Gtmhub Security Policy

This security policy is here to help you understand what information we collect at Gtmhub and how we use it. When we talk about Gtmhub in this policy, we are talking about Gtmhub Ltd. the company, the Gtmhub application, and the Gtmhub website at www.gtmhub.com. The Gtmhub application is available for use via a web browser and can be deployed in our cloud environment, in a virtual private cloud, or on premises at a customer site.

The following policy describes what practices are employed by Gtmhub to secure and prevent misuse or loss of data provided to Gtmhub by its clients.

Confidentiality

Gtmhub enforces strict control over access to the data (refer to the "Content" definition in the Gtmhub Service Agreement) it processes on behalf of its clients. Gtmhub is committed to ensuring that client Content cannot be accessed by anyone who should not have access to it. In order to ensure the operation of Gtmhub services, certain Gtmhub employees need access to the systems which collect and process client Content, for example in order to diagnose and resolve a service outage. Those employees are not allowed to use their access rights to view client Content unless it is utterly necessary to do so. Gtmhub uses access logs and audit trails to ensure that any access to client Content is tracked.

Traffic

All Gtmhub services and applications are deployed in a virtual private cloud behind a hardware and a software firewall configured to allow only HTTPS traffic. Cross-service communications use a separate private network physically isolated from any public traffic.
All communication with the Gtmhub application and the Gtmhub website, communication between Gtmhub services, backups and log shipping happens over secure connections that use TLS 1.2, are encrypted and authenticated using AES_128_GCM, and use ECDHE_RSA as the key exchange mechanism. The Gtmhub team closely monitors the security community and is committed to promptly upgrading our services in response to new vulnerabilities as they are discovered.

Authentication and Authorization

All available service endpoints are secured using a third-party, SOC 2 Type 1 certified authentication vendor, www.auth0.com. User credentials and Single Sign On trusts are stored, managed and secured by their solution. Authentication tokens are signed and verified with a SHA-256 grade cryptographic hash function.

All Gtmhub employees' accounts for the corresponding cloud providers are required to use two-factor authentication. No Gtmhub infrastructure nodes (virtual machines, droplets, pods, containers etc.) are directly accessible over any communication protocol, such as SSH, RDP, FTP or HTTP, from outside of the corresponding virtual private hosting environment.

Backups and Client data storage

For redundancy reasons, all backups are transferred to an external datacenter without leaving the boundaries of the corresponding location (Europe, United States of America etc.) using secure socket connections under the TLS 1.2 cryptographic protocol, and are finally encrypted at rest.

Logging

Gtmhub uses a centralized logging system for all of its environments, both the pre-production ones and the production environments. Logs are transferred over secure socket connections using the TLS 1.2 cryptographic protocol. This logging system contains information for the healthy operation of our services and their availability. The logging system does not aggregate any client Content. The information collected is used by our staff for troubleshooting and resolving service outages.

Product security practices

New features, architecture design changes and functionality updates go through a security assessment process with static code analysis that includes detection of SANS Top 25 and OWASP Top 10 vulnerabilities. Additionally, any code change is peer-reviewed and tested before it is merged into our code base.

Incident management

If you believe that you have found a security vulnerability in any Gtmhub service, please contact our support team right away. We investigate all legitimate reports and are committed to resolving any security vulnerability in a timely manner.
