This document provides an overview of the security measures implemented by Caribou. The document covers platform, data and organisation security measures.
“GCP” Google Cloud Platform
“VPN” Virtual Private Network
“VPC” Virtual Private Cloud
Caribou’s core production infrastructure is hosted on GCP, an ISO27001/SOC 2 compliant vendor. The production environment is completely separated from testing environments through separate accounts and VPCs.
Access to Caribou’s production infrastructure is restricted to a limited number of Caribou employees. All systems have controlled access, and privileged access is only granted on a case-by-case basis where required.
GCP’s security controls restrict physical access to data.
As a general principle, all of Caribou’s data is encrypted while being transported across networks and when stored (in transit and at rest). The encryption methods employed are industry standard.
Authentication services are handled by Auth0, a SOC 2 compliant vendor. Caribou does not store or manage passwords, either in plaintext or cryptographic hash form.
Additional information on GCP security can be found here https://cloud.google.com/docs/security/overview/whitepaper.
All customer data is encrypted using 256-bit AES, or better, with symmetric keys. These data keys are encrypted themselves using a key stored in a secure key store and changed regularly.
All data in transit is encrypted with TLS > 1.2 (for public APIs) or WireGuard (for internal communication).
Communication between all internal services is controlled and secured within the production VPC. Any external internet-accessible services are tightly controlled using access control policies.