Platform security

From Tygron Support wiki
Revision as of 11:17, 19 April 2022 by Bobby@tygron.nl (talk | contribs)
Jump to navigation Jump to search

(Update) In december 2021, a major security vulnerability was detected in Log4J that is used by many Java applications. Tygron uses Java but has always preferred to use its own logging system and is therefore NOT affected. We have also verified that none of the underlying libraries are using Log4J. We will continue to actively monitor this and other vulnerabilities.

Tygron observes due care with regard to your privacy and the security of your data. Our policy is based on the General Data Protection Regulation (GDPR) and we have taken any possible technical and organisational measures to protect (personal) data. Please click here to find out how Tygron applies safety and data protection. Our starting points are:

  • The licence is applied by the user to work in a private domain protected by a password. This domain is managed by the user who determines who has access and to which project.
  • The personal data entered by a user under domain management are limited to the data required to execute the license agreement: the ability to provide support and the ability to inform about the maintenance and upgrades to the Platform. This includes the name and email address (needed to be able to obtain a password).
  • The telephone number is optional.
  • Users can indicate whether they do not want to receive emails about maintenance and upgrades.
  • These data are visible to the user under ‘my account’ in the Platform.
  • A username can be deleted by the domain manager and by Tygron (at request).
  • Within the project, it will be visible when a user and which user has worked on what version. Projects can be removed by the user or (at request) by Tygron.
  • Upon termination of the license agreement, the associated personal details and projects will be deleted; backups will be deleted after two years.
  • Personal data are not shared with other processors without permission.
  • The Tygron Platform only loads open data for projects by default. Although possible, it is not necessary for the user to add data to projects in advance. Data added by a user to projects and the domain are sent encrypted and stored securely (see ‘technical measures’).
  • Back-ups of projects are retained for 2 years and can be removed by Tygron at request. Data in the backups can also be given access to at request. Early removal of projects and access to data involve costs that are proportional to the hours to be spent for this purpose.
  • Tygron is only a data processor with regard to data in projects and cannot and will not use them for its own purposes. Consequently, processing only takes place on the basis of the license agreement.
  • The owner of the data (i.e. not Tygron) is responsible for ensuring that the use of such data is lawful.
  • We do not engage subprocessors by default. Should this ever be an item, then this will only take place with written permission.
  • Tygron observes strict confidentially with regard to handling data. If a user wants Tygron to look into projects, for example to provide support, then Tygron’s support department cannot gain access to the project until the user has requested Tygron’s assistance.
  • Tygron employees who have access to the source code in view of their position and consequently also to project data, have entered into an additional confidentiality contract.
  • The Tygron Platform runs in the data center of Dataplace. This ultramodern Tier III data center, located well above sea level, is in line with the further professionalization of the Tygron Platform in terms of security of supply, stability, safety and sustainability. We use an encrypted SSL connection (see below for details).
  • The software is offered as SaaS. This means that the software is and continues to be Tygron’s property and that access as well as support and maintenance can be obtained through a license. The Tygron Platform consists of a Client and Server Application.
  • The data (projects) are saved and edited in the server application. The customer retains the title to such data at all times. The customer can retrieve/delete the data and assign rights via the Client Application.
  • A log is kept in which is visible when projects are active. This is necessary to see if a user stays within the agreed license limits.
  • Statistics are kept on how users use the application. These logs are immediately anonymous and are only for improving the software and support purposes.
  • Automatic crash logs can sometimes also contain personal data, these are only used to improve the software and then deleted.


Tygron Platforms security is organised as follows:

  • Industry standard SSL encryption for sensitive data in connections.
  • Tygron uses the latest and most secure TLS version 1.2. All communication is encrypted via the latest SSL versions (including internal backups and maintenance access to the machines themselves).
  • Implementing two-factor authentication is in a advanced state of preparation. We would love to hear if you are interested in this.
  • Brute-force intrusions are automatically recognized and there is the option to immediately disable logins.
  • The server’s authenticity is verified via an industry-standard certificate protected with SHA-256 hashes.
  • The application is largely built in Java, fully owned by Tygron and uses a number of widely used industry standard open-source components.
  • Both client and server contain various security mechanisms to prevent reverse engineering, manipulation or hacking.
  • Access to the server (and stored data) is only possible via encrypted protocols such as SSH and SFTP. The same applies to automatic backups via SFTP.
  • We have a firewall that blocks everything except specific IP addresses.
  • Our server is built with our own hardware and runs entirely under our own management at the Hague (NL). The machines are locked in a datacenter where only Tygron staff have physical access.
  • The servers run Ubuntu Linux, one of the most secure operating systems and standard for many web servers.
  • The datacenter also has firewalls that can repel any attacks.
  • User passwords are stored via hashes, this is the legal standard (GDPR) and prevents the original passwords from being retrieved if they end up with persons that should not have access to them.
  • The customer has his own domain in which users have different rights to be able to adjust, start up, view, etc. projects.
  • Every action performed by a user is verified for rights.
  • Each domain has an admin account where these rights can be set. By default, Tygron support has no access either; all we can do is view the domain with the project owner’s permission.
  • Errors as well as illegal login attempts are reported to Tygron directly via the server through an encrypted connection. Should a data breach nevertheless occur, the customer will be promptly notified and action is taken in accordance with legislation.

Back up and restore strategy

  • Every week a backup of the customer data is made on the production server of Tygron. This backup is made to an external server at another location in the Netherlands. Project backups are kept for a maximum of two years but can be deleted earlier on request.
  • Version management is made possible in our software to enable the recovery of a project in case of customer-specific problems.
  • The user can save multiple versions of the same project to easily revert to a previous version in case of problems.
  • In the event of calamities such as a disc crash, the customer data will be restored using the external backup, whereby data is only lost up to a maximum of a week.

Organisational measures

  • Data leaks are reported to Tygron’s management and documented by COO. Data leaks are reported to the parties concerned in accordance with legislation. The COO is responsible within Tygron for taking actions in accordance with the GDPR.
  • Before the date when the GDPR became into force, the preparatory steps as published on the website of the Dutch Data Protection Authority were examined. These steps were discussed with Tygron’s management and the team in May/June 2018.

Tygron’s existing processing agreements have been verified and comply with the GDPR:

  • The Freshdesk application is used for our support helpdesk.
  • Freshdesk has its own privacy notice in accordance with the GDPR:

Freshworks

Tygron does not store the data entered in Freshdesk elsewhere and does not use it outside the application either.