Moesif also acknowledges that no environment can guarantee absolute security. We recommend not sending any sensitive data such as ePHI (electronic Protected Health Information) or data covered by PCI DSS (Payment Card Industry Data Security Standard). Our open-source SDKs support masking any sensitive API data before it even leaves your application.
Management API tokens are also signed using the HMAC SHA-256 algorithm, can be limited to specific resource scopes, and can have a specified token expiration date. Please follow the principle of least privilege and add only the minimum scopes that you need for the access token. If you need a short-lived token to perform certain maintenance tasks, create a token that expires in hours or days.
The Collection API, Management API, and moesif.com web portal all use SSL with Transport Layer Security (TLS) 1.2 and the latest SHA-256 algorithm to encrypt all network traffic. Moesif’s SSL implementation received an “A” on Qualys’ SSL Labs. All of our open-source SDKs and agents are configured to use HTTPS.
Encryption at Rest
Moesif encrypts customer data at rest, both production data and backups, using 256-bit AES encryption wherever possible. Data is stored only in the cloud at Azure and AWS, which further provide fault tolerance and strong access control to physical machines. However, we don’t simply rely on AWS and Azure for security; we implement our own access control.
Snapshots of critical data stores are made multiple times per day and redundantly archived in Azure Blob Storage / AWS S3. These backups are regularly tested. Moesif also backs up all streaming data to ensure no data loss will happen for any events that occur after a snapshot.
Data Storage Location
Moesif customer data at rest currently resides in the United States of America.
The Moesif platform runs on hardened hosts with tightened security groups, role-based access controls, and isolated virtual networks. A business reason must exist before employees or management are granted access to a portion of the production infrastructure. Employees engaged in customer service can access a web portal with access to customer data similar in structure to the Moesif end user portal. Access to this system requires 2FA and is logged.
Moesif has security policies in place for company laptops and workstations, which include full disk encryption and automatic locking of workstations when left unattended.
To prevent phishing scams or other cyber attacks, Moesif has deployed DMARC which builds on existing mechanisms like DKIM and SPF to detect and prevent email spoofing. Moesif also keeps logs on such spoofing attempts.
Our critical accounts (AWS, Azure, Google, GitHub, etc.) enforce mandatory 2FA for all employees and management. SMS 2FA is discouraged in favor of other 2FA methods. If a service allows non-SMS-based 2FA to be enforced, we make it mandatory. Moesif does everything it can to use company-provided password managers and never shares passwords across accounts.
Credit card and payment information is held by our payment providers, Stripe and Chargebee. Moesif does not store any payment information. If you signed up via a partnership program that integrates billing such as GitHub or Azure, your payment information may be held at that partner instead of our own payment providers.
Moesif uses the Auth0 service for user authentication. Auth0 is a service dedicated to secure authentication for companies like Moesif. They never store passwords in plaintext in data stores, and ensure all passwords are hashed and salted via bcrypt. More information on Auth0’s security can be found here.