Gtmhub Security Policy
This security policy is here to help you understand what information we collect at Gtmhub and how we use it. When we talk about Gtmhub in this policy, we are talking about Gtmhub Ltd. the company, the Gtmhub application, and the Gtmhub website at www.gtmhub.com. The Gtmhub application is available for use via a web browser and can be deployed in our cloud environment, a virtual private cloud, or on-premise at a customer site.
The following policy describes the practices Gtmhub employs to secure the data its clients provide and to prevent its misuse or loss.
Gtmhub enforces strict control over access to the data (refer to the "Content" definition in the Gtmhub Service Agreement) it processes on behalf of its clients. Gtmhub is committed to ensuring that client Content cannot be accessed by anyone who should not have access to it. To keep Gtmhub services operating, certain Gtmhub employees need access to the systems that collect and process client Content, for example to diagnose and resolve a service outage. Those employees are not allowed to use their access rights to view client Content unless it is strictly necessary to do so. Gtmhub uses access logs and audit trails to ensure that any access to client Content is tracked.
All Gtmhub services and applications are deployed in a virtual private cloud behind a hardware and software firewall configured to allow only HTTPS traffic. Cross-service communications use a separate private network physically isolated from any public traffic.
All communication with the Gtmhub application and the Gtmhub website, as well as communication between Gtmhub services, backups, and log shipping, takes place over secure connections using TLS 1.2, encrypted and authenticated with AES_128_GCM and using ECDHE_RSA as the key exchange mechanism. The Gtmhub team closely monitors the security community and is committed to promptly upgrading our services in response to new vulnerabilities as they are discovered.
Authentication and Authorization
All available service endpoints are secured using a third-party SOC 2 Type 2 certified authentication vendor, www.auth0.com. User credentials and Single Sign-On trusts are stored, managed, and secured by their solution. Authentication tokens are signed and verified using the SHA-256 cryptographic hash function.
All Gtmhub employee accounts with the corresponding cloud providers are required to use two-factor authentication. No Gtmhub infrastructure nodes (virtual machines, droplets, pods, containers, etc.) are directly accessible over any communication protocol (SSH, FTP, HTTP, etc.) from outside the corresponding virtual private hosting environment.
Backups and Client data storage
For redundancy, all backups are transferred to an external datacenter without leaving the boundaries of the corresponding region (Europe or the United States of America) over a secure socket connection using the TLS 1.2 cryptographic protocol, and are encrypted at rest.
Gtmhub uses a centralized logging system for all of its environments, both pre-production and production. Logs are transferred over secure socket connections using the TLS 1.2 cryptographic protocol. This logging system contains information about the health and availability of our services. The logging system does not aggregate any client Content. The information collected is used by our staff for troubleshooting and resolving service outages.
Product security practices
New features, architecture design changes, and functionality updates go through a security assessment process that includes detection of the SANS Top 25 and OWASP Top 10 vulnerability classes. Additionally, every code change is peer-reviewed and tested before it is merged into our codebase.
If you believe that you have found a security vulnerability in any Gtmhub service, please contact us at [email protected]. For additional security, you can encrypt the communication with the PGP key below. All reports will be investigated in a timely manner.