We process and analyze the most valuable data in existence: yours. As such, it is important to us to explain to you exactly how we ensure the security of your data. And, if our explanations are not enough, please don’t hesitate to ask questions!
Security guaranteed on every level
The various issues related to data security and reliability are at the heart of Mobapi’s development strategy. These aspects have been integrated throughout the development process and at every level of our software.
1/ Collection of data
Mobapi collects data in two different ways:
- Directly from the Cloud, using our Mobapi.COLLECT connectors;
- Via a hardware agent: the Mobapi.BOX (for more information, please read our article).
Collection from the Cloud uses the encryption standards that are imposed by data providers.
Let’s take the Sigfox connector as an example; it builds the connection between Sigfox’s Cloud and Mobapi. It is encrypted using an SSL/TLS certificate (SHA-256 using RSA encryption and a 2,048-bit key). To ensure that it is secure, this connectivity has undergone a process of certification: https://partners.sigfox.com/products/mobapi.
The same level of security is applied to all our connectors with third-party Cloud services.
The Mobapi.BOX hardware agent is inserted at the heart of infrastructure deployments to collect data as close as possible to the source. They are then sent to Mobapi.CORE, our Cloud-based data processing module.
It combines the following characteristics:
- High availability: Mobapi.BOX is deisgned to operate autonomously. For example, in the event of a connectivity incident, our module is capable of storing data gathered in a local buffer in order to transmit them once connectivity is re-established.
- Non-intrusiveness: Mobapi.BOX does not require any changes to the customer’s network hardware, as its network footprint is identical to that of a modern browser.
- High levels of isolation: to ensure optimal levels of security, Mobapi.BOX is isolated from public networks by the use of a latest-generation Netfilter firewall. This firewall is configured to allow only communications between the Mobapi agent and Mobapi.CORE.
- Confidential communications: All communication between Mobapi.BOX and Mobapi.CORE are encrypted using an SSL/TLS certificate (SHA-256 with RSA encryption and a 2,048-bit key).
2/ Hosting, processing and provision of data
When data arrives in the Cloud, it must be processed and stored securely.
Storage in our databases
Our databases are operated by Mongo Atlas, a longstanding provider of non-relational database services, and hosted in a “sovereign cloud” within national borders and hosted on infrastructure provided by AWS France (eu-west-3).
- Each database is isolated in its own VPC and is segregated per customer to ensure that information is fully isolated.
- Databases are organized in clusters for the purposes of replication and to ensure high levels of availability.
- Authentication and all exchanges between the Mobapi.CORE processing units and the databases are encrypted using an SSL/TLS certificate.
- Data storage is protected by “encryption at rest.” It makes use of AES256-CBC (Advanced Encryption Standard in Cipher Block Chaining mode with a 256-bit key) via OpenSSL.
- Finally, each database is linked to a dual backup mechanism: incremental backups on an ad hoc basis and complete backups each day.
More details about MongoDB can be found at: https://www.mongodb.com/cloud/atlas/faq#security.
Mobapi.CORE is built around a Docker micro-services architecture model (with stateless servers). Each service ismonitored and any incidents that may occur trigger an event and cause the relevant service to be restarted automatically. The combination of Docker architecture and AWS infrastructure ensures maximum levels of availability. Micro-services are installed using a flexible architecture with automatic adjustments to their quantity in response to exceptional increases in resources as a result of data processing.
All micro-services are isolated within a VPN (virtual private network). All hosted instances are secured by SSH hosting with a 2,048-bit private key. Each instance is also protected by a firewall so that it is only open to the strict minimum number of accessible services.
Amazon Web Services’ SLA guarantees monthly server availabilty of at least 99.99%.
For more information on Amazon Web Services, please refer to https://aws.amazon.com/fr/compliance/programs/
Provision of data
Data that is stored in Mobapi.CORE is then delivered using secure web APIs:
- TLS/SSL encryption (SHA-256 with RSA encryption and a 2,048 bit key)
- Combined username and password authentication
These APIs may be accessed via different systems such as alert systems or a monitoring dashboard in the form of a web application.
Web applications provided by Mobapi are based on the technical layer known as Mobapi.VISION. All communications between the web application and Mobapi.CORE are made using the APIs provided by Mobapi.CORE. These APIs use the TLS/SSL encryption standard (SHA-256 with RSA encryption and a 2,048-bit key) to ensure that data is transferred confidentially.
Users’ secure access to Mobapi.VISION applications is based on:
- Hashed passwords using the bcrypt feature, which is used with a large number of iterations
- Confidential communications using TLS/SSL encryption
- Encryption at rest of the MongoDB databases.