
Security Whitepaper

Learn more about Connexus' approach to security and compliance, including details on organizational and technical controls.

Austin Thompson, Founder

Last updated September 18th, 2022

We understand how important security and compliance are, and we've worked hard to make sure that Connexus is secure. The security and protection of our customers' data is a top priority and this paper outlines our approach to security and compliance, and details the technical controls that keep your data safe.

What is Connexus?

Connexus is an agency that provides customized mobile and web applications for Market Centers. The applications are built on a framework, which allows those solutions to be deployed quickly.

Applications are public by default, as agents both new and old access the application. All data is hosted securely on the framework backend. Each connection made to Connexus is end-to-end encrypted over HTTPS. Connexus maintains very restricted access control policies for the live data, and applies industry standards for data at rest.

People

Security isn't just about making sure the right technology is in place. Connexus makes sure that we have the right people to build, maintain, and oversee the systems, as well as within the framework system. Although we have a small team, we are rigorous in making sure we hire the right people.

Privacy and Trust

Connexus has procedures in place that limit access to sensitive information and systems to necessary staff only. All staff members have individual credentials, and multi-factor authentication is mandatory for staff when accessing sensitive systems.

Connexus requires our tools and service providers to be as secure as our own systems. We insist that any suppliers we use provide security assurances similar to ours, and we ensure their access to data is strictly limited to only what they require. We keep an up-to-date list of our service providers and Connexus' Privacy Policy publicly available online.

Connexus uses a certified partner to handle all credit card information, and we do not store any PCI-DSS information ourselves. Our processor, Wave, is certified to Level 1 PCI-DSS, the most stringent level of certification available in the payments industry.

Physical and Network Security

All customer data, Connexus' servers, and the framework's servers are securely hosted on Google Cloud Platform (GCP) in the U.S. All of our users' data is processed in the U.S.

GCP certifies its physical security with comprehensive compliance and controls, including allowing physical access to personnel with a validated business need, logged and monitored access, electronic surveillance and professional security personnel at all datacenter entry points.

GCP is accredited against multiple security industry certifications, including ISO 27001. More details are available from the GCP website.

Each and every connection made to Connexus or the framework is end-to-end encrypted over HTTPS. Connexus forces HTTPS for all services, including our public website. Customer data is stored in encrypted form using state-of-the-art encryption.

Penetration Testing

The framework uses specialist security consulting firms to complete penetration tests on their infrastructure. You can request the results of the latest penetration test by emailing austin@connexus.studio.

Operational Security

Far from being an afterthought, security is an integral part of Connexus' operations.

Access Control

All staff members have a unique username and password. Access to all systems is role-based, following the principles of deny-by-default and least privilege.

Change Management

Planning, analysis, and design are carried out amongst all developers at regular meetings. We make significant use of GitHub and Continuous Integration. CI runs automated tests and pushes to a staging instance of the framework, where it is tested for at least two days. After success, it is tested again using automated tests and requires manual clearance from a senior engineer to be released to production. User feedback and monitoring tools report back to the planning phase.

Vulnerability Management

The framework's code is continuously checked against published security vulnerabilities. Patches for any security issue are evaluated and rolled out, via change management, as soon as possible.

Incident Management

Connexus and the framework rapidly investigate all reported security issues. In compliance with international regulations, we will inform all customers affected by an incident as soon as possible - definitely within the legally mandated notification period of 72 hours.

Failover and Backup

Automatic backups are built into the framework system. If a single server fails, another one will take over instantaneously. All data is backed up daily and stored encrypted. Should the worst happen - such as losing a data center - we can rebuild all framework data in a new location, and be fully operational within five days.

Application Security

Connexus is built with security-by-design.

Customer Data Confidentiality

User data in Connexus and the framework is strongly managed to ensure it remains confidential. We use the strong segregation mechanisms in GCP to ensure data does not leak outside of the framework's control. All user data is stored in encrypted form, sandboxed and segregated from other users' data by the framework backend, which controls all access to stored data and checks and enforces permissions for every network request.

Secure Software Development

We take code reviews very seriously. They take up a significant portion of our development time, and we don't compromise on them. Opening a Pull Request kicks off unit and integration tests, which must run to completion and pass.

We use Buildkite as our Continuous Integration/Deployment service. The framework's code is hosted in GitHub private repositories, and we take advantage of GitHub's code review tool.

The framework's stack is React, TypeScript, and Node.js.

Regulatory Compliance

The framework is actively pursuing the American Institute of CPAs' industry-standard cybersecurity program, SOC 2.


Connexus' mission is to provide Keller Williams Market Centers the tools they need to train a new generation of thriving entrepreneurs and create KW agents for life.
