Vueocity provides a hosted environment within Amazon Web Services (AWS) for our customers to create secure digital content sites. Our platform provides protection of both site-owner content and user data from theft, loss, or unauthorized disclosure.
Below is a summary of security architecture, practices, and measures for use in security assessments.
Vulnerability and Penetration Testing
Vueocity performs regular penetration tests and security reviews on code, configuration, and procedures.
Organizations requiring penetration test certification may perform their own scans on their Vueocity site(s). Please contact Vueocity before performing such testing. We'll need to add IPs involved in testing to our ban exemption list to ensure test coverage.
Passwords are only sent over HTTPS and are stored as PBKDF2 salted hashes. Vueocity staff do not have access to the passwords and cannot reverse engineer them.
Data is stored in the US-West2 region in AuroaDB. EC2 servers and Elasticache work with data when necessary. S3 and CloudFront are used with site-owner's content files and any uploaded images.
Vueocity uses Cloudfront and public-facing Application Load Balancer for all Internet traffic. No other AWS resources are accessible from the Internet. Normally all communication is over HTTPS. Some HTTP communication may be used for some non-sensitive traffic with CNAME alias sites.
When applicable, all payment processing occurs on partner platforms (PayPal, Stripe); no customer payment information is collected or stored on Vueocity.
Intrusion Protection and Monitoring
Some key steps Vueocity takes to actively prevent intrusion and monitor attacks:
- All data is stored, processed, and transmitted within AWS. With the exception of public-facing HTTPS endpoints described above, all AWS resources are locked down and inaccessible from the Internet.
- Platform passwords must be strong (site-owners can configure how strong) and automatic retry throttling is used in combination with lockout for failed attempts.
- Content access requires authenticated sessions and active user licenses (site-owners can make exceptions to this for free content).
- Sessions for both site and content access expire (length is configurable by site owner).
- 3 cookies are used for different session management, each one token based -- sensitive session information is stored on AWS and not exposed to the client.
- All system activity is actively logged, and any suspect activity is flagged for immediate human monitoring.
- Automatic banning of suspicious IPs occurs based on frequency of requests.
- Any system errors (e.g., code exceptions, misconfiguration) are captured and return basic generic error messages with no internal information.
- Only Vueocity staff with direct need have access to platform and AWS accounts. Usage of Vueocity admin accounts is logged.