Before starting
Hosting a large amount of data on behalf of associations, Springly makes every effort to provide an excellent level of security and service.
Here, in a few lines, are the technical measures we apply.
- Defining the SaaS model
- Hosting
- PaaS: Platform as a Service
- Personal data
- Images and documents
- Banking data
- Domain name
- Security
Defining the SaaS model
The service offered operates on a "SaaS" basis, for "Software as a Service". This means that customers don't buy software to install on their own servers but benefit from the availability of our resources, services, and expertise on our servers. The main advantages are as follows:
- Rapid deployment and production of the solution;
- No technical knowledge is required on the part of the customer to take advantage of the service;
- Maintenance-free for the customer;
- Continuously available improvements.
Find out more: https://en.wikipedia.org/wiki/Software_as_a_service
The subscription includes all updates required to keep the existing system running, as well as future enhancements to the tool.
Hosting
We are customers of Microsoft France, whose servers are located in France and Europe.
PaaS (Platform as a Service)
Our sites are hosted on Microsoft France PHP instances.
In the same way that our customers outsource software management to us, we entrust Microsoft with the technical management and maintenance of our servers, so that we can concentrate on our core business: software publishing. We believe that each of us (customers, Microsoft and ourselves) should do what we do best and not spread ourselves too thin.
In the event of a traffic surge, Microsoft's infrastructure switches on more servers to ensure the availability of our service. The resources allocated to our instances are dedicated: this means we are not impacted if another Microsoft customer experiences a spike in visits.
Personal data
Springly complies with the General Data Protection Regulation (GDPR, known as RGPD in French), which came into force on May 25, 2018.
Your data belongs to you. Springly is therefore not a "Data Controller", but a "Data Processor" (within the meaning of the RGPD).
As such, Springly builds the security of personal data in from the product design stage, and notifies and advises the association in the event of a leak.
Personal data on non-subscription platforms is deleted or anonymized at the association's request.
We undertake never to pass on your details to a third party for commercial purposes. As such, we invite you to discover our privacy policy.
Images and documents
Images and documents uploaded to our platform are stored in Amazon S3 with the highest level of redundancy.
Versioning is active on every bucket we use: in other words, every time an object is overwritten or deleted, its previous version is retained. This protects against accidental deletion of resources.
Objects are not publicly readable: an ephemeral key must be supplied to access a resource.
Banking data
Each customer has his or her own online account with Adyen, our payment service provider.
At no point do the financial flows pass through our own accounts: the funds are stored with the payment partner, along with the various supporting documents needed to maintain the accounts.
Adyen provides us with a statement of all transactions carried out on the various accounts.
Here too, we rely on the expertise of a banking professional.
Access to their system is restricted to an allow list of IP addresses.
About Adyen
The payment provider is fully PCI DSS 3.2 compliant as a Level 1 provider. This is the main security standard governing the payments industry.
As a payment institution, the payment provider is supervised by the Dutch Central Bank and complies with the requirements of the European Payment Services Directive (EU Directive 2015/2366).
The payment provider has anti-DDoS protection (against malicious attempts to make a site unavailable) and uses secure, encrypted storage methods.
Domain name
We register domain names on behalf of our customers within the domain portfolio of our reseller account with Gandi. At any time, we can release the domain to transfer full management to a customer who wishes to do so. https://www.gandi.net/en
Security
Bug Bounty
We have a private program at Bounty Factory where we invite software developers to look for security vulnerabilities in the software.
Online payment
We activate the 3-D Secure system on all our payments, with no minimum threshold. This system, designed by Visa and Mastercard, aims to limit fraud by checking at each payment that the card is being used by its legitimate holder. https://en.wikipedia.org/wiki/3-D_Secure
User login
Each user can activate a 2-step authentication mechanism. This mechanism is mandatory for all our employees. https://en.wikipedia.org/wiki/Strong_authentication
User passwords are not stored in cleartext but hashed and salted. The principle of hashing is to store a fingerprint of the password, computed with a one-way function: the password cannot be recovered from its fingerprint. To log a user in, the fingerprint of the password entered is computed and compared with the stored fingerprint. Thus, even if our database were compromised, the passwords themselves would not be accessible to the attacker. https://en.wikipedia.org/wiki/Hash_function
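As an added illustration of the salted hashing and login check described above (example code, not Springly's implementation; the page does not name the hash function, so PBKDF2-HMAC-SHA256 with a random per-user salt and an assumed iteration count is used here):

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; the page states no specific value


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$digest_b64.

    Only the fingerprint (digest) and its salt are stored, never the password.
    """
    if salt is None:
        # Fresh random salt per user: identical passwords yield different records,
        # so a leaked table cannot be attacked with one precomputed lookup.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the fingerprint from the stored salt and parameters and compare it
    in constant time; a malformed record simply fails the check."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return False
    try:
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(parts[1]))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below the current policy; the application
    re-hashes the password on the next successful login, since only then is the
    cleartext available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```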
Connection between computer and server
We provide our customers with SSL certificates to enable connection to the site via the secure HTTPS protocol. These certificates are supplied by Comodo, a recognized certificate authority. Sessions use 128-bit symmetric keys negotiated with the ECDHE_RSA key exchange over the TLS 1.2 protocol. We no longer use the SHA-1 algorithm for certificate signatures, in favor of SHA-256.
Mailgun is used to send emails.
Every email sent by the platform is signed with the DKIM standard to prevent spoofing of our domain. We have also adopted the SPF standard to combat spam. https://fr.wikipedia.org/wiki/DomainKeys_Identified_Mail
Unit Testing
Each feature is broken down into small units, each of which is covered by a so-called unit test. We check that, for a given input, the function's output matches what is expected. We don't release updates to production until all tests pass. https://en.wikipedia.org/wiki/Unit_testing
Bug solving
In the event of a bug on the platform, our technical teams receive a detailed report so that they can correct it even if the user who encountered it does not report it. These reports are read several times a day so that we can respond as quickly as possible.
Code versioning
We use Git as our version control tool. As well as recording every change made to the code, it allows us to roll back an update if a bug slipped through our tests undetected.