Security FAQ DRAFT
Last updated: February 8, 2023
Introduction
When onboarding enterprise clients, FareHarbor Account Managers often receive many of the same security questions from the clients’ IT departments, which end up getting forwarded to our Infrastructure and Engineering leaders for answers. To better equip AMs and other client-facing teams to be able to answer these questions themselves, we have created this document with what we believe to be a comprehensive list of commonly asked questions.
Sales Pitch
FareHarbor takes reliability very seriously. We have multiple application servers with automated failover, real-time replication to redundant database servers, and both real-time and snapshotted offsite backups across multiple physical locations in the United States (California, Ohio and Virginia). We’ve had 99.95% availability for scheduled uptime in 2022.
Authentication: Passwords, Multi-Factor Authentication and SSO
Currently:
- We do not support multi-factor authentication (MFA).
- We do not prohibit the reuse of user account passwords.
- We do not require users to change their password after a specified amount of time.
- We do not log user password history.
- We do not lock user accounts after a period of inactivity or a number of unsuccessful login attempts.
- We do not support logging in through SSO using solutions, such as Okta.
Certifications & Compliance (GDPR, CCPA, SOC)
GDPR
- Here is the client-facing help page with information about FareHarbor and GDPR.
- Our privacy statement explaining how we process data about website visitors and our clients that we are legally required to disclose under GDPR, CCPA and Virginia Privacy Act can be found here
- Support macros are available in Zendesk by searching for “GDPR” or “Data“.
- Questions regarding GDPR compliance should be submitted using the Legal Request Form.
Add SCEs/GDPR statement (for Sam)
CCPA
- Client-facing help page
- Public legal statements are available here.
- The email address and phone number referenced in FareHarbor’s Privacy Policy and Terms of Service are active and regularly monitored.
SOC Report
We do not have, and we are not scheduled to complete an SOC Type 1 or 2 report.
Database: Hosting, Locations, Structure & Security
Who is FareHarbor’s data storage company and where are their servers located?
FareHarbor data is stored in Amazon Web Services (“AWS”). AWS servers are located in the US (California, Ohio and Virginia). AWS is an ISO 27001-certified provider, which is a widely-recognized international security standard.
Note: Cardholder payment details are not stored in FareHarbor’s cloud infrastructure (hosted by Amazon Web Services (AWS)).
Does FareHarbor store sensitive customer data in AWS?
Customer data related to bookings (for example, ID photos or credit card info) or data that needs to be deleted after a certain amount of time should not be stored in FareHarbor, because Dashboards were not designed for this purpose and do not meet regulatory requirements for such storage. Additionally, even if some data is stored in the booking and is subsequently deleted, the data can be accessed in future by using history log.
What protections are in place to ensure the safety of customer safety in the event of malware or other malicious attacks?
FareHarbor has real-time replication to redundant database servers, and both real-time and snapshotted offsite backups across multiple physical locations in the United States (California, Ohio and Virginia). We use AWS RDS for that (so all data is stored only in AWS cloud). Backup is tested weekly. All data is encrypted in storage (at rest) using the 256-bit AES-GCM standard and in transit using TLS 1.2 or higher standard.
- We can quickly recover from ransomware and other attacks
- All our infrastructure lives in AWS and is deployed using Infrastructure as a Code methodology with Continuous Integration testing, which means we can quickly provision / deploy it and quickly patch existing vulnerabilities
- We have extensive monitoring of our infrastructure, including:
- Logging and alerting on requests in our network using tools like Splunk & Wazuh (SIEM system), and also anomalies detection with AWS GuardDuty, which allow us to act quickly on suspicious traffic and find a root cause of potential attacks.
- We can get help in case of attack
- As our services are hosted in and partially managed by AWS, we can get help from AWS in case of an attack.
- Where necessary, we are also in contact with Booking.com’s security team.
- We communicate any serious incidents via https://status.fareharbor.com. But of course in case of a serious cybersecurity attack (depending on scenario) we might choose to notify clients directly via other channels, due to confidentiality reasons.
In all places where user input occurs, the assumption is to not trust provided data and always sanitize it.
This is accomplished as a result of the following protections:
- Built-in sanitization mechanisms provided by our frameworks (Django, Angular), that protect against common code injection threats, such as XSS, SQL injections, etc.). Additional data validation and sanitization are added by our developers where needed (sanitization, validation, type checking, etc.).
The following controls are also in place for further protection:
- FareHarbor application code and code dependencies are scanned automatically, by Static Application Security Testing (SAST) tools for known vulnerabilities. We use a tool called Snyk for this purpose.
- FareHarbor also performs an annual authorized simulated [cyberattack on the system, called a penetration test that is outsourced to an external penetration testing company, in order to ensure we are secure against threats like code injections.
- We use AWS Web Application Firewall, that limits the amount of malicious data before it reaches the application itself.
Data shared with Software Partners such as Smartwaiver and Wherewolf (only when instructed to share such data by Providers)
The public Legal page describes what data we store and privacy-related matters and compliance. FareHarbor does not share any data with Software Partners unless a client specifically requests it.
All data shared with partners (such as Wherewolf or Smartwaiver) is encrypted while in transport via SSL/TLS. Furthermore, FareHarbor has put agreements into place with its Software Partners that ensure compliance with laws regulating the use and protection of both customers’ and clients’ data.
