Security FAQ
Vcheck is committed to protecting your data with enterprise-grade security practices. Our platform is SOC 2 compliant, and we follow strict protocols to ensure the confidentiality, integrity, and availability of your information.
Below are answers to common questions about how we secure your data, handle sensitive information, and maintain compliance.
Why should I trust the security of this platform?
At Vcheck, we give the highest importance to the portal's security. We have employed the following mechanisms to make sure you can trust the security of our platform:
Encryption Protocols:
We employ robust encryption protocols (HTTPS/SSL) to secure data transmission over the portal. This ensures that your information remains confidential during transit.
Access Controls:
Strict access controls are implemented to ensure that only authorized individuals have access to sensitive data. We have implemented RBAC (Role-Based Access Control) using a signed JWT token infrastructure for this.
Data Protection Measures:
Your data is treated with the utmost care. We have implemented measures to safeguard against unauthorized access, loss, or alteration of your information.
Regular Security Audits:
Our portal undergoes regular security audits. This helps identify and address potential vulnerabilities proactively.
Compliance with Standards:
We adhere to industry standards and regulatory requirements for SOC2 concerning data security and privacy. This ensures that our practices align with the best and most current security standards.
Incident Response Plan:
In the event of a security incident, we have a well-defined incident response plan in place. This includes immediate action, investigation, and transparent communication with affected parties.
Transparent Privacy Policies:
Our privacy policies are transparent and easily accessible. We are committed to being clear about how your data is used, stored, and protected.
User Education and Awareness:
We invest in educating our users about security best practices. Resources and guidelines are provided to help you enhance your own security practices.
Reliable Technical Infrastructure:
The portal is built on the AWS ecosystem for a reliable and secure technical infrastructure. We prioritize AWS best practices to ensure uninterrupted service.
User Feedback and Improvement:
We value user feedback and continuously strive to improve our security measures based on user insights and evolving security threats.
What measures are in place to protect my data?
Your data is treated with the utmost care. We have implemented measures to safeguard against unauthorized access, loss, or alteration of your information.
All PII (Personally Identifiable Information), i.e. DOB, SSN, Subject Information and reports, is encrypted in transit and at rest in the database.
We have employed an automated testing framework to ensure no issues exist, and regular Role-Based Access Control testing to safeguard against unauthorized access.
We have employed continuous backup using the AWS RDS PITR (point-in-time recovery) feature to protect against data loss, with per-second recovery.
We have employed an audit trail of important fields to keep track of change history and protect against alteration of your information.
How is user authentication handled?
User authentication is a critical aspect of our security infrastructure, and we implement several measures to ensure the secure verification of user identities. Here is an overview of how user authentication is handled:
Username and Password:
Users are required to use their email address as their username and to set strong, secure passwords.
Passwords are hashed and stored securely using industry-standard cryptographic algorithms to protect against unauthorized access.
Token-Based Authentication:
For all browser-to-backend communication, we use token-based authentication.
Tokens are time-sensitive and provide an additional layer of security by minimizing the risk of session hijacking.
OAuth for All Internal & Admin users:
We have implemented OAuth for internal users and the admin sections of the portal for secure and standardized authentication.
External access is blocked using a secured private network.
Account Lockout Policies:
To prevent brute force attacks, we implement account lockout policies.
After a certain number of unsuccessful login attempts, an account may be temporarily locked to protect against unauthorized access.
Session Management:
Sessions are securely managed to ensure that users remain authenticated while actively using the system.
Session tokens are encrypted and have a limited lifespan to reduce the risk of unauthorized access.
Audit Logs:
Authentication attempts, successful or unsuccessful, are logged for monitoring and audit purposes.
This allows us to identify and investigate any suspicious activity and provides transparency into who accessed the system and when.
Password Policies:
We enforce strong password policies, including requirements for minimum length, complexity, and regular password updates.
This helps prevent the use of easily guessable or compromised passwords.
