SECURITY POLICY

Security Policy

At Thrive Tribe Technologies, we know that our customers rely on us as an important part of their business processes. We take this responsibility very seriously and as a result, the security and reliability of the software, systems and data that make up the Thrive Tribe Technologies platform are our top priority.

Infrastructure Security

The Thrive Tribe Technologies application is hosted and managed within the Amazon Web Services (AWS) cloud computing infrastructure – the most secure cloud computing environment available today. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS inherently protects from threats by applying security controls at every layer – from physical to application – isolating applications and data, whilst rapidly deploying security updates without service interruption.As a result, the Thrive Tribe Technologies application is afforded all the benefits of being hosted on the AWS infrastructure, including:

     ● Regular security assessments and compliance auditing
     ● Ongoing penetration testing and vulnerability assessments
     ● Real-time antimalware and antivirus protection for file systems, memory, processes and registry database
     ● Rolling updates and security patching with zero downtime
     ● Environmental safeguards
     ● Network security safeguards
     ● Data security safeguards    
     ● System security safeguards
     ● Vulnerability management
     ● Backups
     ● Disaster recovery
     ● Privacy
     ● Restricted access to customer data
     ● Employee screening and policies
     ● Dedicated security staff

Additionally, AWS provides certification reports that describe how the AWS Cloud infrastructure meets the requirements of an extensive list of global security standards, allowing Thrive Tribe Technologies to meet specific government, industry, and company security standards and regulations, including:

     ● ISO 27001
     ● SOC
     ● PCI Data Security Standard
     ● FedRAMP
     ● Australian Signals Directorate (ASD) Information Security Manual
     ● Singapore Multi-Tier Cloud Security Standard (MTCS SS 584)

For more information, please see the AWS Security page.

Application Security

The Thrive Tribe Technologies web application adopts the OWASP Top Ten and OWASP Mobile Top Ten as a means of ensuring application code is free from flaws and security vulnerabilities. The OWASP Top Ten is a set of powerful awareness document for web and mobile application security. The OWASP Top Ten represents a broad consensus about what the most critical web and mobile application security flaws are. Project members include avariety of security experts from around the world who have shared their expertise to produce a list of the top ten security vulnerabilities affecting web and mobile applications.

Adopting the OWASP Top Ten ensures Thrive Tribe Technologies is protected against:

1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Adopting the OWASP Mobile Top Ten ensures Thrive Tribe Technologies is protected against:

1. Weak Server Side Controls
2. Insecure Data Storage
3. Insufficient Transport Layer Protection
4. Unintended Data Leakage
5. Poor Authorisation and Authentication
6. Broken Cryptography
7. Client Side Injection
8. Security Decisions Via Untrusted Inputs
9. Improper Session Handling
10. Lack of Binary Protections

For more information, please see the OWASP website.

Infrastructure Security

The Thrive Tribe Technologies application uses the Stripe payments service for the secure transaction and storage of all payments.

Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

For more information see: https://stripe.com/docs/security/stripe