Security at Moesif

Moesif has implemented strong security processes throughout the platform and organization. The protection of your data is taken very seriously. The founding team are engineers whose experience ranges from securely applying microcode patches at Intel to processing and storing sensitive payment data at Microsoft. We have also implemented a detailed privacy policy that is available for review.

Moesif also acknowledges that no environment can guarantee absolute security. We recommend not sending sensitive data such as ePHI (electronic Protected Health Information) or data subject to PCI DSS (the Payment Card Industry Data Security Standard). Our open-source SDKs support masking any sensitive API data before it even leaves your application.

API Tokens

All Collector API tokens for data ingestion are write-only tokens that are signed using HMAC SHA-256. These tokens are safe to put in untrusted apps such as Android APKs (which can be disassembled) and browser JavaScript without fear of unauthorized access to your data.

Management API tokens are also signed using the HMAC SHA-256 algorithm; they can be limited to specific resource scopes and can be given an expiration date. Please follow the principle of least privilege and add only the minimum scopes that you need for the access token. If you need a short-lived token to perform certain maintenance tasks, create a token that expires in hours or days.
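As an added illustration (not Moesif's code and not its real token format), the Python below shows how a server can verify HMAC SHA-256 signed tokens that carry scopes and an optional expiry, so a write-only collector token embedded in a client cannot be altered to gain read access, and a scoped management token stops working once it expires. The token layout, scope names and key are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Hypothetical token format (an assumption for this example, not Moesif's actual format):
#   base64url(JSON payload) + "." + base64url(HMAC-SHA256(payload, server_key))
# The payload carries the token's scopes and an optional expiry "exp" (Unix seconds).

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, scopes, expires_in=None, now=None):
    """Server-side issuance: the signature binds scopes and expiry so the holder cannot change them."""
    payload = {"scopes": sorted(scopes)}
    if expires_in is not None:
        payload["exp"] = (now if now is not None else int(time.time())) + expires_in
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)

def verify_token(key, token, required_scope, now=None):
    """Accept only if the signature is valid, the token is unexpired, and it carries required_scope."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64url_decode(body_b64), _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison avoids timing leaks
        return False
    payload = json.loads(body)
    exp = payload.get("exp")
    if exp is not None and (now if now is not None else int(time.time())) >= exp:
        return False
    return required_scope in payload.get("scopes", [])

def demo():
    key = b"constructed-server-secret"  # constructed for the example; real keys live in a secret store
    collector = issue_token(key, ["events:write"])  # write-only, safe to ship in a client
    mgmt = issue_token(key, ["events:read"], expires_in=3600, now=1000)  # short-lived, read scope
    # A client that tries to rewrite the payload to claim read scope keeps the old signature.
    forged = _b64url(b'{"scopes":["events:read"]}') + "." + collector.split(".")[1]
    return {
        "collector_can_write": verify_token(key, collector, "events:write"),
        "collector_can_read": verify_token(key, collector, "events:read"),
        "forged_read_rejected": not verify_token(key, forged, "events:read"),
        "mgmt_valid_before_exp": verify_token(key, mgmt, "events:read", now=2000),
        "mgmt_rejected_after_exp": not verify_token(key, mgmt, "events:read", now=5000),
    }
```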

Moesif creates unique keys for each use case. Those keys are not reused for unrelated purposes.

SSL

The Collection API, Management API, and moesif.com web portal all use SSL with Transport Layer Security (TLS) 1.2 and SHA-256 to protect all network traffic; Moesif's SSL implementation received an "A" rating from Qualys SSL Labs. All of our open source SDKs and agents are configured to use HTTPS.

Encryption at Rest

Moesif encrypts customer data at rest, both production data and backups, using 256-bit AES encryption. Linux volumes are encrypted using dm-crypt, and encryption keys are stored in Azure Key Vault. Data is stored only in the cloud on the Microsoft Azure platform, which further provides fault tolerance and strong access control to physical machines. However, we don't simply rely on Azure for security and implement our own access control.

Backups

Snapshots of critical data stores are made multiple times per day and redundantly archived in Azure Blob Storage. These backups are regularly tested. Moesif also backs up all streaming data to ensure no data loss occurs for events that arrive after a snapshot.

Data Storage Location

Moesif customer data at rest currently resides in the United States of America.

Server Infrastructure

The Moesif platform runs on hardened hosts with tightened security groups, role-based access controls, and isolated virtual networks on the Microsoft Azure platform. A business reason must exist before employees or management are granted access to any portion of the production infrastructure. Development environments do not have access to production data stores or virtual networks. Employees engaged in customer service can access a web portal with access to customer data similar in structure to the Moesif end user portal. Access to this system is logged.

Moesif uses Azure Active Directory for role-based access control (RBAC), with 2FA required. Moesif disables SSH password authentication on production Linux machines.

Workstations

Moesif has security policies in place for company laptops and workstations, which include full disk encryption and automatic locking of workstations left unattended. Mobile devices are protected with Mobile Device Management (MDM).

Email

To prevent phishing scams and other cyber attacks, Moesif has deployed DMARC, which builds on existing mechanisms like DKIM and SPF to detect and prevent email spoofing. Moesif also keeps logs of such spoofing attempts.

Passwords

Our critical accounts (AWS, Azure, Google, GitHub, etc.) enforce mandatory 2FA for all employees and management. SMS 2FA is discouraged in favour of other 2FA methods; if a service allows non-SMS 2FA to be enforced, we make it mandatory. Moesif uses company-provided password managers wherever possible and never shares passwords across accounts.

Payment Information

Credit card and payment information is held by our payment providers, Stripe and Chargebee. Moesif does not store any payment information. If you signed up via a partnership program that integrates billing such as GitHub or AWS, your payment information may be held at that partner instead of our own payment providers.

User Security

Moesif uses the Auth0 service for user authentication. Auth0 is a service dedicated to secure authentication for companies like Moesif. They never store passwords in plaintext in data stores, and ensure all passwords are hashed and salted via bcrypt. More information on Auth0's security can be found here.

Reporting an Issue

If you believe you've discovered a bug in Moesif's security, please get in touch at security@moesif.com and we will get back to you within 24 hours, and usually earlier. Our PGP key is provided below in case you need to encrypt communications with us. We request that you not publicly disclose the issue until we have had a chance to address it.

Please include:

  • A summary of the problem
  • A severity rating of 1 - 5 (1 being least severe, 5 being most severe, i.e. you can easily hijack, impersonate or access any other account or data)
  • A PoC or breakdown of how to replicate the issue
  • The operating system name and version, as well as the web browser name and version, that you used to replicate the issue

PGP

If you plan to include tokens or any sensitive information, please kindly use PGP to encrypt your email.

Download PGP Key