Regular Security Audits:
Authentication mechanisms are regularly audited to ensure they meet current security standards.
Any vulnerabilities identified are promptly addressed to maintain a secure authentication process.
By employing these authentication measures, we aim to provide a robust and secure environment for users, protecting their accounts and ensuring that only authorized individuals have access to the portal. If you have specific questions or concerns about authentication, feel free to reach out to our support team for more information.
What access controls are in place to safeguard my information?
To safeguard your information, we implement robust access controls that regulate and monitor access to sensitive data. Here is an overview of the key access control measures in place.
Role-Based Access Control (RBAC):
Access privileges are assigned based on roles and responsibilities within each account.
Users are granted permissions specific to their role, limiting access to only the resources and functionalities necessary for their job.
Fine-Grained Access Controls:
Access controls are configured with granularity, ensuring that users have the minimum necessary permissions to perform their tasks.
Unnecessary access to sensitive information is restricted.
Access Approval Workflows:
Certain sensitive operations or data access requests may require additional approval.
Access approval workflows are implemented to ensure that higher-level authorization is obtained before granting access to critical information.
Data Segmentation:
Data is segmented based on sensitivity and user roles.
This helps compartmentalize information, ensuring that users can only access data relevant to their job responsibilities.
Audit Trails:
All access and modification activities are logged in audit trails.
This includes details such as who accessed the data, when, and what actions were performed.
These logs are regularly reviewed to detect and respond to any suspicious activities.
Time-Based Access:
Access to certain information may be time-restricted based on business needs.
For example, temporary access may be granted for file share and report share links, and it is automatically revoked when no longer needed.
Encryption of Sensitive Data:
In addition to access controls, sensitive data, i.e. Subject Info, DOB, SSN, etc., is often encrypted.
Even if unauthorized access occurs, the encrypted data remains unreadable without the appropriate decryption keys.
Regular Access Reviews:
Periodic access reviews are conducted to ensure that access privileges remain aligned with current job responsibilities.
Any unnecessary or outdated access is promptly revoked.
Emergency Access Procedures:
In case of emergencies or unforeseen circumstances, there are defined procedures for granting temporary access to authorized personnel.
These procedures are designed to balance the need for access with security requirements.
By implementing these access control measures, we aim to ensure that your information is protected from unauthorized access and that access is granted only to those who legitimately require it for their designated roles and responsibilities. If you have specific questions about access controls or would like more detailed information, please feel free to contact our support team.
How is data transmission secured?
The security of data transmission is a top priority, and we employ several measures to ensure its confidentiality and integrity. Here is an overview of how data is secured during transmission:
Transport Layer Security (TLS):
We use TLS, the industry-standard protocol for securing communication over the internet.
TLS encrypts data during transit, preventing eavesdropping and man-in-the-middle attacks.
The use of HTTPS (HTTP Secure) ensures a secure connection between your device and our servers.
Strong Encryption Algorithms:
Our system employs strong encryption algorithms to secure the data.
This includes the use of advanced ciphers and cryptographic protocols to protect against modern security threats.
Certificate Validation:
TLS certificates are used to establish the authenticity of the server and ensure that you are communicating with our legitimate portal.
Certificate validation mechanisms are in place to prevent potential security risks associated with invalid or expired certificates.
Content Security Policies (CSP):
Content Security Policies (CSP) are enforced to prevent the execution of potentially harmful scripts and mitigate the risk of Cross-Site Scripting (XSS) attacks.
This helps ensure that the content delivered to your browser is safe and secure.
HSTS (HTTP Strict Transport Security):
HSTS is employed to enforce the use of secure connections.
It instructs browsers to always use HTTPS, reducing the risk of users inadvertently accessing the portal over an unsecured connection.
Security Headers:
HTTP security headers, such as X-Content-Type-Options and X-Frame-Options, are implemented to enhance the security of web applications and protect against common web-based attacks.
Regular Security Audits:
Our security measures, including data transmission protocols, undergo regular audits to identify and address potential vulnerabilities.
