptions to encrypt the secure information such as user password and database details:
Rijndael Encryption (256 bits)RSA Cryptography (1024 bits)AES Cryptography (128 bits)Every change and new feature is governed by a change management policy to check all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines and screening of code changes for potential security issues with our code analyzer tools, vulnerability scanners, and manual review processes.
Bold Reports security team has years of experience in operating data centers and continually improves our processes over time. Employee access is logged and passwords are strictly regulated. We limit access data to only a few of these employees, who need such access to provide support and troubleshooting on our customer’ behalf.
Backups of Bold Reports Cloud workloads can be scheduled periodically for both application data and cluster state data which can be useful for disaster recovery, CI/CD pipelines, cloning workloads, or upgrade scenarios. The cloud database will have the backup of the last seven days data by default. We can restore this to a new cluster at any time.
Bold Reports cloud relies on GCP network security and infrastructure helps protect your data against the most sophisticated electronic attacks. Bold Reports cloud provides the following network security.
Every data transmitted to the servers over public networks is protected using the strong encryption protocols. We mandate all connections to our servers use the Transport Layer Security (TLS 1.2) encryption with strong ciphers for all connections including web access, API access, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection and by encrypting data to be transferred.
The Bold Reports cloud is configured with HTTPS protocol and also we are using HTTP/2 protocol by encrypted connections, increasing user and application security. Bold Reports cloud application is configured with SSL, all content and communications between clients are encrypted using SSL, and the HTTPS protocol is used for requests and responses.
Bold Reports with HTTPS is secured using the Transport Layer Security protocol, which provides three key layers of protection:
Bold Reports cloud makes the internal API call to access resource in web using secure connection. The Bold Reports cloud will only accept all the connection that uses TLS 1.2 (Transport Layer Security) or above encryption.
Bold Reports cloud database contains the most important data in it since Bold Reports cloud connects to database with SSL connection, which offers the encrypted data transfer between application and database. Bold Reports cloud database has been configured and protected on GKE using firewall by allowing the access only from same GKE environment.
As we are using exception less, which monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs and store these logs in a secure server isolated from full system access to manage access control centrally and check the availability in the GCP.
Cards are one of the most popular ways to pay online with broad global reach. The Stripe Payment Gateway method is used for our SaaS business, which is the best software platform for running an internet business. The Stripe Payment Gateway has been integrated using the Stripe APIs and their client libraries.
We get the card detail and encrypt with the sort of secure encryption keys and send to the stripe for payment processing. So, we have provided assurance that we do not store and could not see your card details anymore from our side. Your card details to be handled only by Stripe Payment Gateways.
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
Bold Reports SaaS product is included with various open source components. Such components are licensed under the terms of applicable open source license agreements. Our legal team will verify and approve the use of such component in Bold Reports cloud application. Such component usages are revisited and reviewed before every release.