Security architecture and policies

At Etlworks, our most important job is to keep your data safe along the way.

Policies

• Privacy policy.
• GDPR.
• DPA.
• Incident Response Plan.

Infrastructure

• Etlwork's servers are hosted in Amazon Web Services, Azure and Google Cloud, which provide assurances for their physical and virtualized computing environments, including SOC 1, 2, and 3, and ISO/IEC 27001.
• Etlworks operates within Virtual Private Cloud (VPC), with subnets segregated by security level and firewalls configured to restrict network access.
• Etlworks regularly performs automated vulnerability scans and installs security updates and patches.
• Etlworks applications and infrastructure are regularly audited by third-party security professionals conducting specialized penetration tests.

Security Audit

From time to time, we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.

Perimeter Protection

Perimeter security addresses security at the periphery of any private network, right where it connects to the public Internet. Firewalls and other elements of the perimeter protection infrastructure enforce access control policies that govern which information enters and leaves the network. 

We install and configure the following elements of the perimeter protection infrastructure:

• System firewall
• Reverse proxy server
• Load balancer

Perimeter protection policies

• We use only SSL Connections.
• We open only port 443 for inbound traffic.
• We terminate SSL Connections on the last element of the perimeter protection infrastructure: the load balancer.
• For inbound and outbound emails, we use a trusted enterprise-level third-party service, with manually configured spam filters.

Authentication and Access Control

User Authentication

You must be authenticated to access any of the resources within the Etlworks Integrator, including but not limited to:

• Elements of the interface.
• Functions, such as the ability to create Flows and Connections, run Flows, etc.
• API endpoints.

We use JWT-based security, which is completely stateless and does not use sessions or cookies.

Two-factor authentication

Two-factor authentication adds an extra layer of security on top of your username and password when logging into the Etlworks Integrator. It requires verification of the log in through a second linked device, such as Google Authenticator.

Read how to enable two-factor authentication for the Etlworks Integrator log in.

Single Sign On (SSO)

Single sign-on (SSO) allows you to give your team members one account for all of the systems your business uses. If you have an Etlworks Enterprise or on-premise account and have SSO set up for your business, you can require users to log in to Etlworks using their SSO credentials.

Etlworks uses a third-party service miniOrange for SSO integration.

Read how to configure SSO in Etlworks.

Access Control

The Etlworks Integrator implements role-based access control (RBAC). In Role-Based Access Control, access decisions are based on an individual's roles and responsibilities within the user base.

In the Etlworks Integrator, each user can be assigned only one role.

The following roles are available:

• SuperAdmin: has unrestricted system access.
• Administrator: has full control over data; can create, edit, delete, execute Flows, Connections, and Formats and manage users.
• Editor: the same as Administrator, but cannot manage users.
• Operator: can view and run Flows/Schedules and view execution statistics.
• Viewer: can only view Flows, Schedules, and execution statistics.
• API User: a role for making authenticated calls to user-defined API endpoints (Listeners) that sees nothing in the system except their own API messages.

Authentication policies

• Strong passwords are enforced.
• JWT tokens are short-lived and they automatically expire.
• The user registration is invitation-based. New users must complete the registration in the Etlworks Integrator after receiving an invite by email. 
• It is required to have a real email address in order to sign up for the service or create a new user.

Encryption

Etlworks classifies your data and credentials as our most critical assets. We strictly control access to data and credentials and require them to be encrypted using industry-standard methods both at rest and in transit within our environment.

Encryption during transmission

The Etlworks Integrator web application uses encrypted communication. HSTS is used to ensure browsers always encrypt all communication with the Etlworks Integrator.

The Etlworks Integrator offers secure options for making Connections to all data sources and destinations, including SSH tunneling, SSL/TLS, and IP whitelisting. In addition, the Etlworks Integrator exclusively uses HTTPS for all web-based data sources. 

Encryption of credentials

In the Etlworks Integrator, all credentials, including JWT tokens, are encrypted using industry-standard methods by a strong encryption algorithm.

File encryption using PGP

Read more on how to encrypt files using the PGP algorithm.

Protection for the API endpoints

All API endpoints in the Etlworks Integrator, including the private ones, are protected by short-lived JWT tokens.

Logs and notifications

The Etlworks Integrator provides direct access to logs from data integration Flows for auditing and sends notifications to users when error conditions are encountered.

Data protection

Customer Data

When you subscribe to our service, we ask you to enter contact information, such as a valid email address. We keep it in our database, which is completely isolated from the Internet.

When you place an order with us, we redirect you to our payment processor, where you will continue entering sensitive/credit information over a secure SSL Connection.

Credit Card Data

At no time do we store your credit card details on our servers. Our payment processor, Stripe, handles payment processing on our behalf. Stripe ensures that all relevant compliance, such as PCI, is met.

None of our staff, including management, have access to your credit card info.

Read our privacy policy for more information.

Application Data

Our data protection policy is very simple –– we don’t have access to your data at all unless you opt in to store it on our servers.

Backups

Your data is safe with us. We take frequent backups and regularly ensure that a recent backup can be restored. Access to backups is guarded with a combination of 2FA, password managers, encryption at rest, and tight access rules.

Data protection policies

• We always encrypt credentials.
• We never send credentials to a web browser, so there is no way to view them anywhere in the Etlworks Integrator.
• Etlworks educates employees about their role in keeping customer data safe and mandates policies that protect your data.

Application security

• Etlworks monitors application, system, and data access logs within its production environment for anomalous behavior.
• Etlworks maintains documented policies and procedures for handling security incidents, including timely notifications to affected customers in case of a verified data breach.

Security Incidence Response 

Etlworks Security Incidence Response Plan. 

Responsible Disclosure

We welcome whitehat security researchers and will gratefully receive reports of suspected security problems.

We ask you to refrain from the following:

• attempts to modify or destroy data
• attempts to interrupt or degrade the services we offer to our customers
• attempts to execute a Denial Of Service (DOS) attack
• attempts to access a user’s account or data
• violating any applicable law

Acknowledgment Program

We don’t offer bug bounties. However, we acknowledge contributions here on our site.

Only the first researcher to report a specific qualifying issue is eligible for acknowledgment. Whether an issue is a qualifying issue, as well as eligibility for acknowledgment, are decisions taken by us at our discretion.

We reserve the right to cancel this program at any time without notice.

How to report issues

Report security vulnerabilities to support@etlworks.com. Once we’ve received your email, we’ll work with you to make sure that we completely understand the scope of the problem and keep you informed as we work on the solution.