Freename Security Processes
Security
Security Audits: We engage with external cybersecurity firms to conduct periodic and comprehensive audits of our smart contracts and infrastructure. These audits include static and dynamic analysis of our codebase, dependency checks, and penetration testing of our network. For instance the most recent audit for our Smart contracts has been conducted in February 2024 by Resonance Security.
Continuous Monitoring and Incident Response: Our security operations center (SOC) operates 24/7, employing tools like Sentry and Snyk to monitor security logs and alerts across our infrastructure. We have established an incident response protocol that is activated in response to detected anomalies.
Regulatory Compliance and Standards: We adhere to compliance frameworks relevant to our operations and geographical requirements. This includes aligning with NIST guidelines for cybersecurity and blockchain-specific security practices and OWASP best practices for our publicly exposed web applications.
API Access and Authentication Controls:
Authentication: We implement OAuth 2.0 for managing API access. This protocol allows third-party applications to grant scoped access to our APIs without exposing user credentials. OAuth 2.0 also supports token expiration.
Authorization: Access to our APIs is controlled through a combination of role-based access control (RBAC) and attribute-based access control (ABAC). These methods ensure that API clients are granted access only to resources that are necessary for their role or attributes.
API Gateway Security: All API traffic is routed through a secure API gateway that enforces strict access policies, rate limits, and IP whitelisting. The gateway also performs deep packet inspection and threat detection to prevent and mitigate potential attacks.
API Key Management: API keys are used to authenticate requests. We employ a secure key management system that handles the creation, distribution, and rotation of keys. All API keys are encrypted at rest and require rigorous auditing and logging of all access requests.
Multi-Cloud Infrastructure:
Deployment Strategy: We deploy our services across multiple cloud providers, which allows us to leverage unique capabilities and geographical diversity of each provider. Our current Cloud providers are Amazon AWS and Google Cloud.
Regional Segregation: Data is stored in geographically segregated infrastructures across different regions and/or autonomous zones.
Load Balancing and Failover: We utilize load balancing techniques (both at the application layer and at the network layer) to distribute user requests across our servers evenly. In case of a server or provider outage, our failover mechanisms automatically reroute traffic to the nearest operational region.
Data Replication: All critical data is replicated asynchronously across different clouds to ensure data integrity and availability. In the event of data corruption or accidental deletion, we can restore data from a redundant copy stored in a separate region or even in a separate Cloud provider environment.
Data protection and Privacy
Data Encryption:
At Rest: We use Advanced Encryption Standard (AES) 256-bit encryption for all data stored within our systems. This includes personal information, transaction data, and any sensitive digital assets.
In Transit: All data transmitted between our users and our servers is encrypted using Transport Layer Security (TLS) 1.3, the latest version of the internetβs most used security protocol.
Key Management:
We employ a robust key management system (KMS) that adheres to the Key Management Interoperability Protocol (KMIP). Our KMS handles the creation, distribution, and rotation of encryption keys and Smart contracts private keys.
Data Storage Architecture:
Our data storages are designed with redundancy and resiliency thanks to the multi-cloud paradigm.
Data is segmented and isolated according to its sensitivity. Critical data, such as user credentials and personal identifiers, is stored in separate environments with additional security layers.
Privacy and Compliance with Regulations:
GDPR and Swiss Privacy Law Compliance: We are committed to complying with the General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). These regulations guide our processes and policies on data protection, ensuring that we maintain the highest standards of privacy for our users.
Data Minimization and Purpose Limitation: We adhere strictly to the principles of data minimization and purpose limitation. This means we only collect data that is necessary for the services provided and limit the processing of personal data to specific, explicit, and legitimate purposes.
Right to Deletion and Anonymization: Users have the right to request the deletion or anonymization of their personal data. Upon request, we ensure the complete removal of the userβs data from our systems, except where legal obligations require data retention. We also provide options for data anonymization, allowing users to continue using our services without revealing their identity.
Data Protection Officer (DPO): We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategies and ensuring compliance with data protection laws. The DPO is also available to address any concerns our users may have regarding the handling of their personal information.
Supported Blockchains
Ethereum
BSC Smart chain
Polygon
Solana
Base
Last updated