Poq App Information Security

This guide contains information about app security and Poq's security practices.

SOC Compliance and Reports

Poq is fully hosted on the Microsoft Azure cloud platform. Poq only uses MS Azure for hosting the underlying Poq infrastructure. A document that describes all the compliance offerings included in that platform can be provided upon request.

For more information about SOC compliance of our hosting provider please also review https://www.microsoft.com/en-us/trustcenter/compliance/soc

PCI Compliance and Attestation

Poq has carried out a 'PCI DSS SAQ (Self Assessment Questionnaire) A'. This report can be provided upon request.

In summary:

  • All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers (e.g. Stripe, Braintree);
  • Poq does not electronically store, process, or transmit any cardholder data on merchant systems or premises, but relies entirely on third parties to handle all these functions;
  • Poq has confirmed that all third parties handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant.

ISO27001 compliance

Poq is fully hosted on the Microsoft Azure cloud platform. Poq only uses MS Azure for hosting the underlying Poq infrastructure. Attached is a document that describes all the compliance offerings included in that platform. The certificate can be provided upon request.

Azure Statement of Applicability

Poq has a Statement of Applicability for Azure. The statement can be provided upon request.

Regions And Data Centres

The main data centre regions currently used by the Poq platform are West Europe, East US, West US and Australia East.

Development Lifecycle

Poq uses a secure development lifecycle. Security and data protection considerations are first reviewed at the Solution Design Phase, ensuring that there is provision for and agreement upon security standards and practices. This conversation typically involves the Solution Architect, Head of Engineering and Tech Leads from every function (Backend, iOS, Android, QA). Once this is agreed at the Solution Design Phase, the work required to implement the features is decomposed into User Stories as part of a delivery methodology called Scrum. Each User Story has mandatory Acceptance Criteria that determine when that story can be considered 'Done'. As part of the planning process that defines these Acceptance Criteria, the team reviews all data flows, encryption and communication protocols, and storage of personally identifiable information, in order to identify the security Acceptance Criteria that will eventually be tested and signed off in QA.

Security is defined as requirements within all software builds. Poq performs static code analysis for security compliance against the codebase. Complexity and test coverage analysis is done as part of the automated build and release pipelines.

All Pull Requests have to be approved by one other developer in the respective discipline (iOS, Android, Backend, QA).

QA is involved in all phases of the dev cycle to ensure quality considerations are incorporated from the design phase and Acceptance Criteria are agreed upon upfront.

iOS and Android developers write their own unit tests, which are run as part of the build process. Backend developers write their own unit and integration tests, which are run as part of a continuous integration pipeline. Test coverage is measured by the CI server (Azure DevOps).

Test Automation engineers write integration tests which are run as part of every build and release for backend APIs and are run for every release for mobile apps.

Automated static code analysis provided by GitHub is used to regularly assess dependencies and give feedback on any published vulnerabilities in the codebase. These are mapped into the backlog as user stories that are picked up by the respective dev teams and actioned as a priority.

Poq has a private GitHub account that employs 2-factor authentication. All secrets are kept securely in Azure DevOps.

Poq employs a policy of least privilege where access is concerned, and stringent onboarding and offboarding processes.

Poq makes extensive use of Azure's Security Centre, which uses AI to proactively monitor for unusual traffic patterns, intrusion detection, etc. Most Poq services are provided as Platform as a Service (PaaS) through App Services and Functions, which are automatically patched and upgraded and do not expose OS-level functionality. More can be read about the OS and runtime patching procedure and frequency on Microsoft's website (https://docs.microsoft.com/en-us/azure/app-service/overview-patch-os-runtime). Azure Security Centre also has recommendations on optimal setup and configuration in line with PCI, ISO and SOC standards.

Poq is aware of W3C and other open standards and the recommended best practices. Tech leads look to incorporate these into our coding guidelines and 'play books' as required, and enforce some of these standards using tools like code linters and static analysis. As mentioned elsewhere, all transmission and storage implementations look to use strong encryption as a standard. OWASP Secure Coding Practices are referenced as part of the 'Developer Playbook' for our front-end and back-end development disciplines. Tech leads review the checklist for front-end and back-end systems on a bi-annual basis.

Staff Training

Poq undertook comprehensive GDPR training across the company ahead of the new legislation in May 2018, and continues to review those policies on a regular basis. We have a standard onboarding process for engineering staff that outlines and reviews our coding and security practices, which incorporate the OWASP Secure Coding Practices.

Disaster Recovery and Business Continuity

The Disaster Recovery and Business Continuity policy can be provided upon request.

Summary:

  • Key business services are known and the data has an agreed backup and recovery strategy.
  • MS Azure was selected as it provides a “best of breed”, geographically robust, secure and scalable platform on which Poq can build its services.
  • Pertinent data is stored long-term on a regionally distributed, secure, highly-reliable and redundant live system cloud architecture.
  • Poq also uses infrastructure automation tools such as Terraform to ensure consistent, version-controlled management of infrastructure configuration.

List of Reports That Can Be Provided Upon Request

Report | Description
Microsoft Azure Compliance Offerings | Includes compliance with SOC 1, 2 and 3.
Azure SOC 1 2020 Certificate; Azure SOC 2 2020 Certificate; Azure SOC 3 2020 Certificate; Azure DevOps SOC 1 Certificate; Azure DevOps SOC 2 Certificate | SOC Certificates
PCI-DSS-v3_2-SAQ-A-rev1_1 | Attestation of PCI compliance
Microsoft Azure, Dynamics 365, and Other Online Services - ISO27001 Certificate - 12.20.2019 | ISO27001 Certificate
Poq Access Policy | Access Policy for all tools and services used by Poq staff and partners.