This post outlines the security and privacy considerations in the CommuniBee Suite.

Privacy

Our philosophy when it comes to privacy is to collect as little information as is necessary (typically only email addresses as usernames), and to never share that information with any 3rd party except for the purposes of enhancing our service. For details, view our privacy policy.

Server Security

• API and database server are running Ubuntu 18.04.
• Server runs UFW firewall locked down with IP whitelisting as needed for developers to access.
• All communications are done over HTTPS with RSA 2048-bit encrypted SSL.
• Database can only be accessed by API, blocked by firewall rules from anything but API.
• Database is running the latest version of Microsoft SQL Server, and API is running the latest .NET Core runtime for Linux.
• All database access uses Entity Framework to mitigate SQL injection attacks.
• All passwords used for accessing the server are strong, randomly generated strings.
• Database is backed up daily.
• User passwords are properly hashed so they cannot be extracted and reverse engineered.

 

Application Security

Organizations using CommuniBee can control who can join their online community and what content they have access to. These permissions can be granted by an admin within the organization through the dashboard.

Additionally, the ability to join can be configured in the app with three levels:

User access can be controlled by admins from the dashboard at any time, revoking or granting access to members of the community.

We use signed JWT tokens for authentication with anti-forgery checks.

Payment Security

For payment processing, we use PCI-compliant Stripe Connect as our default payment provider. With a paid CommuniBee Suite subscription, you can also choose from PayPal, Square, or Stripe as optional payment providers.  All of which are recognized worldwide, and trusted by millions.

When a payment is made in CommuniBee, a dialog is presented to collect payment information (credit card #, expiry date, CVV), and that information is passed directly to the payment provider in use along with the email address of the account. It is important to note that the credit card information is never passed to or stored on CommuniBee’s servers.

Infrastructure Security

We use Digital Ocean for hosting the server and database. Digital Ocean is one of the leading providers of hosting services. The servers we use are hosted on Canadian soil in Toronto.

For details on Digital Ocean’s data security practices, visit: https://www.digitalocean.com/legal/data-security/

An excerpt from that page:

Security controls provided by our datacenter facilities includes but is not limited to:

• 24/7 Physical security guard services
• Physical entry restrictions to the property and the facility
• Physical entry restrictions to our co-located datacenter within the facility
• Full CCTV coverage externally and internally for the facility
• Biometric readers with two-factor authentication
• Facilities are unmarked as to not draw attention from the outside
• Battery and generator backup
• Generator fuel carrier redundancy
• Secure loading zones for delivery of equipment

If you have any questions regarding your security and privacy, don’t hesitate to contact us

– The CommuniBee Team