Profile Ninja Security
Every day, our clients entrust Profile Ninja with their confidential information. Serving as a world-class steward for this information while it’s in our possession is critical to our success. Profile Ninja’s information systems contain multiple layers of security to ensure the confidentiality and integrity of all data that is submitted to us, and the availability of our services.
- Profile Ninja’s systems are hosted privately so that we control all critical aspects of security, maintenance and general management, ensuring guaranteed uptime of all services.
- All files submitted to Profile Ninja are encrypted at rest using TLS point-to-point encryption.
- All data transfers to and from Profile Ninja are encrypted using TLS or SFTP.
- Core systems have automated patching in place, which ensures we are running the latest patches wherever those patches come from package managers.
- We have personnel responsible for subscribing to CVE announcements for all relevant software used by a given system, triaging the announcements, and applying patches quickly where necessary. This ensures we run the latest patches, even where those patches need to be applied manually, such as for custom-built software.
- We set each system’s firewall to reject all traffic by default and only allow intended traffic types from accepted sources. All non-Internet facing systems are restricted within private subnets.
- SSH access is restricted to modern protocols and only key-based authentication, using an IP whitelist, VPN, and bastion boxes.
- We maintain strong IT policies, well-explained and enforced.
- In addition to understanding and complying with our privacy and acceptable use policies, employees are responsible for alerting management if they ever see signs of practices that might be inconsistent with the policy.
- Even when hiring for non-technical positions, we look for candidates with an appreciation for, and interest in, security.
- All employee accounts undergo regular access reviews to ensure that everyone has the minimum amount of access to do their jobs.
- We use two-factor authentication for all administrative accounts, and for other accounts wherever possible.
- Code reviews are required for all changes, with a focus on OWASP top ten vulnerabilities.
- For software that we write ourselves, we design it to be difficult to hack and use extensive testing to convince ourselves that’s true.
Intrusion detection systems
- Intrusion detection begins with sophisticated, automated internal tripwire software that compares MD5 hashes to ensure all files are tamper-free. Findings are reviewed by custom software and may be escalated for human review.
- IPS triggers are implemented when necessary.
- Internal vulnerability scans are completed quarterly and when major software releases are rolled out.
- Internal audits: We perform annual audits to confirm that we are complying with our own policies.
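A minimal version of the hash-comparison tripwire described in the first bullet above, added here as an illustration and not Profile Ninja's own software: it records a baseline digest for every file under a directory, then reports which files were modified, added or removed since. It assumes SHA-256 in place of the MD5 named above, and `demo()` builds a constructed temporary tree rather than scanning a real system.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 is assumed here; MD5 (named on the page) still detects accidental
# change but is not collision resistant, so an attacker could craft a
# replacement with the same digest. The baseline must be stored somewhere
# the monitored host cannot rewrite, otherwise tampering goes unnoticed.
HASH_ALGO = "sha256"


def file_digest(path, algo=HASH_ALGO):
    """Stream a file through the hash in 64 KiB chunks (large files stay cheap)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root, baseline):
    """Re-hash the tree and classify every difference against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed sample tree: baseline it, change it, and report the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)
        # Simulated changes after the baseline was taken.
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=1\n")  # modified
        (root / "bin" / "new.sh").write_text("#!/bin/sh\n")               # added
        (root / "bin" / "run.sh").unlink()                                 # removed
        return compare_to_baseline(root, baseline)
```

In practice the baseline is written once at deployment time and the comparison runs on a schedule, with a non-empty result feeding the review step the text describes.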
Business continuity and disaster recovery
- Profile Ninja uses high-availability architecture across multiple geographic zones to keep our systems running and to recover quickly in case of an outage.