This proactive approach helps maintain the highest standards of security.
By implementing these measures, we aim to ensure that your data is securely transmitted over Vcheck's platform, providing a safe and trustworthy environment for your interactions. If you have specific concerns or would like more detailed information about our data transmission security practices, please feel free to contact our support team.
Is my data encrypted at rest?
Yes, the security of your data is of utmost importance to us, and we take measures to ensure that your data is encrypted at rest. Here is an overview of how we protect your data while it is stored on our servers:
Encryption Algorithms:
We use strong encryption algorithms to encrypt your data before it is stored.
This encryption process ensures that even if unauthorized access to the storage infrastructure occurs, the stored data remains unreadable without the appropriate decryption keys.
Key Management:
Encryption keys are securely managed to prevent unauthorized access to the keys themselves.
Key management practices include regular rotation of keys, secure storage, and access controls to protect against key compromise.
Data at Rest Encryption:
At the infrastructure level, AWS S3 encryption is employed to encrypt the documents.
This ensures that all the documents are automatically encrypted, providing an additional layer of security.
Secure Storage Infrastructure:
The AWS storage infrastructure is designed with security in mind.
Access to Databases and S3 buckets is restricted, and measures are in place to detect and respond to any unauthorized attempts to access or tamper with stored data.
Access Controls:
Strict AWS access controls are implemented to regulate and monitor access to stored data.
Only authorized personnel with a legitimate need can access and manage the stored information.
Regular Security Audits:
We conduct regular security audits and assessments of our storage systems to identify and address potential vulnerabilities.
This proactive approach helps maintain the security of stored data.
Compliance with Data Protection Standards:
We adhere to industry standards and regulatory requirements concerning data protection.
This includes compliance with SOC2 and other applicable data protection frameworks.
By implementing these measures, we aim to provide a secure environment for your data, both during transmission and while it is at rest on our servers. If you have specific questions or concerns about how your data is encrypted at rest, please do not hesitate to reach out to our support team for more detailed information.
What privacy measures are in place to protect my personal information?
Your personal information is safeguarded through rigorous privacy measures. We adhere to strict access controls, implementing role-based permissions and encryption protocols to secure data during transmission and storage. Regular audits, stringent authentication processes, and compliance with data protection regulations, such as SOC2, further enhance privacy.
Our commitment includes transparent privacy policies, user education on best practices, and continuous improvement based on user feedback. This comprehensive approach ensures the confidentiality and integrity of your personal information, providing you with a trusted and privacy-centric experience on our platform.
Does Vcheck's Platform comply with relevant data protection regulations?
Yes, it is designed and operated with a commitment to compliance with relevant data protection regulations. We prioritize adherence to standards and laws that govern the handling of personal data, such as SOC2. Our compliance efforts include implementing privacy by design principles, robust security measures, transparent privacy policies, and mechanisms to honour data subject rights. Regular assessments, audits, and updates to policies ensure ongoing alignment with evolving data protection requirements. For specific details on how our portal complies with relevant data protection regulations, please refer to our privacy policy or contact our support team for further information.
What happens if there is a security incident?
For critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, eradicate the threat, recover systems and services, remediate vulnerabilities, and document a post-mortem report including the lessons learned from the incident.
How is the portal monitored for security threats?
Vcheck uses AWS native security and logging tools such as CloudTrail, CloudWatch, GuardDuty, and Security Hub. We also utilize a web application firewall (WAF), cloud security posture management (CSPM), a cloud access security broker (CASB), and a security information and event management (SIEM) solution to monitor and protect the portal's cloud infrastructure.
How are software updates handled?
Software updates are crucial for maintaining a secure and reliable portal. Here is an overview of how we handle software updates:
Patch Management:
We maintain a structured patch management process to promptly address vulnerabilities and apply security patches.
This includes staying informed about the latest security advisories and proactively mitigating potential risks.
