Security architecture

At Etlworks, our most important job is to keep your data safe along the way.

Environment

• Etlwork's servers are hosted in Amazon Web Services and Azure, which provides assurances for their physical and virtualized computing environments including SOC 1, 2, and 3, and ISO/IEC 27001.
• Etlworks operates within Virtual Private Cloud (VPC), with subnets segregated by security level, and firewalls configured to restrict network access.
• Etlworks regularly performs automated vulnerability scans and installs security updates and patches.
• Etlworks applications and environments are regularly audited by third-party security professionals conducting specialized penetration tests.

Perimeter Protection

Perimeter security addresses security at the periphery of any private network, right where it connects to the public Internet. Firewalls and other elements of the perimeter protection infrastructure enforce access control policies that govern which information enters and leaves the network. 

We install and configure the following elements of the perimeter protection infrastructure:

• System firewall
• Reverse proxy server
• Load balancer

Perimeter protection policies

• We use only SSL connections.
• We open only port 443 for inbound traffic.
• We terminate SSL connections on the last element of the perimeter protection infrastructure: the load balancer.
• For inbound and outbound emails, we use a trusted enterprise-level third-party service, with manually-configured spam filters.

Authentication and Access Control

User Authentication

The user must be authenticated to access any of the resources within Integrator, including but not limited to:

• Elements of the interface
• Functions, such as the ability to create flows and connections, run flows, etc.
• API endpoints

We use JWT-based security, which is completely stateless and does not use sessions or cookies.

Two-factor authentication

Two-factor authentication adds an extra layer of security on top of your username and password when logging into Etlworks by requiring verification of the login through a second linked device, such as Google Authenticator.

Read how to enable two-factor authentication for Etlworks login.

Access Control

Integrator implements role-based access control (RBAC). In Role-Based Access Control, access decisions are based on an individual's roles and responsibilities within the user base.

In Integrator, each user can be assigned only one role.

The following roles are available:

• SuperAdmin - has unrestricted system access.
• Administrator - has full control over data; can create, edit, delete, execute flows, connections, and formats and manage users.
• Editor - the same as "Administrator", but cannot manage users.
• Operator - can view and run flows/schedules and view execution statistics.
• Viewer - can only view flows, schedules and execution statistics.
• API User - a role for making authenticated calls to user-defined API endpoints (listeners) that sees nothing in the system except own API messages.

Authentication policies

• Strong passwords are enforced.
• JWT tokens are short-lived and automatically expire.
• The user registration is an invitation-based. New users must complete the registration in Etlworks Integrator after receiving an invite by email. 
• It is required to have a real email address in order to sign up for the service or create a new user.

Encryption

Etlworks classifies your data and credentials as our most critical assets. We strictly control access to data and credentials and require them to be encrypted using industry-standard methods both at rest and in transit within our environment

Encryption during transmission

Etlworks web application uses encrypted communication. HSTS is used to ensure browsers always encrypt all communication with Etlworks.

Etlworks offers secure options for making connections to all data sources and destinations, including SSH tunneling, SSL/TLS, and IP whitelisting. Etlworks exclusively uses HTTPS for all web-based data sources. 

Encryption of credentials

In Etlworks Integrator all credentials, including JWT tokens, are encrypted using industry-standard methods by a strong encryption algorithm.

File encryption using PGP

Read more on how to encrypt files using the PGP algorithm.

Protection for the API endpoints

All API endpoints in Integrator, including the private ones, are protected by short-lived JWT tokens.

Logs and notifications

Etlworks provides direct access to logs from data integration flows for auditing and sends notifications to users when error conditions are encountered.

Data protection

Customer Data

When you subscribe to our service we ask you to enter contact information, such as a valid email address. We keep it in our database, which is completely isolated from the Internet.

When you place an order with us, we redirect you to our payment gateway provider, where you will continue entering sensitive/credit information over a secure SSL connection.

We don't store credit card information on our servers.

Read our privacy policy for more information.

Application Data

Our data protection policy is very simple - we don’t have access to your data at all unless you opt-in to store it on our servers.

Data protection policies

• We always encrypt credentials.
• We never send credentials to a web browser, so there is no way to view them anywhere in Integrator.
• Etlworks educates employees about their role in keeping customer data safe, and mandates policies that protect your data.

Application security

• Etlworks monitors application, system, and data access logs within its production environment for anomalous behavior.
• Etlworks maintains documented policies and procedures for handling security incidents, which include timely notifications to affected customers in case of a verified data breach.