Security Policy

15 February 2021

This Carriyo FZ-LLC (“CARRIYO” or “We”) Security Policy is a policy governing the internal security processes under the terms of the Terms of Service (“Agreement” or "Terms") between CARRIYO and the users of CARRIYO’s Services (“You” or “Client”). Unless otherwise provided herein, this Security Policy is subject to the terms of the Agreement and capitalized terms will have the meaning specified in the Agreement. We reserve the right to update this Security Policy from time to time upon notice to you.

​

SECURITY COMMITMENT

CARRIYO endeavours to provide all its clients with state of the art security measures that will allow its software solution to be a safe and risk free solution. This document will be updated as frequently as necessary to include additional information as the landscape surrounding software development and service evolve. This document describes the guidelines and processes that drive CARRIYO’s security framework.

​

DEFINITIONS

​NA

ORGANIZATIONAL SECURITY

We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Security Awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy. We provide training on specific aspects of security that they may require based on their roles.

User Roles and Processes

• Unique and individual user accounts across all users (internal and external) for full accountability of activities in our systems.
• Active logging mechanisms in all production instances for full traceability of activities in the system.
• Hardened password setting policies with automatic expiration date.
• Self-service password creation and recovery (no passwords over email policy).
• Expiration policy on authentication tokens for CARRIYO API.
• oauth 2.0 standard for authentication.
• Our authentication layer is managed using Auth0 (https://www.auth0.com ).
• Controlled access to critical production components to specific users who require access, with periodic review and removal of obsolete access entries.

PHYSICAL SECURITY

At workplace

Carriyo makes extensive use of remote work. Our team is distributed across multiple locations. To ensure compliance and security of all assets, we implement a cloud first policy where all applications, documents and company information is securely stored in the cloud and only accessible by individual employee accounts and implementing dual factor authentication.

By following this policy we remove any sensitive information from our own physical workplace locations and mitigate the impact of physical breach of access to any working location. 

Furthermore, Carriyo does not make use of local data centers or servers as a company policy.

At Data Centers

Carriyo is a cloud native product and exclusively makes use of Amazon Web Services (AWS) Data Centers to host and run all applications. At the moment, Carriyo hosts all applications in the Europe (Ireland) Region and across several AWS Availability Zones.

The AWS Data Centers offer a set of native capabilities such as Redundancy, Disaster Recovery, Availability, Employee Security, Logging, Monitoring and Management which allows us to offer the highest standards of physical security and control over our services.

To know more about AWS Datacenters please visit the following link:

https://aws.amazon.com/compliance/data-center/

INFRASTRUCTURE SECURITY

Network Security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Carriyo's production infrastructure.

In addition, direct access to our cloud infrastructure and resources is restricted via VPN to ensure only legitimate access is allowed. Moreover, our web applications and APIs are also protected via WAF (Web Application Firewall) to protect your web applications from common web exploits such as SQL injection, cross-site scripting and other common threats.

Network Redundancy

Network redundancy is inherited from our use of AWS as our infrastructure provider:

“Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.”

DDOS Prevention

Carriyo makes use of AWS Shield to protect its services from DDOS attacks.

AWS Shield protects from 96% of the most common attacks today, including SYN/ACK floods, Reflection attacks, and HTTP slow reads. This protection is applied automatically and transparently to our Elastic Load Balancers, CloudFront distributions, and Route 53 resources which serve Carriyo’s front-end application stack.

More on AWS Shield can be found in this link:

https://aws.amazon.com/blogs/aws/aws-shield-protect-your-applications-from-ddos-attacks/

Server Hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.

Intrusion Detection and Prevention

Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. 

At the application layer, we have a WAF which operates on both whitelist and blacklist rules.

At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer. This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any. 

Carriyo also uses AWS GuardDuty. Amazon GuardDuty is an intelligent threat detection service that provides customers with an accurate and easy way to continuously monitor and protect their AWS accounts, workloads, and data stored in Amazon S3.

DATA SECURITY

Data Isolation

Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.

The service data is stored on our servers when you use our services. Your data is owned by you, and not by Carriyo. We do not share this data with any third-party without your consent.

Encryption

At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES) by default. The data that is encrypted at rest varies with the services you opt for.

In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access,API access,our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

Data Retention and Disposal

We hold the data in your account as long as you choose to use Carriyo. Once you terminate your Carriyo account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 90 days, we will terminate it after giving you prior notice and option to back-up your data.

The data in your active account can be extracted at any time using the standard secured features provided by Carriyo:

• Via the User Interface CSV/Excel extract (see https://help.carriyo.com/ )
• Via the Carriyo API (see https://carriyo.docs.stoplight.io/ )
• Via the Carriyo Data Stream feature - an optional data stream extract made available in a AWS S3 bucket only accessible by you.

Data Masking

Carriyo also offers the possibility to mask sensitive data if so required by a customer. This option allows users to retain data for longer periods for reporting purposes without increasing the risk of sensitive data being captured  by malicious actors.

IDENTITY AND ACCESS CONTROL

Single Sign-On (SSO)

Carriyo offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. When you sign in to any Carriyo service, it happens only through our integrated Identity and Access Management (IAM) service. We also support SAML for single sign-on that makes it possible for customers to integrate their company's identity provider like LDAP,ADFS when they login to Carriyo services

SSO simplifies the login process,ensures compliance,provides effective access control and reporting, and reduces risk of password fatigue, and hence weak passwords.