Regular Updates:
Software components, including the operating system, web servers, databases, and third-party libraries, are regularly updated to the latest stable and secure versions.
This helps ensure that the portal runs on the most current and secure software.
Test Environments:
Updates are tested in dedicated environments before being deployed to the production environment.
This helps identify and address any compatibility issues or unintended consequences of the updates.
Scheduled Maintenance:
Updates and maintenance activities are often scheduled during low-traffic periods to minimize disruption to users.
Scheduled maintenance windows are communicated to users in advance.
Automated Deployment:
Where applicable, automated deployment tools are used to streamline the process of rolling out updates.
Automation helps reduce the risk of human error and ensures a consistent update process.
Rollback Procedures:
In the event of unexpected issues arising from an update, we have rollback procedures in place to revert to a stable and known configuration.
This minimizes downtime and disruption.
Security Best Practices:
Updates are not only applied for feature enhancements but also to address security vulnerabilities.
Following security best practices, we prioritize the timely application of security-related updates to protect against potential threats.
Monitoring and Feedback:
After updates are applied, systems are closely monitored for any unusual behaviour or performance issues.
User feedback is also welcomed to identify any issues that may not have been detected during testing.
Compliance with Regulatory Requirements:
Updates are applied in compliance with relevant regulatory requirements, ensuring that the portal adheres to data protection and security standards.
By adhering to these practices, we aim to keep the portal's software stack secure, reliable, and up to date, providing users with a stable and protected environment. If you have specific questions about the software update process for our portal, please feel free to contact our support team for more detailed information.
Is there a process for keeping the system up to date with security patches?
Yes, maintaining the system's security through the timely application of security patches is a fundamental aspect of our operational processes. Here is an overview of the process for keeping the system up to date with security patches:
Vulnerability Monitoring:
We actively monitor security advisories, threat intelligence feeds, and vendor notifications to stay informed about potential vulnerabilities affecting the software and systems used in the portal.
Risk Assessment:
Identified vulnerabilities undergo a risk assessment to prioritize the severity and potential impact on the system.
This helps in determining the urgency of applying patches.
Patch Testing:
Before deploying patches to the production environment, they are tested thoroughly in a staging or testing environment.
This ensures that the patches do not introduce new issues and are compatible with existing configurations.
Scheduled Patching Cycles:
We establish regular patching cycles to streamline the process.
This may include scheduled maintenance windows during low-traffic periods to minimize the impact on users.
Automation Tools:
Automation tools are employed to facilitate the efficient deployment of patches.
Automated processes help reduce human error and ensure a consistent and timely application of patches.
Rollback Procedures:
If a patch causes unexpected issues, rollback procedures are in place to revert the system to a stable state.
This minimizes downtime and disruption.
Compliance with Best Practices:
Security patches are applied following industry best practices, ensuring that the system remains in compliance with security standards and regulatory requirements.
Continuous Monitoring:
After patch deployment, continuous monitoring is maintained to detect any anomalies, performance issues, or potential security concerns that may arise because of the applied patches.
Incident Response Preparedness:
In the rare event that a security incident occurs despite patching efforts, a well-defined incident response plan is in place to address the situation promptly.
This process is part of our commitment to maintaining a secure environment for our users by proactively addressing potential vulnerabilities and ensuring that the system is fortified against emerging security threats. If you have specific questions about the patching process or the security practices of our system, feel free to contact our support team for more detailed information.
What steps are taken to educate users about security best practices?
Ensuring that users are well-informed about security best practices is a crucial aspect of maintaining a secure environment. Here are the steps typically taken to educate users about security:
Onboarding Training:
New users undergo onboarding training that includes an overview of security policies, guidelines, and best practices. This ensures a solid foundation for security awareness.
User Support and FAQs:
A user support system is in place to address queries related to security.
Frequently Asked Questions (FAQs) and troubleshooting guides include security-related topics.
Encouraging Reporting:
Users are encouraged to report any suspicious activities or security incidents promptly.
