Opendatasoft has created extensive documentation that governs how we organize security, including a security policy. This policy defines our security targets, the associated organization necessary to reach these targets and the associated organizational and technical measures we are taking.
This policy is based on the ISO 27001 and ISO 27002 standards.
Security incident management
In case of a security incident, Opendatasoft has put in place a process and organizational structure to deal with security incidents as quickly as possible. If the incident involves our customers’ data, we commit to notify the affected customers within 48 working hours.
It should be noted that no such incident has been identified in the last three years.
A security inspection is carried out on a daily basis, checking for any vulnerabilities on Opendatasoft’s servers and the software used in our product. If a vulnerability with a major impact is identified, necessary updates are deployed as soon as possible, usually within one day.
Security during development
The Opendatasoft platform is designed around a secure development workflow to ensure code quality before deployment.
Additionally, it is regularly tested in real-world conditions through our Bug Bounty program, enabling us to identify and correct possible defects related to development and/or our infrastructure.
User passwords are stored irreversibly in hashed form with the PBKDF2 algorithm. In addition, we offer customers the opportunity to use a customized Identity Provider (IDP) for the authentication of their users. In this case, accounts (and their passwords) are managed only by this external repository.
Platform security assessment
Opendatasoft performed penetration tests annually for several years until 2018. Since 2019, Opendatasoft launched a private Bug Bounty program on YesWeHack. This program is active and involves 61 security researchers. Since the beginning of the program, 32 vulnerabilities have been identified with the following severity levels: 0 critical, 2 high, 20 medium, 9 low, 1 informative. In addition to our Bug Bounty program, an average of 3 penetration tests a year are mandated by our clients on their platform and their recommendations are taken into consideration to improve the platform’s security.
If you wish to join our Bug Bounty program, you can contact Opendatasoft’s security team at firstname.lastname@example.org.
Access control and configuration
Data access protection
Our client data is protected at three levels:
- at the infrastructure level: our client’s instances and data are are distributed on several independent servers;
- at the logical level: access control within the application only allows access to the domain data;
- at the physical level: the servers’ hard drives are encrypted.
The platform allows fine-tuning of access control and security settings (user management, session duration, authentication with SAML to a third-party identity provider, etc.) by domain administrators.
Access to the platform and actions on the back office are recorded and made accessible independently to our clients. Explore the underlying dataset containing details of access and usage data. This data is kept for up to a year.
Physical and network security
We rely on two cloud providers: Amazon Web Service (AWS) and Outscale.
- Our AWS datacenters are worldwide (Europe – Ireland and Germany; North America – USA and Canada; Australia)
- Our Outscale datacenters are exclusively in France (with guaranteed French hosting from Outscale)
Clients can choose from our existing datacenters and specify the country where their data will be located. For example::
- A client wishing to keep data within the European Union can choose hosting in Ireland or in Germany (via AWS)
- A client wishing to keep data in France can choose hosting in France (via Outscale)
- In the absence of an explicit client preference, Opendatasoft will choose the most relevant datacenter (normally by geographical proximity)
Our infrastructure is duplicated and redundant between our providers’ datacenter zones. This means that the other zone’s infrastructure continues to operate autonomously in the event of a datacenter loss (such as fire, power or network access outage).
Protection for data in transit
Connections to our service are HTTPS encrypted, ensuring that they cannot be intercepted and read by third parties. The HTTPS configuration deployed at Opendatasoft has achieved the highest A+ rating on Qualys SSL Labs.
In addition, a Web Application Firewall (WAF) is deployed on the infrastructure and automatically blocks requests with malicious intent using a set of specific rules.
Data storage protection
Opendatasoft servers have their hard drive encrypted in AES 256 with a random 32 character key. This ensures that being able to access server hard drives does not provide access to the content of our servers.
Similarly, the workstations of Opendatasoft employees are encrypted and external storage is not used in order to guarantee confidentiality of all data handled.