Technical Security Measures
Invicti is in the business of online security. We take the issues of data security and privacy very seriously. And we know that security is important to you too.
The nature of our business at Invicti requires us to collect data on you, your customers and your business. In the interests of full transparency, and to ensure that we abide by UK and GDPR regulations, we believe that you have a right to know about the precautions we take in how we process, transfer and store your data.
Data Center Security
Amazon AWS commits to the physical and infrastructure protection of the servers we run on. On top of that, we take the following additional precautions:
- We applied custom security policies to restrict access to our data and assets.
- We configured public and private subnets to secure our virtual private cloud.
- EC2 backups and S3 assets are stored encrypted using the AES-256 algorithm.
- We configured custom firewall rules and applied IP restrictions for remote connection to our EC2 instances. Only authorized people have remote access to our assets.
Security From Data Loss and Corruption
- All databases are kept separate and dedicated to prevent corruption and overlap. For example, we keep Invicti’s On-Demand database on a separate server. We have multiple layers of logic that segregate user accounts from one another. In addition, the Invicti Enterprise team does not have access to customer data unless our clients enable it and they have the correct permissions.
- Account data is mirrored and regularly backed up offsite.
Application Level Security
- All pages, on both our desktop and mobile websites, pass data via TLS (Transport Layer Security, HTTPS), without exception.
- User account passwords are hashed. Even our own staff can’t view them.
- Lost passwords cannot be retrieved; they must instead be reset. Passwords can only be reset by an Admin, and a reset link is sent to the user’s registered email address.
- Login pages and logins have brute force protection.
- API endpoints have rate limits.
- External security penetration tests, both automated and manual, are conducted regularly.
Internal IT Security
- All staff keep their PCs secure with disk encryption against theft, Evil Maid attacks and other risks that an attacker could exploit after gaining physical access.
- All staff have PGP keys and use encryption when transmitting sensitive information over public networks.
- All staff must use 2FA for their accounts, without exception.
- A dedicated internal security team constantly monitors our environment for vulnerabilities.
Internal Security by Education and Checks
- We continuously train employees on best security practices, including how to identify social engineering attacks, phishing scams and hackers.
- Employees on teams that have access to customer data – such as technical support and engineers – undergo criminal history and credit background checks prior to employment.
Security for Customers
- Some changes to customer accounts (such as enabling or disabling 2FA, changing the password, or accessing the API token) require the password to be re-entered, and trigger email notifications to the account owner.
- 2-Factor Authentication is made available to our customers.
- In addition to email notifications, customers can view a log related to all activity on their account.
- Using our IP Restrictions feature, customers can limit access to Invicti Enterprise to specific IP addresses.
- Our legal team works with our developers and engineers to make sure our products and features comply with relevant international spam and privacy laws.