Security

Overview

Security is one of our biggest priorities here at Story Pro. On this page, we have provided information about the security of your data, our general security practices, and how you can reach a member of the security team if you have questions that haven’t been answered below.

How we protect your content

Our infrastructure runs entirely on Heroku and Amazon Web Services (AWS), which deliver infrastructure as a service with strong security capabilities.

ISO 27001 compliant data centers

The data centers used for storing your content and allowing it to be delivered to your users are also certified for compliance with the ISO 27001 standard.

Data storage and encryption at rest

Your data is encrypted at rest with AES-256 block-level storage encryption. Keys are managed by Amazon, and each volume's key is stable for the lifetime of that volume.

Encryption in transit

All communication between you, your services, and Story Pro, including your data, traverses the Internet as encrypted HTTPS traffic using TLS v1.2. Data is also encrypted in transit between Story Pro and our Content Delivery Networks (CDNs). Encrypting these connections ensures that information cannot be read or manipulated by unauthorized third parties.

Backups

All of our data is backed up daily: files are copied to object-locked S3 buckets and databases receive daily backups, both with a guaranteed 30-day retention period.

Access to data

Access to your data is highly restricted. We have hand-picked and trained support staff and engineers on support duty who, with your explicit permission, can help fix your problem by accessing only the affected data you authorize. These actions are recorded, audited, and monitored.

Physical security

We are a cloud-native service, so we do not operate data centers of our own. Physical security of our servers and of your data is covered by AWS's security certifications. Physical security at our offices is governed by our security program.

Security groups

Networking in the cloud is very different from a traditional data center. All communication to and from our servers is controlled by tightly scoped security groups, an AWS feature that provides stateful firewalling.

Web Application Firewall

Applications exposed to the Internet are constantly under attack. One of the protections in place for our applications is the Heroku firewall, which includes DDoS mitigation and protection against spoofing and sniffing.

Threat detection

Using AWS GuardDuty, we monitor and respond to threats as they happen. We detect inbound and outbound connections to and from known malicious IP addresses, unusual or unauthorized activity in our AWS accounts, and much more.

Secure Headers

To protect our users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS) and constantly monitor our SSL/TLS configuration rating. We target a minimum of an A grade for all our general domains and an A+ for all domains under our full control.
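An HSTS policy only protects users if the header is present, well-formed and long-lived, so a practical way to monitor the "Secure Headers" posture described above is to check the header value against the criteria a TLS rating service looks for. The following is an added example, not Story Pro's code: it parses a `Strict-Transport-Security` value and reports findings. The thresholds (one-year `max-age`, `includeSubDomains`, `preload`) and the sample header values are assumptions constructed for the example.

```python
"""Check a Strict-Transport-Security (HSTS) header value against common
hardening criteria. Added example, not Story Pro's code; the thresholds
below are assumptions matching what TLS rating services typically expect
for a top grade."""

from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a strong policy


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse HSTS directives (RFC 6797): ';'-separated, names case-insensitive."""
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                max_age = int(value)
            except ValueError:
                max_age = None  # malformed value: browsers ignore the header
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(header_value: Optional[str]) -> list:
    """Return a list of findings; an empty list means the policy meets the
    hardened criteria assumed here."""
    if header_value is None:
        return ["HSTS header missing: browsers will still accept plaintext HTTP"]
    policy = parse_hsts(header_value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age missing or malformed: header is ignored by browsers")
    elif policy.max_age == 0:
        findings.append("max-age=0 disables HSTS and clears any cached policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains remain reachable over HTTP")
    if not policy.preload:
        findings.append("preload absent: a user's first visit is still unprotected")
    return findings


# Constructed sample header values, as a web server might send them.
SAMPLE_HEADERS = {
    "hardened": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=3600",
    "missing": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, evaluate_hsts(value) or ["policy meets hardened criteria"])
```

In practice the header value comes from an HTTPS response to the domain being monitored; the checker above is the offline part, so it can be run against captured responses in a scheduled job.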

Data Retention Policy

Your data lives on our servers for as long as you need it. Backups are erased after 30 days.

Brute Force Protection

To prevent your account from being compromised by brute-force attacks against our web application and APIs, we implement rate limits and CAPTCHAs.
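Rate limiting of login attempts is the core of the brute-force protection described above. The following is an added example, not Story Pro's code: a sliding-window limiter that counts failed logins per source IP and per account, so that both a single client hammering one account and a password-spraying campaign spread across many IPs are throttled. The limits, the window, and the sample attempts are constructed assumptions for the example.

```python
"""Sliding-window login rate limiter keyed by source IP and by account.
Added example, not Story Pro's code; limits, window and sample data are
assumptions constructed for illustration."""

from collections import defaultdict, deque


class LoginRateLimiter:
    def __init__(self, max_attempts: int = 5, window_seconds: int = 60):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of failed attempts

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, key, now) -> bool:
        """True if an attempt for `key` may proceed at time `now`."""
        self._prune(key, now)
        return len(self._failures[key]) < self.max_attempts

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)

    def record_success(self, key):
        self._failures.pop(key, None)  # successful login clears the counter


def process_attempts(attempts, limiter=None):
    """Run login attempts (time, ip, user, password_ok) through the limiter.
    Returns one decision per attempt: 'ok', 'denied' (wrong password) or
    'throttled' (where a CAPTCHA or temporary lockout would be enforced)."""
    limiter = limiter or LoginRateLimiter()
    decisions = []
    for t, ip, user, password_ok in attempts:
        keys = (("ip", ip), ("user", user))  # limit per source and per account
        if not all(limiter.allow(k, t) for k in keys):
            decisions.append("throttled")
            continue  # password is not even checked while throttled
        if password_ok:
            for k in keys:
                limiter.record_success(k)
            decisions.append("ok")
        else:
            for k in keys:
                limiter.record_failure(k, t)
            decisions.append("denied")
    return decisions


# Constructed sample: one client guessing at one account, then retrying later.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", "alice", False),
    (1, "203.0.113.5", "alice", False),
    (2, "203.0.113.5", "alice", False),
    (3, "203.0.113.5", "alice", False),
    (4, "203.0.113.5", "alice", False),   # fifth failure fills the window
    (5, "203.0.113.5", "alice", True),    # throttled even with the right password
    (70, "203.0.113.5", "alice", True),   # window has expired: allowed
]

# Constructed sample: the same account probed from several addresses.
SPRAY_ATTEMPTS = [(i, f"198.51.100.{i}", "bob", False) for i in range(5)] + [
    (5, "198.51.100.9", "bob", False)      # per-account limit throttles this one
]

if __name__ == "__main__":
    print(process_attempts(SAMPLE_ATTEMPTS))
    print(process_attempts(SPRAY_ATTEMPTS))
```

Keying on both the source address and the account matters: an IP-only limit is bypassed by distributing guesses across addresses, while an account-only limit lets an attacker lock legitimate users out, which is why the throttled branch is where a CAPTCHA, rather than a hard lockout, typically belongs.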

Monitoring and reporting

Access to customer data is logged, as are the commands run in SSH sessions on production systems. This provides an audit trail that can be followed easily in any security audit.

How we keep our service reliable

AWS

Our infrastructure runs on Heroku and Amazon Web Services, with each platform deployed in its own virtual container, minimizing the disruption caused by any single failure and keeping your content constantly available. Load balancers automatically distribute traffic from the Internet across all nodes of our frontend layer.

Auto-scalable Dynos

All our software components run in dyno containers orchestrated by Heroku. Each container has its own set of web workers, a key-value store, and a relational database. Every platform has been designed from scratch to support high volumes of web traffic, and this technology stack, together with a microservice architecture, is the foundation of our high-availability design.

CDN

Our content delivery is served directly by Uploadcare. We use Uploadcare's API heavily for cache population and invalidation, so in the unlikely event that our infrastructure experiences technical difficulties, content can still be served by the CDN and remain online in the meantime.

Distributed denial of service (DDoS) protection

Our web application is protected in multiple ways against denial of service attacks. AWS provides volumetric denial of service protection through AWS Shield and Elastic Load Balancing to ensure high availability. Our security CDN performs application-layer denial of service protection alongside web application firewall protection.

Disaster recovery and business continuity

We use database replication to ensure redundancy and uptime. Encrypted backups are made frequently and stored at a remote location. Each critical service layer has redundant components, such as multiple servers providing the same service and content, so that a failure in one does not affect the rest of the system. The data centers are also equipped with controls that enforce physical security and protect against environmental hazards.

How to report vulnerabilities

Story Pro engages with the community through our Responsible Disclosure Program, also known as our Bug Bounty Program. Our community plays an important role in helping us stay bug-free and secure. Found a vulnerability, or something interesting you would like to report? The best way to reach us is by e-mail at support@storypro.io.