Cyver is fully secure.
Your security and privacy are our top concern. Cyver strives to keep your data secure across all our services
The safety and security of your data is our top priority. The following comprises a summary of our actions and policies intended to guarantee the safety of your data with Cyver. Have questions or feedback? Reach out to us at email@example.com
Reliable in every aspect
Cyver uses Microsoft Azure to manage user data. All data is stored redundantly and automatically backed up. Our server architecture and network connectivity are fully redundant, meaning even if a hardware component fails, Cyver stays accessible. We maintain more than 99,6% uptime, which guarantees service continuity and offers quality assurance.
All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Microsoft Azure. Microsoft Azure provides strong security measures to protect our infrastructure and is compliant with most certifications. You can read more about their practices here.
Data center security
Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where your data is stored. Microsoft understands the importance of protecting your data and is committed to helping secure the datacenters that contain your data. Microsoft has an entire division devoted to designing, building, and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.
Microsoft Azure runs in datacenters managed and operated by Microsoft. These geographically dispersed data centers comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. The data centers are managed, monitored, and administered by Microsoft operations staff. The operations staff has years of experience in delivering the world’s largest online services with 24 x 7 continuity.
Azure builds data centers in clusters in various countries around the world. Cyver’s data (including backups) are solely stored in The Netherlands. Azure is fully compliant with all applicable EU Data Protection laws.
Network level security monitoring and protection
Our network security architecture consists of multiple security zones. We monitor and protect our network to prevent unauthorized access using:
- A firewall that monitors and controls incoming and outgoing network traffic.
- An Intrusion Detection and/or Prevention (IDS/IPS) solution that monitors and blocks potential malicious packets.
- IP address filtering
- DDoS protection
We use Distributed Denial of Service (DDoS) mitigation services.
- Encryption in Transit: All data sent to or from our infrastructure is encrypted in transit using industry best-practices visa Transport Layer Security (TLS). View our SSLLabs report here
- Encryption at Rest: All user data (including passwords) is encrypted using battle-proof encryption algorithms.
Data retention and removal
Application security monitoring
We utilize technology to protect the privacy of our users and our website:
- Security monitoring to ensure application security visibility, identify attacks, and respond quickly to potential data breaches
- Monitor exceptions, logs, and detect application anomalies
- Collect and store logs to provide an audit trail for application activity
- Utilize open tracing and other monitoring in our microservices
Application security protection
Cyver utilizes security protection technologies and systems including:
- Runtime protection system to identify and block OWASP 10 and business logic attacks in real time
- Security headers to protect users from attacks
- Security automation capabilities to automatically detect and respond to threats targeting apps
Data Privacy and Usage
Cyver maintains all data within EU borders. We only use customer data to provide requested services. Data is not sold, rented, or disclosed to third parties in any way. We don’t mine or access data for advertising purposes.
Any data remains the property of the original provider. Cyver does not delete data without providing notice and the opportunity to export.
Business continuity and disaster recovery
Cyver backs up all critical assets following a schedule with a maximum 24-hour RTO and RPO. Backups are regularly tested to ensure a fast recovery in case of disaster. All backups are encrypted.
All connections to websites or services are protected via encrypted connections, such as the Secure Socket Layer (SSL) protocol. Cyver uses SSL-encrypted connections as a default, or the same level of encryption used by financial institutions to secure online banking transactions. Encryption is used on both external and internal connections. This ensures sensitive information is never sent or received as readable text. Cyver ensures a clear separation of data between customers.
Our developers work utilizing security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:
- Developers participate in regular security training to learn about common vulnerabilities and threats
- Code is regularly reviewed for security vulnerabilities
- Dependencies are regularly updated to prevent known vulnerabilities
- Static Application Security Testing (SAST) is used to detect basic security vulnerabilities in our codebase
- Dynamic Application Security Testing (DAST) is used to scan our applications
- Third-party security experts perform application penetration tests on a quarterly basis
We encourage everyone to practice responsible disclosure. Our bug bounty program offers rewards at our discretion, depending on the criticality of the reported vulnerability. It is available to individuals who comply with our policies and terms of service. Please avoid automated testing. Only perform security testing with your own data. Please do not publicly disclose any information regarding the vulnerabilities until we fix them.
Contact firstname.lastname@example.org to report vulnerabilities. Please include a proof of concept. We will respond to your submissions as quickly as possible. We won’t take legal action if you follow the rules.
Accepted vulnerabilities are the following:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This bug bounty program does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user’s machine
Account takeover protection – We monitor for breaches and actively block brute force attacks
Role-Based Access Control – Users can define roles and permissions on all our accounts for Role-based access control (RBAC)
Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support.
Cyver maintains a strict internal policy to prevent any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support. All employees sign a non-disclosure and confidentiality agreement when joining the company.