Security and Compliance

We have built our services with security in mind. We meet rigorous standards and regulations to help ensure your data is safe.

Confidentiality

Data Access

Access management

We apply the principle of least privilege, which means that only a limited number of people can access our customers' data. These people are identified by name and every access they make is logged. Access to customer data is only permitted when required for the maintenance of our services or for customer support purposes. Furthermore, the access rights granted are updated and reviewed regularly, and all our staff are bound by a confidentiality clause.

Preservation

Data is automatically purged 25 months after collection. Today, it is not possible to customise the retention period directly in the solution.

Removal

At the end of the contracts, we automatically delete the user accounts from our platform and put the campaigns on hold. You have the option of requesting the removal of data at bounty@flagship.io.

Recovery

AB Tasty's solution offers you the possibility to retrieve data from your test campaigns yourself at any time via its .csv data export feature.

Authentication

Our users have several possibilities to authenticate themselves on our platform:

Simple authentication

The user authenticates using a login/password combination. The password must meet the following complexity requirements:
  • Be composed of at least 12 characters
  • Contain at least 1 upper case letter, 1 lower case letter, and 1 number or special character
  • Be changed at first login
The password is stored in our database in hashed and salted form, i.e. we never store the password in clear text. Even in the event of a data leak, the password cannot be read directly or reused by a malicious person.

Multi-factor authentication

In addition to the login/password pair, the user must enter a code sent by SMS in order to log in to the platform.

Identity federation

Our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.

Permission management

Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorisation model. There are four user roles:
  • Admin: has full rights to the account
  • User: can view and edit all campaigns but does not have access to account management settings
  • Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
  • Viewer: can see all campaigns but cannot update them

Encryption

The data collected is encrypted at rest (AES-256) and in transit (HTTPS/TLS 1.2+). We constantly monitor the market and apply the latest cryptographic standards to ensure the best protection for our users.

Separation of customer environments

The data collected on our clients' sites is stored in a dedicated database to prevent unauthorised access.

Integrity

Change management

AB Tasty wants to offer the best possible product to its clients. That is why our platform is constantly evolving and we regularly deploy new versions. In order to avoid introducing bugs or vulnerabilities during these developments, all changes to our platform are strictly controlled. We have adopted a continuous integration and continuous delivery approach. Each time a developer modifies the platform's source code, the change is reviewed by a peer. A series of unit and functional tests is systematically run in a staging and pre-production environment before a production release.

Checksum

Our solution allows you to easily modify and customise the graphical interface of your sites. These modifications are saved in a file named Tag.js and stored in a secure space. To further enhance the security of the Tag.js, you can check its integrity by comparing its checksum with the checksum we calculated when it was stored in our storage space, which is available through our public API.
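The integrity check described above, as an added example that is not AB Tasty's own code: it assumes the published checksum is a hex SHA-256 (or SHA-512) digest, optionally prefixed with the algorithm name, and leaves the API call that retrieves it to the caller, since the page does not document that endpoint.

```python
"""Verify a downloaded Tag.js against a checksum published by the vendor.

Added example, not AB Tasty code. Assumed: the published value is a hex
SHA-256 or SHA-512 digest; fetching it from the public API is not shown.
"""
import hashlib
import hmac
import re

# Hex digest length identifies the algorithm; SHA-256 is the assumed default.
_ALGOS_BY_HEX_LEN = {64: "sha256", 128: "sha512"}


def normalise_checksum(published: str) -> tuple[str, str]:
    """Return (algorithm, lowercase hex digest) from a published checksum.

    Accepts an optional "sha256:" / "sha512:" prefix and surrounding
    whitespace; raises ValueError for anything that is not a supported digest.
    """
    value = published.strip().lower()
    prefix, sep, rest = value.partition(":")
    algo = None
    if sep and prefix in _ALGOS_BY_HEX_LEN.values():
        algo, value = prefix, rest
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("published checksum is not a hex digest")
    inferred = _ALGOS_BY_HEX_LEN.get(len(value))
    if inferred is None or (algo and algo != inferred):
        raise ValueError("checksum length does not match a supported algorithm")
    return inferred, value


def verify_tag_js(tag_js: bytes, published: str) -> bool:
    """True only if the digest of tag_js equals the published checksum.

    hmac.compare_digest keeps the comparison constant-time, so a mismatch
    does not leak how many leading characters happened to match.
    """
    algo, expected = normalise_checksum(published)
    actual = hashlib.new(algo, tag_js).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample standing in for a real Tag.js download.
    sample = b"(function(){ /* constructed sample tag */ })();\n"
    good = "sha256:" + hashlib.sha256(sample).hexdigest()
    print("intact:", verify_tag_js(sample, good))
    print("tampered:", verify_tag_js(sample + b"x", good))
```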

Availability

Datacenter

Our entire IT infrastructure (applications, network and storage) is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified.

Backups

We make backups of your database instances with a retention period of 7 days. The backups are kept in a different datacenter from the production data.

Disaster Recovery plan

Backups and redundancy of our IT infrastructure in several data centres of our cloud service providers allow us to ensure the availability of our services in the event of a disaster. We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly.

Service Level Agreement (SLA)

AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service. You can check the status of our services in near real time on a dedicated web page.

Traceability

Logging

We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc). Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as elements of investigation in the event of a security incident or as evidence in any legal proceedings.

Security checks

Human resources

Before joining AB Tasty, all our employees have gone through a rigorous recruitment process. Their backgrounds have been checked and we make sure they have the right skills for the job they are about to do. All our employees are subject to a confidentiality clause that continues after their employment contract ends. AB Tasty presents a charter for the proper use of IT resources to all newcomers. This charter is annexed to the internal regulations and is therefore enforceable against all its employees. Any person who does not respect the security rules may be subject to disciplinary measures.

Physical security

Access to AB Tasty's buildings, whether for employees or visitors, is strictly controlled by security devices such as video surveillance, intruder alarms and electronic access badges. We are very committed to respecting the confidentiality of information both inside and outside our facilities. We do not leave any document or confidential information in plain sight. We have strongboxes and shredders for the management of paper documents. The entire IT infrastructure is hosted by our ISO 27001 certified cloud service providers.

Surveillance, audits and remediation of vulnerabilities

In addition to the security controls performed internally by AB Tasty's teams, such as a periodic review of authorizations, we regularly call upon independent security providers to audit our services. Twice a year, we have penetration tests performed to uncover any vulnerabilities and security holes. When such vulnerabilities are discovered, we provide the necessary security patches as soon as possible.

Protection and security devices

All our systems are protected by security devices such as anti-virus, anti-malware and firewalls. Access to our servers and production environment is protected either by strong authentication or by a dedicated administration bastion. Server configurations are hardened. Open services and ports are reduced to the bare minimum to minimise the attack surface and limit our exposure to cyber threats.

Security incident

We inform our customers of any security incident that could impact them directly or indirectly. We have defined a security incident management procedure to prepare ourselves as well as possible for this eventuality. You can report any event or anomaly that may affect data security to the following email address: bounty@flagship.io

Personal Data

Respecting and protecting the privacy of individuals is a very important principle at AB Tasty. That is why we limit the collection of personal data to only that which is essential for the operation of our service, in line with the minimisation principle set out in Article 5(1)(c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). You can find the main measures taken to ensure our compliance with the GDPR and the California Consumer Privacy Act in the F.A.Q. dedicated to personal data here.