Security


Security is of paramount importance at Caribou. We are registered with the Information Commissioner’s Office in the UK, and treat all personal information as per the ICO’s recommendations.

Services & Infrastructure

  • Caribou hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS best practices which allow us to take advantage of their secured, distributed, fault-tolerant environment. To find out more information about AWS security practices, see here.
  • All access to Caribou websites is restricted to HTTPS encrypted connections.
  • All Caribou services use encryption in transit.
  • Caribou uses database backups. On an application level, we produce audit logs for all activity, forward logs to centralized storage (AWS CloudWatch) for analysis.
  • All data held in Caribou’s databases and databases backups is encrypted at rest using the industry-standard AES-256 encryption algorithm.
  • We use AWS Cognito. See their security practices here
  • We use AWS CloudTrail to monitor API and account activity.
  • We utilize AWS Secrets Manager for protecting and rotating our secrets.
  • Caribou enforces policies that require 2-factor authentication (2FA) on GitHub and AWS to ensure access to cloud services is protected.
  • We use security static and runtime analysis tools like Snyk, AWS inspector, AWS GuardDuty, AWS Security Hub, AWS Access Analyzer and AWS Detective to continuously scan for vulnerabilities.
  • Caribou supports single-sign-on (SSO) via GitHub.com for authentication.

Data and Access to repositories

  • We require the minimum set of GitHub permissions that Caribou needs to function:
    • Read access to the code.
    • Read access to pull requests.
    • Read access to the user email.
  • All access to source code repositories is performed using encrypted connections via TLS. Access to private repositories is obtained via a token. Caribou never writes to repositories.
  • Caribou does not persist source code files. The system only retains the source files for the duration of the analysis and then deletes them immediately. We only persist metadata about the progress of the migration to our database.
  • Access to any customer data is limited to authorized employees who require it for their job.

Disclosure policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@hellocaribou.com. We will acknowledge your email within three business days. Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within five business days of disclosure.

Please make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Caribou service. Please only interact with accounts you own or for which you have explicit permission from the account holder. We’d also like you to refrain from:

  • Social engineering or phishing of Caribou employees or contractors.
  • Any attacks against Caribou’s physical property or data centers.

Thank you for helping to keep Caribou and our users safe!

Incident response

  • Caribou implements an Incident Response Policy for handling security events which includes escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.
  • We use a software development lifecycle in line with general Agile principles. When security effort is applied throughout the Agile release cycle, security related software defects can be discovered and addressed more rapidly than in longer release cycle development methodologies. Software patches are released as part of our continuous integration process. Caribou performs continuous deployment. In this way, we are able to respond rapidly to both functional and security issues. In this way, Caribou can achieve extremely short mean time to resolution for security vulnerabilities and functional issues alike.

Customer Data Enquiries

In the event of a privacy complaint, Caribou will:

  • Investigate the matter in a commercially timely matter.
  • Report findings of the investigation to the consumer within 5 business days.
  • Provide remediation and support. In the event of a subject access request and for data where the right applies, within 30 calendar days, Caribou will:
  • Ask for enough information to judge whether the person making the request is the individual to whom the personal data relates or the individual’s legal representative. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
  • Ask for information that you reasonably need to find the personal data covered by the request.
  • Let the individual/individual’s legal representative submitting the request know whether any personal data is being processed.
  • Provide the individual/individual’s legal representative with a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people.
  • Give the individual/individual’s legal representative a copy of the information comprising the data; and details of the source of the data (where this is available).

Contact

Caribou is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at security@hellocaribou.com, and our PGP key can be found here

It is the Security Team’s responsibility to see this policy is enforced. Last updated: February 25th, 2022.


Is there anything that doesn’t make sense? Please let us know here