Membermeister is a cloud hosted software platform which enables small to medium sized businesses in the dance, fitness and teaching sector to stay on top of their admin.
As a business that handles a lot of personal data we take extensive precautions and employ a best practice approach to keep our customer data and their customer’s personal details secure.
SSL encryption for in-transit data
All data that is handled by our website is strongly encrypted using industry standard SSL encryption. For this we use a signature algorithm of SHA-256 with RSA Encryption - in plain English: very strong encryption.
The authentication mechanism uses AES_128_GCM and ECDHE_RSA as the key exchange mechanism and we enforce SSL for all connections even if the initial request is made in an insecure way over http.
The connection itself runs over TLS 1.2. This is important as many vulnerabilities have recently been found and been exploited in older versions of TLS, including the well-known Heartbleed bug.
Data storage on RDS
Our database is hosted with Amazon Web Services on a MySQL database server in a service called Amazon RDS (Relational Database Service).
Our database is currently physically located in a datacenter in the eastern United States. Our provider AWS is fully GDPR compliant.
We have plans to move our database to Europe in order to have it physically closer to our customers. We're doing this to increase performance and reduce latency.
We’ve chosen MySQL as our database as we believe that tried and tested systems have had more time to mature and many vulnerabilities have been detected and removed by now.
Our database on RDS is backed up daily onto Amazon S3, a secure, durable, highly-scalable cloud storage platform. S3 is designed for durability. Data on S3 is redundantly stored across multiple facilities and multiple devices in each facility. Importantly the storage is separate from RDS and we keep rolling backups for 35 days.
In addition we are able to deploy read-replicas or a hot-standby database and can scale capacity up in a matter of minutes should the need arise.
The application servers are hosted on heroku and use transient dynos that do not provide any on-disk file storage facilities. This makes them more secure than traditional servers which can potentially receive and execute malicious file uploads.
SQL injections and cross-site scripting
We use Ruby on Rails, a tried and tested web application framework, for all core parts of the membermeister application. Rails provides a robust feature set that guards the application against common threads including session hijacking, replay attacks, SQL injection and cross-site request forgery (CSRF).
More details can be found at this link.
Three factor authentication
Attackers will usually look for the weakest point of resistance and we try to raise the barrier by protecting our email accounts, heroku account and AWS login through three factor authentication. This will prevent an attacker from gaining access to our account even in the case of compromised passwords.
We use password managing software to generate unique, strong passwords for all websites we use and accounts we create. This will mitigate problems should one of our suppliers be the victim of data theft as one set of credentials will not be reusable on another site.
In order to access our database server and other services directly we use IP whitelists in combination with an encrypted VPN connection and a strong password policy.