Protecting Your Data Every Day
Your data is quite simply yours. No one else should be able to see it and you should have total control over it. At CardBoard we value your data’s security, and we work every day to make sure it stays that way.
Your data is encrypted when transmitted and when it is stored at rest. SSL is used when sending data from the CardBoard servers to your web browser. When your data is at rest it is encrypted with AES-256 block level storage encryption. Our data center provider has industry leading physical protection mechanisms to keep unauthorized personal out.
We haven’t ever lost data, but we are prepared if we ever do. We utilize continuous protection on our database and can roll back to a few hours ago and up to 30 days. In the event the CardBoard application has an outage, we have monitors that can detect and re-deploy the application to other working data centers. Thus, you can be sure that you don’t have to worry about CardBoard down time and your business will continue as normal.
SAML based SSO
One of the biggest security features that CardBoard provides is the ability for you to integrate with your Identity Provider and grant access via Single Sign On (SSO). This way, you have total control on who can access your data, set your own password requires or even require TFA (Two Factor Authentication).
We use Stripe to manage credit card processing. None of the servers used for CardBoard have access to any credit card information. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
Personal and Training
A company is no more than a collection of its employees. At CardBoard, we make sure every employee goes through background checks. If they don’t pass, they can’t work here. To be a hyper-aware security-based organization, you need to provide training to your employees. We use services such as Security Mentor and KnowBe4 to train our employees on common mistakes and what to be on the lookout for.
CardBoard utilizes the Ruby on Rails framework which helps our developers prevent common security coding mistakes. This includes security controls like parameter checking, cross-site forgery requests (CSFR), SQL injection and cross site scripting (XSS).
We use industry leading tools like OWASP ZAP for penetration testing. It is an automated tool that tries to penetrate our site and reports findings.
Each request that is sent to the CardBoard server is logged. We retain these logs for 30 days. In the event of a security incident, we have the data to track what happened and the data that could have been accessed.