Backups and Testing
Backups and system snapshots
Backup frequency
Backups are performed daily across a wide variety of servers based on AWS configuration, and a snapshot of the backup is available for a period of 35 days. Live read-only replicas of the data are provisioned in a different geographic region.
Backup testing and accessibility
Backups are tested on a weekly basis via an automated script ensuring they are working correctly and are not corrupted. Backups are stored encrypted in AWS, and can be accessed by the FareHarbor Infrastructure team.
Database encryption: see Encryption
Encryption
All FareHarbor pages are protected by SSL using https:
- While at rest (data is in storage, all data is encrypted using the 256-bit AES-GCM standard.
- While in transit: Data while in transit is encrypted using the TLS v1.2 or higher standard.
For more information on the AES and TLS encryption standards, refer to this third-party article.
System uptime and availability
Real-time system status can be checked at anytime, by going to https://status.fareharbor.com. You can also choose to receive email updates from the website when available.
The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for FareHarbor systems are five (5) minutes each.
See Security Incident management for information on what FareHarbor has in place to prevent attacks and Denial of Service (DoS).
Data retention
Payment protection
Using Stripe provides a high level of security for payments
- FareHarbor doesn’t store sensitive payment data. This is done by Stripe via an API Integration. As a PCI-certified vendor, Stripe provides a high level of payments security, and it is also highly unlikely that both FareHarbor and Stripe would be infiltrated by malicious actors at this same time, keeping booking system security and payments with their data security as isolated as possible.
- Should there be any payment-related security incidents, FareHarbor will be in close contact with Stripe.
PayPal
The primary difference between Stripe and PayPal is that while FareHarbor uses direct access in Stripe to handle and manage transactions, FareHarbor has no direct access to money or transactions in PayPal. PayPal is the sole manager of transactions, and FareHarbor is built to display transactions made with PayPal, not handle and manage these transactions.
For a more detailed discussion about payment processors in FareHarbor, see this help page.
Controls before releasing to production
Infrastructure Security
Architecture
The general overview diagram of [FareHarbor architecture in AWS can be found here (in the FareHarbor Security Docs folder). It can be shared with the client upon request.
Monitoring
Security Incident management
Ransomware / attack response
Customers incident notification:
Software security testing” id=”security testing
TBD by Tomasz –
- text here
Resources and contact information for more information
Resources
Answers to questions and policies regarding legal or compliance issues can be found at https://fareharbor.com/legal. There are individual pages with information on privacy, cookies, data requests, Terms of Service, and more.
Employees only
Need more detailed answers to some of your technical questions? Refer to this page for information.
Contact for more info
- For clients: security@fareharbor.com
- For FH employees (in Slack): #security-questions
FAQ / Miscellaneous customer requests
Where should vendor security risk assessment questionnaires be sent?
Please post these questionnaires in the #security-questions Slack channel.
Do you have a dedicated Information Security team? If so, what is the composition and reporting structure?
No. Currently all Information Security tasks and inquiries are addressed together by the Security, Legal and Operations teams.
Requests for user activity reports
If a customer asks if we can provide a report showing which users ran which reports, this is not possible. We only track if a user ran a report. We don’t track which report(s), and also don’t track if they are downloading these reports.
Requests for a copy of customer data and privacy policy (for both end customers and clients)
Copies of customer data can be requested from a client on behalf of the end customer by a Dashboard user filling out the Data Request Web Form.
Providers can request deletion of customer data on an ad hoc basis, however FareHarbor does not yet have the technical capability to delete all customer data or implement retention periods. Customer data is the responsibility of the client, and not FareHarbor. Individual customer activity data is not something that FareHarbor can provide.
Internal-only content. Don't copy and paste to anyone.
These Admin Notes are here to provide FH Admins with more detailed and technical information that can be used when speaking with clients, but should not necessarily be published on the external-facing help page.
Requests for vendor security questionnaire completion
Some of our larger clients have security questionnaires that need to be completed before working with us. When a client requires answers to a security questionnaire, try to answer as many questions as possible before deferring our engineering team. Any inquiries related to Dashboard permissions, features, integrations, etc. should not be directed to the engineering team.
For answers to questions you are not able to answer using this FAQ, you can post in the #security-questions Slack channel.
- Please include:
- Company name
- Their question(s)
- Any relevant context
Note: This should be used for client security concerns and questions only.
FareHarbor employees’ access to customer data
Does FareHarbor require employees or third parties to sign non-disclosure agreements (NDAs) prior to accessing information systems or customer data?
- FareHarbor employees are not required to sign NDAs, but are bound to maintain the confidentiality and secrecy of all data and particulars about FareHarbor (and its group companies) under internal workplace confidentiality policies.
- Yes, FareHarbor has agreements in place with its that include confidentiality provisions. For information on the third parties that we work with, see our list of supported sub-processors.
- Support: For troubleshooting customer’s issues
- Engineering: if necessary
Cyber-insurance
We are covered by both cyber liability insurance and technology (errors & omissions) insurance under policies provided by Booking Holdings Inc. Access to details regarding these policies is limited to Management, Legal, and Security personnel. However, a Certificate of Insurance (COI) listing the details can be obtained if a client specifically requests it by submitting a Legal Request (including reason for needing the COI). The Legal team will then review the request and provide you with a copy to share with the client.