Technical security information

  • Hosting

 

  • Encryption
    • All traffic to and from Infigo is encrypted (TLS v1.2)
    • Database and files are encrypted via industry-standard cryptography

 

  • Data ownership
    • Infigo assets and IP are owned by Infigo. Data uploaded to the platform by administrators or users falls under the terms and conditions of the customer platform.

 

  • Data deletion
    • Any customer data can be deleted upon request. Once data has been deleted, it cannot be recovered. For transactional purposes and audits, some PII (order information, IP addresses) may stay within the system for longer.

 

  • Passwords
    • Passwords are stored as salted hashes in the DB to protect against rainbow table attacks.
    • Password policies can be configured for each platform individually

 

  • GDPR
    • Infigo is fully compliant with GDPR

 

  • Coding best practice
    • All SQL queries are parameterised
    • User input is sanitised and validated
    • User content is sanitised and escaped when displayed

 

  • Patching and change management
    • Change management is done as IaC and CaC
    • Event monitoring is in place (internal and external)
    • Regular vulnerability scans are run, and identified issues are remediated according to our SLAs

 

  • Backups
    • We perform regular backups based on the agreed T&Cs

 

  • Software development life cycle
    • Changes are developed on independent feature branches
    • Testing and approval are applied before merging the branches into the main branches
    • Separate environments are available for development, QA and preproduction
    • Once a release candidate is signed off, a deployment slot will be assigned

 

  • Penetration tests
    • Infigo undergoes regular penetration tests/ethical hacks
    • Clients can perform their own penetration testing at their own cost and with written permission from Infigo

 

  • Data
    • During development and investigation, we will use custom-generated test data
    • If live user data is required to investigate an issue outside the production environment, we will obtain written permission before this is performed. Data will be obfuscated as much as possible while still being able to reproduce the issue. We will provide written confirmation of deletion of the data once it is no longer needed.