Security at Cohort
Last updated
Saying that security is important to us would be a huge understatement. Security is a top priority at Cohort and we live it in our day-to-day activities.
Our Senior Management team is accountable for security and ensures that security capabilities and competence exist at all levels of our business. As a whole, we follow a holistic and collaborative approach to guarantee the confidentiality, availability, and integrity of your data. On this page, you can read about the various policies and security measures taken by Cohort to secure user data hosted on our platform from unauthorized access.
Our infrastructure runs purely on Google Cloud Platform (GCP), which delivers infrastructure as a service with prime security capabilities.
All our infrastructure runs in the eu-west-1 region located in Belgium, which is a low CO2 emission region (it has a grid carbon intensity of at most 200 gCO2eq/kWh).
The data centers used for storing your data and allowing it to be delivered to your users are also certified for compliance with the ISO 27001 standard.
Your data is encrypted at rest in GCP Cloud Storage buckets and GCP Cloud SQL instances. AES-256 encryption is used by default via GCP’s encryption services, while key management is handled by GCP KMS. This keeps the data preserved and safe from prying eyes and manipulation.
All user passwords and credentials are handled by GCP's Identity Platform, which uses state-of-the-art security. It uses the algorithm for hashing passwords.
Cohort uses Stripe’s infrastructure to process credit card payments, which means that no credit card information or related personal information is stored on our servers. Stripe enforces stringent PCI DSS (Payment Card Industry) compliance criteria to ensure that any data stored and/or processed on its servers is handled in a secure way.
In addition to privacy and safety measures, Stripe employs an extensive range of checks designed to minimize payment fraud and unauthorized access. These checks include 3D-Secure authorization, credit card background checks, flagging suspicious transactions for manual verification, and real-time monitoring of payment transactions with automated anti-fraud algorithms.
All communication between you, your services and Cohort that includes your data traverses the Internet over HTTPS encrypted with TLS v1.2. In addition, data is encrypted in transit between Cohort and our Content Delivery Networks (CDNs). This encryption ensures that information cannot be read or manipulated by unauthorized third parties.
Our infrastructure, web applications, and APIs are penetration tested annually by external independent parties. Any vulnerabilities found are fixed according to the specifications in our internal SLA.
All our data, including Cloud Storage buckets and database daily backups, is replicated between multiple regions thanks to the use of GCP. Backup data is encrypted at rest using AES-256 encryption with keys provided by GCP KMS.
Access to your data is extremely restricted. We have hand-picked and trained support staff and on-support engineers who, with your explicit permission, can help fix your problem by accessing the affected data that you authorize. These actions are recorded, audited and monitored.
Did we mention we are a cloud native service? We do not have data centers. Physical security of our servers and of your data is managed by GCP. Physical security at our offices is also governed by our security program.
All of our cloud infrastructure is located in a Virtual Private Cloud (VPC), meaning that even though it is located in GCP's data centers, it is completely separated from the rest of the data center and from the internet.
We ensure that only our web servers and CDN are reachable from the internet. All of our other infrastructure (SQL databases, data processing servers, etc.) is only visible from within the VPC.
All communications to and from our servers are controlled by tight security groups, a GCP security feature for stateful firewalling.
To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS). We also constantly monitor our SSL configuration rating, where we target a minimum grade of A for all our domains.
Your data lives on our servers for as long as you need it. Our Data Retention Policy and Data Classification Policy govern the way we manage data that needs deletion and retirement.
To prevent your account from being compromised by brute-force attacks on our web application and APIs, we implement rate limits and captchas.
Access to customer data is logged along with SSH session commands in production. This provides a trail that can be easily followed in any security audit.
Application and access logs are kept for a duration of 14 days.
All access to and modification of our infrastructure is logged by GCP Audit Logs, and these logs are kept indefinitely.
We support OIDC and SAML SSO for authenticating users on Cohort. This allows you to define fine-grained access policies for your Cohort admin.
We employ a robust multi-tenancy model that ensures the optimal balance between resource efficiency and data security. Our infrastructure leverages shared servers and physical databases, enabling us to streamline maintenance and optimize performance across all tenants. Despite this shared environment, we maintain strict data segregation at the logical level. Each database table incorporates a dedicated tenant ID separation key, ensuring that all data is securely isolated and exclusively accessible to the authorized tenant.
Cohort utilizes GCP Identity Platform's built-in multi-tenancy features for user management. This sophisticated system provides advanced identity and access management solutions, allowing us to securely manage user authentication and authorization processes across different tenants.
Our infrastructure runs in Google Cloud Platform, where all components are deployed in at least three availability zones, minimizing disruptions caused by any failure and keeping your content constantly available. Elastic Load Balancers are used to automatically split the load and segregate traffic from the Internet to all nodes of our frontend layer.
