Platform Security
Security of the CleverMaps Platform (the product) is a priority for us, and therefore we list here the main controls implemented to protect the platform and the organization. If you have any security concerns or questions, feel free to send them to security@clevermaps.io.
CleverMaps organization security
Regular audit and security certifications
To improve internal security practices, CleverMaps conducts internal and external security audits every year. Both cover multiple areas - HR, IT, Software Development, Operations, Physical Security and more - and CleverMaps actively mitigates the identified non-conformities and implements the opportunities for improvement. These activities help to maintain the CleverMaps security posture at the highest possible standard. You can download and review our security certificates at Drata.
Organizational security controls & documentation
As a part of CleverMaps organizational security, the internal security team implements various security controls to fulfill the security requirements defined by the ISO 27001 and SOC 2 frameworks. The SOC 2 Type II and ISO 27001 certifications of CleverMaps emphasize our commitment to protecting our customers' data and facilitating a safe and secure Location Intelligence ecosystem.
Specific controls, including the security documentation, can be reviewed online at the Drata Trust Center page.

Product development process security
To ensure that security has been integrated into various areas of our development process CleverMaps has deployed the following practices:
Secure coding practices - Our engineering team has defined a set of secure coding practices that they follow during development. These practices are based on the OWASP Cheat Sheet Series.
Responsible disclosure - External parties can access the CleverMaps Responsible Disclosure page to report any vulnerability in the product.
Code vulnerabilities mitigation - Engineering continuously focuses on reported vulnerability mitigations and keeping our environment up to date. More information can be found in our Release Notes.
Security training - The development team regularly completes security training focused on secure development practices.
OWASP Top 10 reviews - The engineering team has yearly dedicated time to independently check our product for OWASP Top 10 vulnerabilities, such as XSS, CSRF and input validation issues.
Penetration testing - Independent penetration testing is conducted by an external company on a yearly basis to detect security vulnerabilities in our product.
CleverMaps platform security
Access control (Authentication, Authorization & Accounts)
Platform access control is mainly described at User roles and Permissions, where the capabilities to integrate with SSO and Identity Providers are also documented. Internally we use Okta to authenticate our customers, with the possibility of multifactor authentication and various password settings, but customers can decide to use their own IdP.
Physical security
Our infrastructure is located in externally operated data centers designed by Amazon Web Services (AWS). AWS data centers follow best practices in physical and environmental security based on the AWS Shared Responsibility model, including controls against fire, power loss and adverse weather conditions. Physical access to data center facilities is highly restricted, and the facilities are monitored by professional security personnel.
Both of our offices are equipped with physical access management controls and solid physical barriers, and some also with additional controls such as video surveillance systems.
Logging and Monitoring integration
The CleverMaps platform has a well-documented model of application event logging (Audit log events) that our customers can use to track the actions of their users. CleverMaps also understands that the most convenient place to read the logs is the customer's own SIEM solution, and therefore all logs are available via a REST API connector.
Website protection
We ensure the security of our public website Clevermaps.io as well as our access portal, the CleverMaps Platform. We regularly scan our sites with SSL Server Test (by Qualys SSL Labs) and Hardenize to ensure that both are securely configured.
Infrastructure security
Various security best practices have been implemented on CleverMaps infrastructure level, e.g.:
Data storage encryption - Customer data are encrypted at rest using AWS KMS keys. The encryption was verified during our security audits.
Data separation - Customer data are stored in separate databases. We offer several levels of separation: separate database, dedicated database server, on-premise database server or single-tenant deployment.
Network - Testing and production environments are strictly isolated at the level of separate AWS accounts. The network infrastructure uses VPC networks, security groups and elastic load balancers to isolate different types of infrastructure.
Transfer encryption - All incoming and outgoing HTTP traffic is encrypted using TLS >= 1.2. Certificates are managed by AWS Certificate Manager and regularly renewed.
Authentication and authorization - REST API requests are authorized using OAuth2 Bearer tokens. The authorization tokens are issued by the Okta authorization server. Each request is processed according to the zero-trust principle: every access request, whether internal or external, is fully authenticated, authorized and encrypted before access is granted.
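The per-request check described above, shown as an added illustration rather than CleverMaps' own code: a resource server accepts an OAuth2 bearer token only after pinning the signing algorithm, verifying the signature, and checking issuer, audience, validity window and the scope the endpoint needs, on every call. The issuer URL, audience, signing key and claim values are constructed for the example. Okta-issued access tokens are RS256 JWTs verified against the authorization server's published JWKS; an HS256 shared key stands in here so the example runs offline, and the `scp` scope claim is assumed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions, not the platform's real configuration).
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://idp.example.invalid/oauth2/default"  # placeholder issuer
EXPECTED_AUDIENCE = "api://platform-example"                    # placeholder audience


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 JWT; plays the authorization server's role in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, required_scope: str, key: bytes = DEMO_KEY,
                 now: Optional[float] = None) -> dict:
    """Validate one bearer token for one request; returns claims or raises PermissionError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose it ('none', swapped alg).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise PermissionError("token expired")
    if now < claims.get("nbf", 0):
        raise PermissionError("token not yet valid")
    # Authorization is separate from authentication: the endpoint's scope is required too.
    if required_scope not in claims.get("scp", []):
        raise PermissionError("insufficient scope")
    return claims


def authorize_request(auth_header: Optional[str], required_scope: str,
                      now: Optional[float] = None) -> Tuple[int, str]:
    """Gate one HTTP request on its Authorization header; returns (status, reason)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = verify_token(auth_header[len("Bearer "):], required_scope, now=now)
    except PermissionError as exc:
        return (403 if str(exc) == "insufficient scope" else 401), str(exc)
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    t = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1",
                    "exp": time.time() + 300, "scp": ["projects:read"]})
    print(authorize_request("Bearer " + t, "projects:read"))
    print(authorize_request("Bearer " + t, "projects:write"))
```

The distinction between 401 (not authenticated) and 403 (authenticated but not permitted) matters for both clients and SIEM correlation: a burst of 401s with bad signatures and a burst of 403s from a valid user tell different stories.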
Rate limiting & Web Application Firewall (WAF) - A Web Application Firewall has been deployed in the AWS environment together with reasonable rate limiting of requests received over the network, to mitigate (D)DoS and other common attacks.
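To make the rate-limiting mechanism concrete, here is an added example of a per-client token bucket replayed over constructed traffic; it is illustrative code, not the platform's WAF configuration, and the rate, burst capacity and client addresses are made-up values.

```python
import time
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class TokenBucketLimiter:
    """Per-client token bucket: up to `capacity` requests may burst, then `rate` per second refill.

    Constructed example; the platform's real thresholds are not public.
    """

    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self._tokens: Dict[str, float] = {}
        self._updated: Dict[str, float] = {}

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        """Return True if this request fits the client's budget, False if it should be throttled."""
        now = time.monotonic() if now is None else now
        tokens = self._tokens.get(client, float(self.capacity))
        last = self._updated.get(client, now)
        # Refill in proportion to elapsed time, never above the burst capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        self._updated[client] = now
        if tokens >= 1.0:
            self._tokens[client] = tokens - 1.0
            return True
        self._tokens[client] = tokens
        return False


def replay(limiter: TokenBucketLimiter,
           requests: List[Tuple[float, str]]) -> Dict[str, Tuple[int, int]]:
    """Feed (timestamp, client) pairs through the limiter; return {client: (allowed, throttled)}."""
    counts = defaultdict(lambda: [0, 0])
    for ts, client in sorted(requests):
        counts[client][0 if limiter.allow(client, now=ts) else 1] += 1
    return {c: (v[0], v[1]) for c, v in counts.items()}


# Constructed traffic (documentation addresses): one client fires 30 requests in about a second,
# another sends 5 requests spaced two seconds apart.
SAMPLE_REQUESTS = ([(100.0 + i * 0.034, "203.0.113.7") for i in range(30)]
                   + [(100.0 + i * 2.0, "198.51.100.4") for i in range(5)])


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=5.0, capacity=10)
    for client, (ok, dropped) in replay(limiter, SAMPLE_REQUESTS).items():
        print(f"{client}: allowed={ok} throttled={dropped}")
```

With a 5 requests/second refill and a burst of 10, the bursting client gets its first ten requests through and then only the trickle the refill permits, while the well-behaved client is never throttled. The throttled count per client is the signal worth forwarding to monitoring, since a sustained throttle rate from one source is an early indicator of abuse.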
System hardening and technical reviews - We compare our infrastructure security posture against the CIS AWS Foundations Benchmark 1.2.0 and review our compliance with it regularly. In addition, we conduct quarterly initiatives to detect infrastructure vulnerabilities and report them for mitigation.
Software security
Our systems run the latest stable versions of Ubuntu or Amazon Linux and our applications run on the latest stable version of Java. We monitor documented threats from public security research databases (such as the Common Vulnerabilities and Exposures catalog), and we run automated vulnerability scanners at regular intervals across our infrastructure and before each deployment. Our developers receive training for secure software development, including Open Web Application Security Project guidelines. All major code changes are subject to a multi-point code review with specific attention paid to security.
Backup, Continuity and Recovery
In CleverMaps we understand the importance of our systems and data being available to our customers. For this purpose, we have in place:
Backup procedures (BPs) - Suitable backup procedures for data, infrastructure and configuration have been established. The whole process has been gradually simplified by the fact that CleverMaps uses "Infrastructure as Code" in AWS.
Business Continuity Plans (BCPs) - Internally we have identified the most critical business processes and created Continuity Plans for them. These describe the alternative processing or service operation in case of a business process outage and link to the Disaster Recovery Plans that shall be used for business process recovery (especially of data and systems).
Disaster Recovery Plans (DRPs) - As a part of Business Continuity and Disaster Recovery, CleverMaps has elaborated Disaster Recovery Plans for critical business systems and the stored data. In case of data unavailability or a system outage, the DR plans are started for fast system recovery.
All three - BPs, BCPs and DRPs - are regularly tested.
Privacy of customer data
Customer data privacy is handled based on our CleverMaps Privacy Notice.
Customers are not allowed to store any PII within the CleverMaps platform. PII processing mainly concerns customer contract and contact information.