NFTCONOMY Technologies provides NFTCONOMY as a 'Software as a Service' (SaaS) product to its users to solve their NFT analytics problems. Security is a key component in our offerings, and is reflected in our people, processes and products. This page covers topics like data security, operational security, and physical security to explain how we offer security to our customers.
We regularly review procedures and policies in NFTCONOMY to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. We also do periodic internal audits to facilitate independent audits and assessments by third parties.
All workstations used NFTCONOMY run up-to-date OS versions and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and be tracked and monitored by NFTCONOMY's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle.
NFTCONOMY controls access to their resources (buildings, infrastructure and facilities), where accessing includes consumption, entry, and utilization, with the help of ID cards. They provide employees, contractors, vendors, and visitors with different ID cards that only allow access strictly specific to the purpose of their entrance into the premises.
All workstations issued to NFTCONOMY employees run up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and be tracked and monitored by NFTCONOMY's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting NFTCONOMY's production infrastructure. All software is tested before being transferred to our client's servers running their installation of NFTCONOMY.
We monitor firewall access with a strict, regular schedule. AWe reviews all changes made to the firewall. Additionally, these changes are reviewed every three months to update and revise the rules. We also monitor the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using our various tools and notifications are triggered in any instance of abnormal or suspicious activities in our production environment.
All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and NFTCONOMY services will still be available to them. In case of an on-premise installation, this responsibility will lie in the hands of the client.
We additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.
We use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.
All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.
Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. At the application layer, we run a firewall that enforces various network policies.
At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented via pfSense with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer. This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any.
Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with code analyser tools, vulnerability scanners, and manual review processes.
Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection, Cross-site scripting and application layer DOS attacks.
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer. Users don't have to worry about data isolation in the case of an on-premise cloud.
The service data is stored on our servers when you use our services. Your data is owned by you, and not by NFTCONOMY. We do not share this data with any third-party without your consent.
In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally for email, our services leverages opportunistic TLS by default. TLS encrypts and delivers content securely, mitigating eavesdropping between servers where peer services support this protocol.
We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled HTTP Strict Transport Security header (HSTS) to all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure.
At rest: Customer data at rest is encrypted using 256-bit Secure Hashing Algorithm (SHA-2). We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.
We hold the data in your account as long as you choose to use NFTCONOMY Services. Once you terminate your NFTCONOMY user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your account being inactive for a continuous period of 120 days, we will terminate it after giving you prior notice and option to back-up your data.
NFTCONOMY offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. When you sign in to any NFTCONOMY service, it happens only through our integrated Identity and Access Management (IAM) service.
SSO simplifies login process,ensures compliance, provides effective access control and reporting, and reduces risk of password fatigue and hence weak passwords.
It provides an extra layer of security by demanding an additional verification that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user's password is compromised. Currently, an email-sign in and otp verification system only is supported.
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.
We monitor and analyse information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
Detailed audit logging covering all update and delete operations performed by the user are available to the customers in every NFTCONOMY service and can be obtained from us through a super admin.
We actively scan for security threats using a combination of certified third-party scanning tools and with automated and manual penetration testing efforts. Furthermore, we actively review inbound security reports and monitor public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.
Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.
We scan all user files using our automated scanning system that's designed to stop malware from being spread through NFTCONOMY's ecosystem. Our custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns.
NFTCONOMY supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic. We also use our proprietary detection engine for identifying abuse of NFTCONOMY services like phishing and spam activities. Additionally, we have a dedicated anti-spam team to monitor the signals from the software and handle abuse complaints.
Application data is stored on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.
We have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations such as support and infrastructure management.
We have an automated incident reporting system that notifies you via mail. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will provide you with necessary evidences regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond to the security or privacy incidents you report to us through firstname.lastname@example.org, with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organisation administrator registered with us).
As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay.
If you happen to find any bugs or loopholes in our system that may lead to a breach of security or data leak, please submit the issues here. If you want to directly report vulnerabilities to us, mail us email@example.com.
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering us service, and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization's process and security measures by conducting periodic reviews of their controls.
So far, we have discussed what we do to offer security on various fronts to our customers.Here are the things that you as a customer can do to ensure security from your end:
Security of your data is your right and a never-ending mission of NFTCONOMY. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, feel free to contact us at firstname.lastname@example.org.