Security and Compliance

We have built our services with security in mind. We meet rigorous standards and regulations to help ensure your data is safe. AB Tasty is ISO 27001 certified, meeting international standards for information security management.

Confidentiality

Data Access

Access management

We apply the principle of least privilege, which means that only a limited number of people can access our customers' data. These people are identified by name and every access they make is systematically logged. Access to customer data is only permitted when required for the maintenance of our services or for customer support purposes. Furthermore, the access rights granted are updated and regularly reviewed, and all our staff are subject to a confidentiality clause.

Preservation

Data is automatically purged 25 months after collection. Today, it is not possible to customise the retention period directly in the solution.

Removal

At the end of the contract, we automatically delete the user accounts from our platform and put the campaigns on hold. You have the option of requesting the removal of data at bounty@flagship.io.

Recovery

AB Tasty's solution offers you the possibility to retrieve data from your test campaigns yourself at any time via its .csv data export feature.

Authentication

Our users have several possibilities to authenticate themselves on our platform:

Simple authentication

The user authenticates using a login/password combination. The password must respect the following conditions of complexity:

  • Be composed of at least 12 characters
  • Contain at least 1 upper-case letter, 1 lower-case letter, and 1 number or special character
  • Be changed at first connection

The password is stored in our database in a hashed and salted format, i.e. we never store the password in clear text. Even in the case of a data leak, the password can neither be read nor reused by a malicious person.

Multi-factor authentication

In addition to the login/password pair, the user enters a code sent by SMS to connect to the platform.

Identity federation

Our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.

Permission management

Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorisation model. There are four user roles:

  • Admin: has full rights to the account
  • User: can view and edit all campaigns but does not have access to account management settings
  • Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
  • Viewer: can see all campaigns but cannot update them

Encryption

The data collected is encrypted at rest (AES-256) and in transit (HTTPS/TLS 1.2+). We constantly monitor the market and apply the latest standards in cryptography to ensure the best protection for our users.

Separation of customer environments

The data collected on our clients' sites is stored in a dedicated database to prevent unauthorised access.

Integrity

Change management

AB Tasty wants to offer the best possible product to its clients. That is why our platform is constantly evolving and we regularly deploy new versions. In order to avoid introducing bugs or vulnerabilities during these developments, all changes to our platform are strictly controlled. We have adopted an automated approach to continuous integration and continuous release. Each time a developer modifies the platform's source code, the change is reviewed by a peer. A series of unit and functional tests is systematically run in a staging and pre-production environment before a production release.

Checksum

Our solution allows you to easily modify and customise the graphic interface of your sites. These modifications are saved in a file named Tag.js and stored in a secure space. To further enhance the security of the Tag.js, you can verify its integrity: retrieve, through our public API, the checksum we calculated when the file was deposited in our storage space, and compare it with the checksum of the file you receive.
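The comparison described above, as an added example in Python (this is not AB Tasty's code, and the page does not document the public API that returns the stored checksum, so the example assumes you have already retrieved the published digest as a hex string; the sample tag content is constructed for the demonstration):

```python
import hashlib
import hmac

# Constructed sample of a customised tag file; not AB Tasty's real Tag.js.
SAMPLE_TAG_JS = b"(function(){var t=window.ABTasty||{};t.version='42';})();\n"


def compute_checksum(data: bytes, algorithm: str = "sha256") -> str:
    """Return the lowercase hex digest of the tag bytes (SHA-256 by default)."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def normalise_published(published: str) -> str:
    """Accept the published value as 'abc…', 'ABC…' or 'sha256:abc…' (assumed formats)."""
    value = published.strip().lower()
    if ":" in value:
        value = value.split(":", 1)[1]
    return value


def verify_checksum(data: bytes, published: str, algorithm: str = "sha256") -> bool:
    """True only if the digest of `data` equals the published checksum.

    A mismatch means the file you are serving is not the one that was deposited
    (corrupted in transit, stale cache, or modified), so it should not be served.
    compare_digest is used out of habit for digest comparison.
    """
    expected = normalise_published(published)
    actual = compute_checksum(data, algorithm)
    if len(actual) != len(expected):
        return False
    return hmac.compare_digest(actual, expected)


def main() -> None:
    # Stand-in for the value the public API would return for this deposit.
    published = compute_checksum(SAMPLE_TAG_JS)
    print("served copy intact:", verify_checksum(SAMPLE_TAG_JS, published))

    # A copy with one extra statement appended no longer matches.
    tampered = SAMPLE_TAG_JS + b"t.debug=true;\n"
    print("tampered copy intact:", verify_checksum(tampered, published))


if __name__ == "__main__":
    main()
```

In a deployment pipeline the same check would run against the file as fetched from your CDN or cache, not against the copy in the build directory, since the point is to confirm what visitors actually receive.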

Availability

Datacenter

Our entire IT infrastructure (applications, network and storage) is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified.

Backups

We make backups of your database instances with a retention period of 7 days. The backups are kept in a different datacenter from the production data.

Disaster Recovery plan

Backups and redundancy of our IT infrastructure in several data centres of our cloud service providers allow us to ensure the availability of our services in the event of a disaster. We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly.

Service Level Agreement (SLA)

AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service. You can check the status of our services in near real time on a dedicated web page.

Traceability

Logging

We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc). Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as elements of investigation in the event of a security incident or as evidence in any legal proceedings.

Security checks

Human resources

Before joining AB Tasty, all our employees have gone through a rigorous recruitment process. Their backgrounds have been checked and we make sure they have the right skills for the job they are about to do. All our employees are subject to a confidentiality clause that continues after their employment contract ends. AB Tasty presents a charter for the proper use of IT resources to all newcomers. This charter is annexed to the internal regulations and is therefore enforceable against all its employees. Any person who does not respect the security rules may be subject to disciplinary measures.

Physical security

Access to AB Tasty's buildings, whether for employees or visitors, is strictly controlled by security devices such as video surveillance, intruder alarms and electronic access badges. We are very committed to respecting the confidentiality of information both inside and outside our facilities. We do not leave any document or confidential information in plain sight. We have strongboxes and shredders for the management of paper documents. The entire IT infrastructure is hosted by our ISO 27001 certified cloud service providers.

Surveillance, audits and remediation of vulnerabilities

In addition to the security controls performed internally by AB Tasty's teams, such as a periodic review of authorizations, we regularly call upon independent security providers to audit our services. Twice a year, we have penetration tests performed to uncover any vulnerabilities and security holes. When such vulnerabilities are discovered, we provide the necessary security patches as soon as possible.

Protection and security devices

All our systems are protected by security devices such as anti-virus, anti-malware and firewalls. Access to our servers and production environment is protected either by strong authentication or by a dedicated administration bastion. Server configurations are hardened. Open services and ports are reduced to the bare minimum to minimise the attack surface and limit our exposure to cyber threats.

Security incident

We inform our customers of any security incident that could impact them directly or indirectly. We have defined a security incident management procedure to prepare ourselves as well as possible for this possibility. You can report any event or anomaly that may affect data security to the following email address: bounty@flagship.io

FAQ

Security organization

Do you have an information security policy (ISP)?
Yes, our ISP establishes the general framework that enables us to ensure the protection of the data entrusted to us. It is communicated to all our staff.
It is updated at least once a year and made available to our clients on request.

Do you have any security certifications?
We are ISO 27001 certified.
Moreover, our storage and information processing infrastructure is fully hosted by ISO 27001 and SOC 2 certified cloud service providers.

Is there a specific contact person to deal with security issues?
Our support team answers all questions, including security issues. Depending on the scope of the security issue to be addressed, this team is responsible for referring it to internal experts. We have interlocutors for the following four areas of expertise:

  • Physical security of employees
  • Workplace security and working methods
  • IT development security and infrastructure
  • Legal security

If you want to report an incident, we have a dedicated email address: security@abtasty.com

Have you identified your main security risks? What measures have you taken to reduce them?
To ensure the highest possible level of security for our customers, we decided to implement an Information Security Management System (ISMS) in accordance with the ISO 27001 standard.
We regularly carry out a risk analysis of our information system in which each identified risk is addressed and included in our risk treatment plan.

Security indicators allow us to control and monitor the level of identified risks until they reach an acceptable level.

Human resources security
Is your staff made aware of information security?

When they join AB Tasty, all our employees are made aware of and trained in the company’s culture and working methods. We systematically present our IT charter, which summarizes all the rules and best practices in terms of information security. We also remind them of these security rules in newsletters sent by the AB Tasty IT team.

Are all the people who have access to your clients’ data subject to a confidentiality clause?

All our employees are subject to a confidentiality clause in their employment contract. We also have all our partners who may have access to confidential data sign a non-disclosure agreement.

Do you have any sanctions for non-compliance with security rules?

Our IT charter, which summarizes all the security rules applicable in the company, is appended to AB Tasty’s internal regulations and is therefore enforceable against all our staff. A disciplinary process is provided for in the event of a breach of security rules.

Security of accesses
Is the connection to the AB Tasty platform secure?

Yes, all connections to our platform are made in HTTPS via the TLS 1.2 protocol. It is also possible to activate multi-factor authentication (MFA). A code sent by SMS will be requested from users to log in to their account.

What is the password policy?

The user authenticates with a login/password pair. The password must meet the following complexity requirements:

  • Be at least 12 characters long
  • Contain at least 1 upper-case letter, 1 lower-case letter, and 1 number or special character
  • Be changed on first login

The password is stored in our database in a hashed and salted form; we never store the password in clear text. Even in the event of a data leak, the password cannot be read or reused by a malicious person.
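The password rules and the "hashed and salted" storage are described twice on this page (in the Simple authentication section and in this FAQ answer). As an added example that serves both passages, the Python below implements the three complexity rules as listed and shows what salted hashing means in practice: a fresh random salt per password, a slow key-derivation function, and verification that recomputes the hash rather than decrypting anything. This is not AB Tasty's code; the PBKDF2-HMAC-SHA256 scheme, the iteration count and the stored-record layout are illustrative assumptions, not the platform's actual parameters.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                 # rule 1 from the policy on this page
PBKDF2_ITERATIONS = 600_000     # assumption: illustrative work factor, not AB Tasty's value
SCHEME = "pbkdf2_sha256"        # assumption: record format is scheme$iterations$salt$digest


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("at least 1 upper case letter")
    if not re.search(r"[a-z]", password):
        failures.append("at least 1 lower case letter")
    # The page phrases the last rule as "1 number or special character":
    # either kind satisfies it.
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("at least 1 number or special character")
    return failures


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted hash for storage. A new 16-byte salt is drawn for every call,
    so two users with the same password get different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time.
    The clear-text password is never recoverable from `stored`; we can only test a guess."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def enrol_user(password: str) -> dict:
    """Model the account creation step: enforce the policy, store only the hash, and flag
    the account so the password must be changed at first login (rule 3 on this page)."""
    failures = check_password_policy(password)
    if failures:
        raise ValueError("password rejected: " + "; ".join(failures))
    return {"password_hash": hash_password(password), "must_change_password": True}


if __name__ == "__main__":
    record = enrol_user("Correct-Horse-42")          # constructed sample password
    print(record["password_hash"][:40] + "...")
    print("login ok:", verify_password("Correct-Horse-42", record["password_hash"]))
    print("wrong case:", verify_password("correct-horse-42", record["password_hash"]))
    print("weak password fails:", check_password_policy("alllowercaseletters"))
```

The record stores the iteration count alongside the salt so the work factor can be raised later for new hashes without breaking verification of old ones.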

Is it possible to authenticate through an identity federation solution?

Yes, our platform is SAML v2 compliant, so you can use your own identity federation solution to authenticate.

What are the different user profiles? How are their access rights managed?

Permissions within the solution are granted according to the RBAC (Role Based Access Control) authorization model. There are 4 user statuses:

  • Admin: has full rights to the account
  • User: can view and edit all campaigns but does not have access to account management settings
  • Creator: can see all campaigns and can update non-sensitive information. However, this profile cannot play/pause a campaign or delete data from that campaign
  • Viewer: can see all campaigns but cannot update them

Who can access the data collected by AB Tasty solution?

We apply a very strict access policy regarding data access (principle of least privilege). At AB Tasty, only our devops team can access the data collected by our solution.

How do you ensure that only specifically authorized persons access the data?

Access rights to data are granted to named individuals: we always know the identity of the person authorized to access the data from a given user account. The rights granted to users are regularly updated; a review is carried out at least once a quarter.

Do you keep data access logs?

Yes, we keep a record of all data access.

Physical and environmental security
Is access to AB Tasty’s premises restricted to authorized persons?

Access to AB Tasty’s premises is controlled by an electronic badge access system, assigned by name.

Is visitor access monitored?

Access to visitors is strictly controlled. Their identity is checked, their presence on the site is recorded in a register, they are given a visitor’s badge and they are constantly accompanied.

Is the premises access monitored?

An anti-intrusion alarm system is installed. It is remotely operated by a specialized security company.

Have you established security rules to maintain the confidentiality of information in the workspace?

AB Tasty enforces the “clean desk” policy. No physical media (paper, removable drives, printouts) are left on desks, in meeting rooms or on the printer in the absence of the owner. Confidential paper documents are kept in a secure cabinet and shredded if they are to be disposed of. No screens or boards are visible from a window outside the premises.

How do you protect your technical premises (computer rooms)?

All IT infrastructure is hosted in data centres managed by our ISO 27001 and SOC 2 certified cloud service providers.

Data security
Is the data encrypted?

All the data we collect is encrypted in transit (via TLS 1.2) and at rest (in AES-256).

Is the data separated from that of other customers?

All data collected on our clients’ sites is stored in a dedicated database to prevent unauthorized access.

How long do you keep the data collected on your clients’ sites?

In accordance with the provisions of the GDPR and e-Privacy, we retain the data collected for a maximum period of 25 months. It is automatically deleted after this period.

Do you offer an export function for the data?

Test campaign data can be exported in .csv format directly from the AB Tasty platform by users only.

If the service is discontinued, what guarantees do you offer regarding the return and deletion of your customers’ data?

Our clients have the possibility to export the data of their test campaigns directly from the application at any time during the contract period.
At the end of the contract, we automatically delete the user accounts from our platform and put the campaigns on hold.
Our customers have the possibility to make a request for deletion of the data to legal@abtasty.com.

What guarantees do you provide on the availability of services?

AB Tasty contractually guarantees the availability of its services. The guaranteed service levels can be consulted in the appendix of the general terms of service.

How can one check that you are fulfilling your commitments?

You can check the status of our services in near real time on a dedicated web page: https://status.abtasty.com

Is the data backed up?

We make a daily backup of all data generated by visitors to your site(s), with a retention period of 7 days.

Are the backups secure?

Backups are systematically stored on a different site from the production data, encrypted and their access is strictly limited.

Are restoration tests carried out regularly?

We regularly perform restoration tests on our test environments.

Do you have a disaster recovery plan?

We have a disaster recovery plan in place. The backups and redundancy of our infrastructure enable us to ensure the availability of our services in the event of a disaster.
In addition, our entire IT infrastructure is based on cloud service providers (AWS and Google Cloud) that meet the best market standards and are ISO 27001 and SOC 2 certified. They themselves have a disaster recovery plan.

Have you defined targets for maximum allowable downtime and maximum allowable data loss (RTO/RPO)?

The maximum allowable downtime and maximum allowable data loss are defined in the AB Tasty Disaster Recovery Plan.

Do you regularly test your DRP?

We test our disaster recovery plan at least once a year to ensure that the recovery procedures and the defined organisation are working properly and allow us to ensure the availability of our services in case of a disaster.

Secure development
How do you ensure that changes to the source code of your solution do not introduce bugs or security holes?

The development cycle of our solution follows a continuous integration and deployment approach. This approach allows us to ensure continuous monitoring of changes to the source code, from the integration and testing phase all the way through to deployment in production. All modifications to the source code are systematically reviewed by at least two developers and unit tests are used to ensure that the code is executed correctly.

Do you use secure development frameworks?

We use the Symfony and React development frameworks, in versions that are systematically maintained in operational security conditions.

Is your team of developers trained in secure development?

Our developers are made aware of and trained on the security flaws presented in the OWASP Top 10. A training platform is available to our teams, where they can train on the subjects of their choice, including secure development.

Malware protection and vulnerability management
How do you protect yourself against malware?

All our systems are protected by daily updated antivirus software.
Our IT team monitors current cyber security issues and the main security flaws that can impact our IT systems.
We monitor the status of our computers and systems and systematically apply the available security patches.
All software authorized in production is maintained in operational security condition by its publisher.
When a security vulnerability is reported to our teams, either through our security monitoring or through external audits, it is corrected as soon as possible.

Logging
What system and network events do you log?

We keep track of all data accesses. The minimum information recorded is the date, time, origin of the action (the user or the resource) and the type of operation (insert, update, delete, etc).

How long are the logs retained?

We keep the logs for 12 months.

Who can access the logs?

Access to the logs is limited to the strict minimum in order to preserve their integrity and so that they can be used as investigative material in the event of a security incident or as evidence in any proceedings.

Networks and Infrastructure
How do you ensure the security of your production environments?

Our IT infrastructure is an “as code” infrastructure. All resources (servers, network instances, security groups, firewall rules, etc.) are described in configuration files, which allows us to automate the deployment of our solutions and ensure a high level of availability for our customers.
This reduces the risk of human error or misconfiguration. As the infrastructure code is versioned, it is possible to go back in time in case of a deployment error.
We also constantly monitor the status of our instances in production using dedicated dashboards (via the Grafana tool).
Finally, all communication flows within our production environments are encrypted.

How do you ensure the security of maintenance and administration operations in your production environments?

Maintenance and administration of our production environment is carried out solely by our devops staff.

Access to the administration interfaces is always protected, either by an administration bastion or by a two-factor authentication system.

Confidentiality and integrity of administration operations are ensured by the implementation of strong encryption protocols (SSL/TLS).

Management of external service providers
Are your external providers subject to security and confidentiality clauses?

All our service providers are subject to confidentiality clauses (Non-Disclosure Agreement). In addition, in the case of sensitive services or if the service provider must have privileged access, specific security clauses are included in the contract.

Are your providers subject to special monitoring?

When the service requires access to our information system, this access is monitored and limited in time.

Contracts with our most sensitive suppliers include security and auditability clauses. We regularly check the compliance of our suppliers and service providers with their contractual commitments.

Security incident management
Do you have a procedure in place in case of a security incident affecting your customers?

We inform you of any security incident that could impact you directly or indirectly. We have defined a security incident management procedure to prepare us as well as possible for this eventuality.

How and when do you communicate about security incidents?

In the event of a security incident affecting you, we will notify you of the incident as soon as possible, using the contact details you provided and identified as your point of contact when you signed the contract.

How can I reach your security team to discuss a security incident?

You can report any event or anomaly that may have an impact on data security to the following email address: support@flagship.io

Audits and compliance
Do you have your information system regularly audited?

As part of our ISO 27001 certification, our information security management system is fully audited every 3 years. A follow-up audit is also carried out every year.

Is the security of your solutions regularly tested?

Twice a year, we conduct penetration tests to uncover potential security vulnerabilities in our systems and software solutions. When such flaws are discovered, we provide the necessary security patches as soon as possible.

Do you communicate audit results or reports?

We will provide penetration test certificates if you request them.

Do your customers have the possibility to perform or have performed security audits and penetration tests on their own initiative?

The terms and conditions for carrying out security audits and penetration tests at the client’s request are determined contractually. In all cases, these can only be carried out with our prior agreement and on a scope which, by nature, excludes our hosts.
