The Giraffe Platform is built entirely on Google Cloud Platform (GCP), and our security program relies on Google's recommended best practices and certifications. We make regular changes to our architecture and dependencies to comply with those best practices.
We make use of their multi-zone redundancy, backups, encryption at rest and in transit, authentication management and logging, and our core database is backed up daily.
We have logging of user access to enable detection of cybersecurity events, and all incidents are documented and shared with our development team and then relevant customers as appropriate. We regularly make use of Google Cloud’s automated Threat Detection and Security Scanner features and fully comply with recommendations.
Data is secure at all times and is encrypted both at rest and in transit as per the GCP encryption processes and standards, which include the following:
At Rest:
- GCP provides users with several layers of encryption to protect customer data at rest in Google Cloud products. Google Cloud encrypts all customer content stored at rest, without any action required from the customer, using one or more encryption mechanisms.
- Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key. These data encryption keys are stored with the data, encrypted with ("wrapped" by) key encryption keys that are exclusively stored and used inside Google's central Key Management Service.
- All data stored in Google Cloud is encrypted at the storage level using AES256.
- Google uses a common cryptographic library, Tink, which incorporates Google's FIPS 140-2 validated module, BoringCrypto, to implement encryption consistently across almost all Google Cloud products.
- Consistent use of a common library means that only a small team of cryptographers needs to implement and maintain this tightly controlled and reviewed code.
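The chunk, data encryption key (DEK) and key encryption key (KEK) scheme described above, shown for a single chunk as an added example; this is not Giraffe's or Google's code. The function names are hypothetical, AES-256 in GCM mode is an assumed cipher mode, and the KEK is a local stand-in for a key that would be held inside a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: never continue with a predictable key or nonce
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a configuration bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil) // fails on wrong key or tampering
}

// sealChunk encrypts one chunk under a fresh DEK and wraps that DEK with kek.
func sealChunk(kek, chunk []byte) (wrappedDEK, ciphertext []byte) {
	dek, n1, n2 := random(32), random(12), random(12) // per-chunk DEK, one nonce per encryption
	return gcm(kek).Seal(n1, n1, dek, nil), gcm(dek).Seal(n2, n2, chunk, nil)
}

func openChunk(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	if dek, err := open(kek, wrappedDEK); err == nil && len(dek) == 32 {
		return open(dek, ciphertext) // unwrap first, then decrypt with the recovered DEK
	}
	return nil, fmt.Errorf("DEK unwrap failed for %d-byte wrapped key", len(wrappedDEK))
}

func main() {
	w, ct := sealChunk(random(32), []byte("constructed sample chunk")) // random KEK: stand-in (assumption)
	fmt.Println(len(w), len(ct)) // 60 52: each is 12-byte nonce + data + 16-byte tag
}
```

Only the wrapped DEK and the ciphertext are stored together; without the KEK the stored record cannot be decrypted, and a wrapped DEK from one chunk does not open another chunk.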
In Transit:
- Google employs several security measures to help ensure the authenticity, integrity, and privacy of data in transit.
- Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but not necessarily encrypted.
- Depending on the connection that is being made, Google applies default protections to data in transit.
All of our security policy is first and foremost based on Google Cloud best practices, and we are currently working towards ISO-27001 certification.
Governance:
- An organisation's data is wholly contained within a single 'Workspace' managed by the organisation's administrator. The administrator has the sole right to provision users, teams and permissions to keep content secure.