The WhiteHat Security strategy is to mitigate risk while complying with legal, statutory, contractual and internally developed requirements. WhiteHat Security complies with the General Data Protection Regulation (GDPR). WhiteHat Security secures data in a high-availability, ISO 27001 and SOC 2 compliant data center.
WhiteHat infrastructure is located at Cyxtera’s SSAE 18 and ISO 27001 compliant data center (“data center”); the data center provides physical protection, monitoring, and redundancy:
- Secure building infrastructure – Server rooms are environmentally and physically independent.
- Process and procedure – Security guards manage physical and electronic monitoring; 24×7 static and roving patrols are audited by an interactive confirmation system.
- Surveillance – All passageways, entrances, and exits are recorded on video. Footage is retained for 90 days.
- Zones – Secure zones provide low, medium-low, medium, medium-high, and high security zone segmentation in order to reduce intrusion risk.
- Redundancy – N+1 redundant power supplies, chillers, and fire suppression maintain security.
- Authentication – Multi-level authentication methods including PIN, badges, and biometric scanners control access to individual security zones.
- Access – Data center employee access is based on job function and limited to the applicable security zone.
- Background Checks – Personnel screening includes drug tests and background checks going back 7 years.
Data Center Network Traffic
All network traffic flows through network appliances that provide:
- High availability – Logical network topology designed for data assurance enables one network device to take over for another during unplanned failure or planned maintenance / replacement.
- Network intrusion detection – Analysis of network traffic patterns generates system alerts and dynamic traffic blocking when attack signatures are detected.
- Network firewalls – Network firewalls permit granular control of network traffic and govern which protocols, source IPs, and destination IPs are denied.
- Web Application Firewalls – These firewalls analyze web application traffic and dynamically block known attack patterns.
WhiteHat Security Technology and Processes
WhiteHat employs the following security technology and processes:
- Role-based access is used to restrict access to customer data, error data, and results data.
- Results are strictly restricted to the user account. Results are not available to other users within the organization.
BRUTE FORCE ATTACK PREVENTION
- After three (3) failed login attempts, a CAPTCHA is required for each unsuccessful attempt thereafter, to prevent brute force and DDoS attacks against the login.
DATA RETENTION AND DELETION
- No user data is retained other than the past five scan results.
- User files are deleted after each successful scan.
- In case of errors, error files are retained for up to 30 days for troubleshooting on request and are set to auto-delete within 30 days.
- In transit – Data from the end user to WhiteHat is transmitted over a secure connection.
- At rest – All customer data, including results, failed files retained for debugging, and logs, is encrypted at rest.
All successful and unsuccessful login attempts (IP address, username, browser information) are logged for monitoring and forensic purposes.
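As an added example (not WhiteHat's code; the credential map, account name, IP address and user agent are constructed), this Python sketch implements the two login controls described on this page: a per-account counter that requires a CAPTCHA once three attempts have failed, and an audit record of every attempt carrying the IP address, username and browser information.

```python
import hmac
import json
from collections import defaultdict
from datetime import datetime, timezone

# Threshold stated on the page: CAPTCHA is required after three failed attempts.
FAILED_ATTEMPTS_BEFORE_CAPTCHA = 3


class LoginGuard:
    """Per-account failure counter with a CAPTCHA gate and an audit trail.

    `credentials` is a constructed username -> password map standing in for a
    real password verifier; `audit_log` collects one record per attempt.
    """

    def __init__(self, credentials):
        self._credentials = credentials
        self._failures = defaultdict(int)   # username -> consecutive failures
        self.audit_log = []                 # every attempt, successful or not

    def captcha_required(self, username):
        return self._failures[username] >= FAILED_ATTEMPTS_BEFORE_CAPTCHA

    def attempt(self, username, password, ip, user_agent, captcha_solved=False):
        """Return (success, outcome); outcome is 'success', 'failure' or
        'rejected_captcha_required'."""
        if self.captcha_required(username) and not captcha_solved:
            # The gate is checked before the password is compared, so a guessing
            # loop learns nothing about the password once the threshold is hit.
            success, outcome = False, "rejected_captcha_required"
        else:
            expected = self._credentials.get(username, "")
            # Constant-time comparison so response timing does not leak a near miss.
            match = hmac.compare_digest(expected.encode(), password.encode())
            success = match and username in self._credentials
            outcome = "success" if success else "failure"
        if success:
            self._failures[username] = 0    # a good login clears the counter
        else:
            self._failures[username] += 1   # every unsuccessful attempt counts
        # Record the fields the page lists: IP address, username, browser info.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "username": username, "ip": ip, "user_agent": user_agent,
            "outcome": outcome,
        })
        return success, outcome


if __name__ == "__main__":
    guard = LoginGuard({"alice": "correct-horse"})  # constructed account
    for pw in ["guess1", "guess2", "guess3", "correct-horse"]:
        print(guard.attempt("alice", pw, "203.0.113.7", "Mozilla/5.0 (constructed)"))
    for record in guard.audit_log:
        print(json.dumps(record))
```

The fourth call in the demo supplies the right password but no CAPTCHA, so it is rejected before the password is checked; the audit log lines are one JSON object per attempt, ready to ship to a SIEM.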