Reporting mechanisms are made easily accessible, fostering a culture of proactive security.
Can you provide an overview of the technical architecture of the portal?
Sure, we can provide a generic overview of the technical architecture of our web portal.
Client-Side (Frontend):
User Interface (UI): The frontend consists of the user interface, which users interact with. It is developed using web technologies such as HTML, CSS, and JavaScript. We have built our frontend framework using React JS and customized it with Material UI components to enhance UI development and provide a responsive user experience.
Browser Compatibility: The frontend is optimized for the latest versions of Chrome, Safari, Microsoft Edge, and Firefox. The minimum requirements are as follows:
Chrome 49+
Edge 79+
Safari 11+
Firefox 52+
Server-Side (Backend):
Web Server: We use Nginx in an AWS ECS container to handle incoming HTTP requests from clients. Under the hood, we use Django REST framework to serve user requests.
Database Server: Persistent data is stored in and retrieved from a database server. We use the AWS Aurora PostgreSQL service for this.
Application Logic:
APIs (Application Programming Interfaces): We are using RESTful APIs to enable communication between the frontend and backend components.
Security Layers:
HTTPS (TLS/SSL): Secure communication is ensured using HTTPS to encrypt data in transit.
Firewalls and Security Groups: Network-level security measures are implemented to control and monitor traffic.
Authentication and Authorization: User identity is verified through secure authentication mechanisms, and authorization ensures that users have appropriate access permissions.
Data Storage:
Relational Database Management System (RDBMS) or NoSQL Database: We are using AWS Managed Postgres DB.
Caching Mechanisms: We use the Django-supported ORM for caching and faster data retrieval.
Infrastructure:
AWS VPC: We use AWS VPC for private network infrastructure and deploy applications as ECS containers in a private VPC.
Cloud Services or On-Premises Servers: The portal is deployed on AWS Cloud.
Load Balancers: Load balancing distributes incoming traffic across multiple servers to ensure optimal performance and reliability.
Containerization and Orchestration: Containers (e.g., Docker) and orchestration tools (e.g., Kubernetes) may be used for efficient deployment and management of services.
Monitoring and Logging:
CloudWatch: All application logs are pushed to the Amazon CloudWatch Logs service for tracking and troubleshooting purposes. Any sensitive information or PII is masked in the logs.
Logging Services: Events, errors, and activities are logged for troubleshooting and analysis.
Monitoring Tools: Tools monitor system health, performance, and security in real-time.
Third-Party Integrations:
Email Server: We use the Microsoft 365 SaaS application.
CRM: We use Salesforce CRM, integrated with the portal.
External APIs: Integration with third-party services or APIs may be necessary for additional functionalities or data exchange.
Authentication Providers: Integration with external authentication providers (e.g., OAuth, OpenID Connect) for user authentication.
Scalability and Redundancy:
Database Scalability: Currently we use the Postgres RDBMS, which can scale vertically.
Application Scalability: We use AWS containers, which can be scaled horizontally. The UI application can also scale horizontally.
Scalability Measures: The architecture may incorporate horizontal scaling, allowing the portal to handle increased traffic by adding more instances.
Redundancy and Failover: Redundant components and failover mechanisms ensure system availability in case of server failures.
Disaster Recovery:
PITR (point-in-time recovery): We have a PITR option, which allows us to restore previously taken backups at 5-minute intervals.
Automated Backup: We take automated backups every day, so we can restore any snapshot from the past 35 days.
Manual Backup: We take a manual backup before any application upgrade.
Stateless Applications: Since all applications other than the database are stateless, we can easily deploy them in any other region.
What measures are in place to ensure high availability and reliability?
The UI application is deployed via Amplify, so it is highly available by default. The backend application is deployed via ECS in 2 different availability zones, so it is also highly available. For the database, we use RDS across 2 availability zones, so it remains available if one zone fails. Because our application stack is deployed across 2 availability zones, it remains highly available and reliable if one availability zone is lost.

