Chippur’s Approach to Information Security

Chippur is a cloud-first application that takes data confidentiality and security extremely seriously. That’s why Chippur is transparent about its approach to security, so you can feel safe while using Chippur’s products and services.

 

Philosophy

Chippur follows three principles in regard to security:

  • Lead industry standards and our competitors in cloud and product security

  • Always be open and transparent about how Chippur processes, stores, and uses your data

  • Use all the latest tools and techniques as a cloud-based product to ensure that all services are up to date.

Who has Access to your Data

As per Chippur’s Privacy Policy, Chippur does not sell or rent your personal information to third parties. Chippur will use your personal data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your personal information with your employer without your express permission. If you leave Chippur, we take the necessary steps to ensure the continued ownership of your data. Chippur operates under GDPR rules, and only collects the information that is needed to provide a personalised experience unique to each individual.

Where is your Data Stored and Processed

Hosted completely in Microsoft Azure, Chippur leverages Microsoft’s industry-leading tools to secure your data. All product data (including personal information) is stored in Azure SQL databases in SOC2 compliant data centres in Australia. Data in platform databases is encrypted at rest using Azure’s standard tools and replicated to a different Azure availability zone. Chippur automatically and securely makes backups of product data on a frequent basis and retains those backups for up to a year.

All Chippur data is encrypted in transit over public networks using TLS 1.2 with SHA-256 RSA TLS certificates. All traffic is filtered to allow only the ports required for the operation of Chippur, and all network traffic is logged to ensure an adequate security posture. All production servers are protected using Azure Web Application Firewalls on Azure Front Door, which automatically blocks attack traffic identified by Azure and includes DDoS protection.

Chippur will retain all data on the service for up to a year as per our standard backup retention policy. Customers can also request in writing that their data be deleted at any point. When we delete data, our cloud partner (Microsoft Azure) ensures that the drive is completely overwritten so that the data cannot be recovered by any means, following the NIST 800-88 Guidelines for Media Sanitization.

What Infrastructure does Chippur use?

Chippur’s entire infrastructure is hosted on Microsoft Azure. Chippur leverages this to achieve global infrastructure uptime, resilience, and scalability; this includes Azure’s monitoring services to dynamically scale required compute resources when needed. Azure provides 24/7 security monitoring of all of Chippur’s infrastructure, including servers, storage resources, and databases.

Chippur has designed its infrastructure landscape to dramatically minimise the attack footprint that it is responsible for. Chippur’s entire infrastructure stack is deployed and run on PaaS/serverless products within Azure, which means that code is deployed securely to Azure environments that are managed and constantly monitored for vulnerabilities and intrusions by Microsoft Azure. 

How is Chippur Designed to be Secure

Chippur is an API-first platform designed to be accessed securely over the internet from the Chippur web and mobile applications. All Chippur data is encrypted in transit over public networks using TLS 1.2 with SHA-256 RSA TLS certificates.

All APIs, except certain authentication/authorisation related endpoints, require authentication. Chippur’s API uses short-lived JWT token-based authentication.

How Often is Chippur Updated

Chippur aims to release new updates to the mobile applications each month, but at times this may be more frequent. Deployments to servers are just as frequent and are automated right from Chippur’s codebase through a build environment using Azure DevOps. Production releases require manual approval by a senior staff member. In summary, updates to Chippur are an invisible non-event; you should never notice them.

Security within our Organisation

Chippur’s management inventory and document external IT systems, and their approach to security, using a confidentiality, availability, and data integrity matrix. All high-risk systems require MFA and Chippur staff operate under “paperless” office practices at all times.  

The resilience of Chippur’s service is vitally important; processes and systems are designed to allow remote disaster recovery and business continuity processes at all times. There are no dependencies on physical assets or locations that Chippur maintains for the operation of our organisation.

Incident Management 

Chippur considers a security incident to be any event that negatively affects the confidentiality, integrity or availability of our customers’ data, Chippur’s data, or Chippur’s services. Incident management plans establish the recommended organisation, actions, playbooks, and procedures needed to recognise, respond to, escalate, and recover from an incident. Chippur promises to notify the appropriate individuals, customers, and/or organisations about any significant incident where personal data may have been exposed and/or accessed by an unauthorised third party.

Any security vulnerabilities that are identified in production are raised to Chippur’s executive team. Fixes for most types of vulnerabilities and major issues can be expedited and deployed within an hour.

 

Got Questions? Contact us at support@chippur.com