We use Auth0 as a provider for all our authentication services. (https://auth0.com/ )

Multi-Factor Authentication

Not provided at the moment.

Administrative Access

We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing account data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.

OPERATIONAL SECURITY

Logging and Monitoring

We monitor and analyse information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability. 

Detailed audit logging covering all update and delete operations performed by the user is available to the customers in every Carriyo service. Some of these logs are available to users on a self-service basis within the Carriyo User Interface for additional transparency.

Vulnerability Management

We use cloud platforms for email communication and internal document storage which have embedded up to date anti virus mechanisms and we do not rely on local devices for email and document storage. 

Our applications run on a thin client browser and don’t require installation or local storage in user devices, making them resilient to vulnerabilities. The Carriyo applications run on AWS infrastructure with embedded vulnerability management.

Carriyo is built with components that are updated every time a new version is made available to fix known vulnerabilities.

Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.

Malware and Spam Protection

We use cloud platforms for email communication and internal document storage which have embedded up to date anti virus, malware detection and spam protection mechanisms and we do not rely on local devices for email and document storage purposes. 

Carriyo supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic. For more information check our Anti Spam Policy.

Backup

We make use of native backup mechanisms in AWS to perform a near real time backup of all primary databases in production environments. Carriyo stores transactional data in AWS Dynamo DB & AWS Aurora DB tables, both of which support continuous incremental backups providing a point-in-time recovery, fulfilling our recovery point objective (RPO) of less than a few seconds for transactional data. AWS Aurora DB automatically maintains 6 copies of your data across 3 Availability Zones and will automatically attempt to recover your database in a healthy AZ with no data loss in the case of any disaster situation. 

In addition to our standard backup mechanisms, we also offer an optional CARRIYO Data Stream service to customers who wish to have their data streamed into a dedicated and isolated AWS S3 Bucket. This feature has the main objective of providing our customers with the ability to easily export data automatically into their own reporting tools and other systems, but can also be used as a resilient backup mechanism.

Disaster Recovery and Business Continuity

Carriyo is hosted on AWS. It was designed from the ground-up as a cloud-native platform. As a result, objectives such as availability, scalability and redundancy are at the heart of the Carriyo architecture. 

As a key design principle, where possible we prefer to use fully managed services provided by AWS. This provides us almost infinite scalability along with built-in high availability, fault-tolerance and failover. 

At Carriyo we target a recovery point objective (RPO) of less than an hour and a recovery time objective (RTO) of less than six hours. All of our data and services are hosted in multiple Availability Zones (AZ) to provide automatic resilience and recovery and to help protect our data and code against individual machine or data center facility failures.

Data Recovery: Carriyo stores transactional data in AWS Dynamo DB & AWS Aurora DB tables, both of which support continuous and near-real-time incremental backups and automatic failover mechanisms providing a point-in-time recovery of less than a few seconds for transactional data. 

AWS Aurora DB automatically maintains 6 copies of your data across 3 Availability Zones and will automatically attempt to recover your database in a healthy AZ with no data loss. 

Service Recovery: Carriyo relies on microservices to process, integrate and serve data. These microservices either run on the AWS Serverless Lambda environment or the AWS Containerised ECS Fargate environment. Both of these environments are deployed in highly available, fault-tolerant infrastructure spread across multiple Availability Zones, and provide protection against individual failures.

In the advent of a disaster situation that affects one or more but not all of the availability zones of the AWS Region being used, the Carriyo platform will automatically and seamlessly failover using the mechanisms already described in this document.

In the case that all availability zones in the AWS Region being used are unavailable, the Carriyo technology team will initiate a predefined Disaster Recovery Plan to migrate  and deploy all application components  and customer data to a new available AWS Region in as little time as possible and targeting the already specified RPO and RTO.

Crisis Management 

In case of disaster, once known by our teams, all customers will be informed by our Customer Service team according to our Incident Reporting policy (see next section) and as per the Carriyo SLA Policy.

Simultaneously, our engineering team will be recovering the failing components of the system and restoring access to all users. Updates will be communicated by our engineers to our Customer Service team every 3 hours until the problem is resolved.

Our Customer Service team will be informing customers of the situation according to our Incident Management policy (see next section)

INCIDENT MANAGEMENT

Reporting

We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.

We respond to the security or privacy incidents you report to us through support@carriyo.com, with high priority. 

For Severity 1 and Severity 2 incidents that affect multiple users and accounts, we communicate each account’s Organisation administrator registered with us as soon as the problem is identified and commit to send subsequent updates on the resolution progress every six hours unless otherwise stated in the first communication. 

For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organisation Administrator registered with us).

Breach Notification

As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay. 

VENDOR MANAGEMENT CONTROL

We onboard new vendors after understanding their processes for delivering us service, and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting ad-hoc reviews of their controls.

CUSTOMER CONTROLS FOR SECURITY

So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end:

• Choose a unique, strong password and protect it.
• Use multi-factor authentication when available
•  Use the latest browser versions, mobile OS and updated mobile applications to ensure they are patched against vulnerabilities and to use latest security features
• Exercise reasonable precautions while sharing data from our cloud environment.
• Do not submit any information to Carriyo that is not strictly needed to conduct your business operation.
• Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating Zoho or other services you trust.

CONCLUSION

At Carriyo we take your data security seriously and strive to provide a resilient and trustworthy service to all customers. If you have any concerns or suggestions for us to improve our security policy, please contact us at  support@carriyo.com.