All our software components run in Docker containers orchestrated by GCP Cloud Run. The clusters are automatically resized when the load on the system exceeds the pre-defined threshold.
Our platform has been designed from scratch to support high volumes of web traffic and this technology stack is the fundamental piece that caters to our high availability needs.
We use Cloudflare Web Application Firewall (WAF) and DDoS protection to make sure that our web servers are protected from malicious actors, so that DDoS and other attacks against them do not succeed.
Cohort utilizes database replication architectures to ensure redundancy and uptime. Encrypted backups are made every 6 hours and stored both onsite at the data center and copied to a remote storage location. Each key service layer has redundant components, such as multiple servers that provide the same service and content, to ensure any failures do not impact the rest of the system. Data centers are also equipped with controls to enforce physical security and protection against environmental hazards.
All vulnerabilities are tracked in our internal vulnerability management tool. Once a vulnerability is detected, it is assigned a score, using the CVSS scoring system, and an owner. We have an internal SLA that stipulates deadlines for fixing vulnerabilities, while progress is tracked by tools and, if necessary, a post-mortem is arranged as a learning exercise for our engineers to improve code security.
Our development process is based on GitHub’s pull request mechanism. Once a commit is made to a branch in a specific repository, the code is reviewed by members of the same team or from other engineering teams. Only once the pull request is approved by all tagged engineers is the code moved along in the development life cycle. Our developers and engineers are also heavy practitioners of pair programming, which lets them detect bugs and vulnerabilities more effectively before code makes it into the final product.
When code is committed to GitHub, our continuous integration process automatically initiates a series of tests. One such test is automatic static code analysis, configured to find vulnerabilities both in the code and within its dependencies. Dependency management is performed locally per repository, where all dependencies are tagged by version and downloaded from reputable sources over encrypted HTTPS.
Once the code is ready to be tested, it is deployed to our staging environment. This environment runs a downscaled version of the production infrastructure and does not contain any production data. Quality assurance is performed in a different GCP project that is configured with different domain names to ensure complete separation from production.
Security is part of the Product organization and influences the product roadmap and specific features. We implement the philosophy of “security by design” where security features are embedded in the product and architecture design to ensure existing and new functionalities are free of vulnerabilities. We believe that engineers should be responsible for the code they create and have an established culture of accountability, which leads to a high level of code quality and security being maintained.
Cohort continually looks out for any indicators that could potentially lead to incidents. To supplement this, any event-alerting tools we use also escalate into PagerDuty rotations for Cohort's 24x7 incident response team. We also maintain an incident response plan that details ways to address an incident, including the processes of notification, escalation, managing and reporting as a result of an incident.
All Cohort employees and contracted third parties are required to comply with Cohort policies relevant to their scope of work, including security and data privacy policies. Our standard work contract includes confidentiality clauses.
Cohort ensures its employees undergo regular security and privacy training. Employees with developer and administrative roles also undergo secure code training annually, while employees with responsibilities in the area of information security are also provided with additional training on security protection techniques, risks, and latest trends.
All hardware devices (desktops, laptops, phones) issued to Cohort employees come with encrypted storage partitions as well as MDM software that allows the IT department to monitor, manage, update, and secure the devices and the data contained on them. We make use of the ability to remotely wipe a device in the event of devices getting lost or stolen.
To ensure an acceptable level of password security, we have a password policy in place that complies with new standards based on NIST (National Institute of Standards and Technology) guidelines. Passwords that are too generic are not allowed, while the use of unique passwords per website is strongly advised. We also encourage the use of password managers, which make it easier and safer for you to keep track of your credentials.
Every technology, SaaS or tool is assessed to ensure a good understanding of the risks involved. Our Vendor Security Assessment Questionnaire, or VSAQ, is based on the VSA (Vendor Security Alliance) and CSA (Cloud Security Alliance) standards. Confidentiality and non-disclosure agreements are required when sharing any sort of confidential information, which could be sensitive, proprietary and/or personal in nature, between Cohort and an external third party. Any third-party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments based on their level of access and handling of information.
The use of multi-factor authentication (MFA) is enforced throughout the main services Cohort relies on. We internally use Okta with mandatory MFA policies for all Cohort employees. The use of MFA provides an additional measure for verifying a user’s claimed identity over the use of just a password. Currently, the minimum requirement for our MFA implementation is the use of a password combined with an access token (for instance, a code provided by Google Authenticator). MFA is also mandatory for GCP and GitHub access.
Cohort has multiple internal policies directly pertaining to or containing details about data privacy, security, and acceptable use; the most widely distributed and available of which is the employee handbook that includes documentation on security, data privacy, and related measures. In addition, Cohort also has a public-facing .