Uberall’s software-as-a-service solution is built around a security and privacy-first philosophy. Uberall’s robust data security measures, in conjunction with comprehensive audits of its applications, infrastructure, and networks ensure that client data is always protected. 1,000,000+ business entities (Locations) across the globe trust Uberall to manage their sensitive business and end-customer data. 

Compliance & Privacy

GDPR

Uberall is fully committed to protecting and respecting the privacy of its users and complies with applicable data protection laws, in particular GDPR.

To maintain continuous compliance with data protection laws an identified role has the responsibility to oversee and coordinate all privacy related endeavors within the Uberall group. 

At the same time Uberall is aware that sustainably ensuring data protection is a joint effort. Uberall’s employees undergo privacy trainings to ensure that all business units continuously challenge and optimize their activities under consideration of privacy aspects as well.

As part of the contractual provision of services, Uberall uses third parties as processors of personal data within the meaning of Art. 28 of the GDPR. An overview of such processors as well as Uberall’s technical and organizational measures under Article 32 (1) of the GDPR (TOM) can be found here . 

Infrastructure Security

Uberall is hosted entirely on Amazon Web Services (AWS) and leverages all of the platform’s built-in security, privacy and redundancy features to provide the highest standards of privacy and data security to customers. Each AWS Region is designed and built to meet stringent compliance standards, including ISO/IEC 27001:2013, SOC 1, PCI DSS Level 1. For detailed information, check the  AWS Compliance page. AWS states to be fully compliant with all applicable EU data protection laws. For more information regarding AWS security, please refer here.

• Network Security: AWS Network Firewall is used for essential network protection. Default-deny strategy is used to allow only mandatory traffic to go through.

• DDoS Prevention: AWS Shield offers multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic while allowing good traffic through. This keeps Uberall’s websites, applications, and APIs highly available and performing.

• Intrusion Detection & Prevention: Uberall uses AWS GuardDuty as a threat detection and continuous monitoring tool for its infrastructure. 

• All wireless networks are protected with WPA3-PSK.

• DMZ: Only balancers and bastion hosts are accessible from the internet; every other resource is inside a private VPC

Internal Security

• Single Sign-On: Uberallers connect to and use all internal tools and third-party services via Google Single Sign-On (SSO) to ensure minimal password security surface area
• MFA: All employees are required to use MFA for their Google account, and anomalous log-ins and events are monitored by Google Suite and monitored regularly by our IT team
• Password strength: We enforce strong password rules globally for Google accounts, and Google Suite adheres to industry-standard best practices in encrypting and salting passwords

Application Security

Role-Based Access Control

Uberall uses role-based access control policies to restrict system access to authorized users only. Customers can configure a granular level of access permissions across two dimensions - User Level, Feature Level. Routines are run regularly (weekly at least) to ensure there's no deviation from pre-defined expectations and policies. Learn More about User Access Control. 

Vulnerability Management

Here are a few salient facets of our vulnerability-handling approach:

• In-house security team to constantly scan Uberall’s core applications against the OWASP Top 10 security risks and resolve any discovered issues.
• Automated scans with OWASP ZAP to detect security vulnerabilities. Uberall servers are regularly patched with the latest security updates. (OS, Libraries, applications)
• Patching: For OS security patches, we have enabled unattended-upgrades so they are applied automatically. Libraries and applications are continuously scanned and upgraded manually as soon as vulnerabilities have been discovered and upgrades are tested.
• Regular SpotBugs, Sonarqube, and CodeNarc scans to monitor our code repositories and to help us enforce coding standards and best practices.
• Intrusion Detection System (AWS GuardDuty). Continuous monitoring of AWS network traffic and workloads for malicious or unauthorized activities. 

CSRF

All POST requests are checked for CSRF token before processing the request.

Cross-Site Scripting XSS

All user inputs are properly encoded and sanitized when displayed. Uberall has enabled Content Secure Policy for an added layer of security to mitigate Cross-Site Scripting XSS and data injection attacks.

SQL Injection

Uberall uses ORMs and performs server-side validations to avoid SQL, NoSQL, OS, and LDAP Injection attacks. 

Logging & Monitoring

• Uberall has adopted appropriate tracking measures to ensure accountability of performed operations and to monitor and analyze any anomalous or suspicious events.
• Uberall maintains logs for all information gathered from services, network traffic, all logins, access control failures, server-side input validation failures, and administrator activities, to name a few. 
• These logs are monitored and analyzed in real time to help identify potentially malicious or unauthorized activity.
• All log file information is replicated in a central database to prevent loss or manipulation and to aid with the lifecycle management of audit logs.
• Uberall uses AWS GuardDuty for threat detection and for continuous monitoring of all outgoing and incoming traffic. 

Incident Management

Uberall has an incident response process in place for security events that may affect the integrity, or availability of our systems and data. It includes:

• Constant monitoring and intrusion detection 
• Creation of alerts, notifying clients, incident tickets, and a dedicated task force to assess the issue
• Assessment of the severity and extent of the damage 
• Breach Containment
• Elimination of the root cause 
• Recovery and return to normal operations 
• Post-mortem, Documentation

Reporting Security Incidents

Security incidents can be reported at security@uberall.com (or internally in #security).

The security team will review all reports, and take the necessary actions (e.g. raise an internal ticket).

Business Continuity

In order to ensure product resilience in the case of unforeseen issues, we maintain a strict business continuity policy, including:

• Daily database backups, duplicated across three availability regions
• Regularly tested disaster recovery plan for restarting fallen infrastructure
• Automated alerts across all our systems to catch issues at inception
• On-call Devops team ready to respond to issues 24/7

Quality Assurance

Uberall has employed a dedicated team of Quality Assurance / Software testing engineers, to identify, test, and triage security vulnerabilities in code and relay it continually to our engineering team for fixing and deployment. 

Data Security

Data Hosting

Uberall’s physical infrastructure is hosted and managed within Amazon’s secure data centers. AWS continually monitors its data centers for risks and is subjected to assessments to ensure its compliance with industry standards. Amazon’s data center operations have been accredited under:SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). 

Uberall’s servers are located in Frankfurt/Main (Germany).

Data Encryption

Uberall employs state-of-the-art and highly secure encryption methods for electronic transmission, to meet compliance standards. Data is encrypted via HTTPS and SSL, and secured via a VPN connection. 

• Encryption In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.3) encryption with strong ciphers, for all connections
• At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES)
• All passwords are hashed (blowfish encryption)
• Sensitive data that cannot be hashed are stored in AES-256 encrypted vaults.
• Communication with customers and subcontractors require authentication via access tokens.
• AWS Key Management Service (KMS) is used for secure handling of encryption keys

Data Backup

• Uberall ensures optimal availability and integrity of client data by making backups several times a day and storing them in different locations (SQL or direct snapshot) In addition, each component is redundant and secured by a firewall.
• Uberall has provisions in place to restore services before facing significant losses. Database snapshots can be restored at any point in time. The infrastructure can be restored within a few hours through highly automated procedures. 
• All backups are encrypted with AES-256. 

Anonymization of data

• Uberall anonymizes IP addresses wherever they’re collected.
• Uberall anonymizes customer email addresses for dev usage in non-production systems.
  

Human Resources Practices

• Security Awareness Training - All employees undergo mandatory training on security and data handling to ensure they uphold their responsibility in protecting customer data.
• Developer Training - All engineers are provided with training in accordance with OWASP best practices for security-first programming.