Data
Last updated - January 30, 2023
Do you follow the EU privacy laws?
Apigale is able to demonstrate compliance with the seven protection and accountability principles outlined in Article 5.1-2 upon request. (What is GDPR?)
How does Apigale manage data, protect customer data and govern customer data?
There is a clear separation between private and public data models, which makes it explicit which data is shared with other users and which is accessible only by the data owner; this implements the “security by design” principle. Access to any data requires authentication, and authorisation is determined by defined access-control processes.
What are the types of data stores/databases/ data repositories used in the system?
Apigale uses PostgreSQL as the primary database and datastore. For the Server deployment, access to the PostgreSQL database can be arranged, depending on the client's security requirements, for data modelling and/or extraction.
What type of data might you store?
All API Specifications, API Endpoints, Environments and Client Applications are stored in the database. Sensitive items such as passwords are hashed on entry and are not human-readable (AES-256-GCM/salted scrypt).
What happens to data stored when customers terminate their usage of Apigale?
Cloud: all the data is removed from the Apigale Servers.
Server: As the server is most typically hosted and managed by the customer, when the service is terminated the customer can destroy the machine and all data, extract backups and then destroy the data, or retain the data as is.
What cryptographic protocols are used to secure client data at rest?
Environment variables at rest are encrypted with 256-bit AES in GCM mode, whose authentication tag also detects tampering.
Web Security & Authentication
Last updated - January 30, 2023
Can you describe how Apigale adheres to common security principles?
The system is secure by design. Multiple security perimeters are implemented for publicly accessible and private data. For private data, all requests are authenticated and authorised. Applications and domains also need to be registered within Apigale to function with the API.
Cookies are marked Secure, transmitted only over HTTPS and scoped to the relevant paths. A valid authentication token is checked against the domain, application and user on every request. All input is validated against an allow-list, and models are validated before being saved to the database.
Do you undertake ongoing periodic information security testing activities such as vulnerability testing, penetration testing, and source code reviews against industry best practice guides?
Yes. Basic security testing is part of the release pipeline. Extended security testing is done regularly both in and out of production. Customers are free to conduct penetration testing on the software once in production as part of their internal security standards and auditing processes. These reports are often provided to Apigale for review; to date no vulnerabilities or risks have been reported.
How does Apigale provide least-privileged role-based access control?
The solution has four user levels: System Administrators, Tech Support, Authenticated Users and Guest Users.
- System Administrators have full access and control over the system configuration (via Web UI only).
- Tech Support can see the status of entities and events.
- Authenticated Users have full access to their private data and read-only access to “public” data.
- Guest Users have read-only access to “public” data.
If no access level is assigned, users are unable to log in.
For Server deployments, infrastructure access is provided by the customer.
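The four user levels and the private/public data split above, written as a default-deny authorisation check. This is an added illustration, not Apigale's code; the role names come from the answer, while the action names, the `User`/`Record` shapes and the choice to model Tech Support as a status-only role are assumptions.

```python
# Added example (not Apigale's code): default-deny access check for the four
# user levels. Actions, record shape and the status-only modelling of Tech
# Support are assumptions for illustration.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    SYSTEM_ADMIN = "System Administrator"   # full access and control
    TECH_SUPPORT = "Tech Support"           # may see status of entities/events
    AUTHENTICATED = "Authenticated User"    # own private data + read public
    GUEST = "Guest User"                    # read public data only


@dataclass(frozen=True)
class User:
    user_id: str
    role: Optional[Role]  # None models "no access level assigned"


@dataclass(frozen=True)
class Record:
    owner_id: str
    public: bool  # public models are shared; private ones belong to the owner


ACTIONS = ("read", "write", "status")


def can_log_in(user: User) -> bool:
    # A user with no access level assigned cannot log in at all.
    return user.role is not None


def is_allowed(user: User, action: str, record: Record) -> bool:
    """Return True only if the role grants `action` on `record`; deny otherwise."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if not can_log_in(user):
        return False
    if user.role is Role.SYSTEM_ADMIN:
        return True
    if user.role is Role.TECH_SUPPORT:
        return action == "status"  # assumption: status view only, no data access
    if user.role is Role.AUTHENTICATED:
        if record.owner_id == user.user_id and not record.public:
            return action in ("read", "write")  # full access to own private data
        return record.public and action == "read"  # read-only on public data
    if user.role is Role.GUEST:
        return record.public and action == "read"
    return False  # default deny for anything not explicitly granted
```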
Can you outline how Apigale encrypts data at rest/ in motion? Which key/ certificate management technologies are used?
Standard SSL/TLS is used for data in motion. Data at rest is encrypted with 256-bit AES in GCM mode, which also detects tampering. If local accounts are created, passwords are salted and then hashed using scrypt (SSO is preferred).
What security measures are enforced internally upon staff about customer information?
We use a range of standard tools for development including, but not limited to, GitLab, Jira and Confluence. All internal services are secured by SSO with 2-factor authentication enforced. No client or customer information, credentials or otherwise, is stored locally on staff hardware. All access to internal code and client information is least-privilege and role/group-based.
Infrastructure
Last updated - January 30, 2023
Is media (i.e. HDD, SSD, USB, Tape, etc.) destroyed securely when it is no longer needed for business or legal reasons?
Cloud: N/A.
Server: This is managed by the client under standard IT practices; we do not store any client data outside the Production/UAT/DEV environments.
Third Parties
Last updated - January 30, 2023
What information, if any, does Apigale share with third parties?
Apigale, both as a software solution and as a business, does not share any customer information with third parties.
What are the available interfaces in which Apigale can interact and/or connect with third-party services?
Apigale can interact with other systems using a REST API over HTTPS. The solution favours secure protocols; insecure protocols such as FTP are not used.
How does Apigale allow third-party data visualization tools to interact with your data store?
Cloud: N/A
Server: Apigale can pass data logs to data visualisation tools such as Splunk, or to a web-standard data visualisation tool such as Power BI or Google Analytics, via API. Sample integrations may be available upon request for all of the above third-party services.