Are Our Data Secure?
We use industry-standard protocols and best practices to protect your data and privacy.
In today's complex and regulated environment, our users entrust us with the protection of their data using tools and practices that comply with industry standards. This page provides an overview of the efforts made by Netatoo to meet these requirements.
In today's complex and regulated environment, our users entrust us with the protection of their data using tools and practices that comply with industry standards. This page provides an overview of the efforts made by Netatoo to meet these requirements.
Database and Access Security
To begin with, we secure our persistence layer by limiting access to our primary application database to the application layer and a fixed set of known IP addresses belonging to Netatoo. This access limitation is achieved through a combination of firewall rules, authentication mechanisms (requiring users to prove their identity), and authorization through role-based permissions.
Data Backup and Restoration
We address the possibility of catastrophic application data loss (e.g., due to a natural disaster) by automatically creating database backups with a geo-redundant approach.
- We create full and differential backups, each encrypted with the AES-256 algorithm.
- Full database backups occur every few hours, while differential backups generally occur every hour, and transaction log backups generally occur every 10 to 15 minutes.
- In the event of data loss, we can restore the data to a specific point in time to minimize information loss. The integrity of the backups is semi-automatically and regularly verified to ensure that the stored data is compliant.
- Backups are retained for 90 days and then destroyed.
Security Audit and Threat Detection
To help us maintain regulatory compliance, understand database activity, and better understand discrepancies and anomalies that could indicate suspected security breaches (another aspect of the GDPR in the EU), we have deployed advanced auditing enabling threat detection on our servers. These services detect potential threats as they occur (e.g., abnormal database connections, SQL injection vulnerabilities) and immediately alert our team so they can take necessary action. In the specific case of the GDPR, this service is a key element of the technical machinery that allows us to detect data breaches and notify supervisory authorities in the unlikely event that such a situation occurs.
Connection Security and HTTPS Protocol
At the application layer, we enforce all incoming requests to use secure HTTPS connections (HTTP over TLS). Depending on the client device, the connection may use TLS 1.0, TLS 1.1.1, or TLS 1.2. We prohibit connections using outdated and vulnerable protocols SSL 2 and SSL 3.
Advanced HTTP Security Headers
Accepted TLS connections are encrypted using an SSL certificate employing the strongest web standard. As part of all HTTPS responses, our servers include a number of advanced security headers. These notably include:
- X-XSS-Protection instructs modern browsers to terminate communications when they detect reflected XSS (Cross-site Scripting) attacks.
- Content-Security-Policy instructs browsers to take strict measures to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from executing malicious content in the context of a trusted web page.
- Strict-Transport-Security, also known as HSTS. Instructs browsers to only access ballejaune.com / openresa.com using HTTPS (i.e., never use HTTP). We have deployed this header with a long lifespan.
- Expect-CT requests a client/web browser to enforce certificate transparency requirements (i.e., verify that our site's certificates appear in public CT logs), helping prevent the use of incorrect Netatoo certificates.
- Referrer-Policy allows us to control the value of the "referer" (sic) header for links outside our pages. In our case, we specify that the "referer" header should not be set when navigation results in a downgrade from HTTPS to HTTP.
Results of Independent Security Audits
Netatoo receives an "A" rating from the independent service securityheaders.io for verifying the various elements in place. You can run the test on demand for ballejaune.com and openresa.com and view the report for yourself. We also encourage you to compare the test to other websites you use or intend to use.
Netatoo's application hosting servers also receive an "A+" rating from the independent Qualys SSL Labs server test, an industry standard. You can run the test on demand and view the report for yourself. The report notes that we are not vulnerable to some of the most recent vulnerabilities like BEAST, POODLE, and Heartbleed. Again, we encourage you to compare the test to other websites you use or intend to use.
Attack Prevention and Cookie Security
To help prevent dictionary attacks, our login mechanism further uses account lockout functionality if an incorrect login password is entered multiple times.
Cookies sent by the server to the client for authentication and request verification purposes are always marked with the "HttpOnly" and "Secure" attributes, and their domain and path values are appropriately set for use with ballejaune.com / openresa.com.
Online Payment Security
Regarding online payments, Netatoo is PCI compliant. In practice, all payments are processed directly with the payment gateway of your choice (PayPal, Paybox Verifone). As such, no sensitive payment details come into contact with systems owned by Netatoo (instead, it is seamlessly redirected to your gateway and then managed through a token-based approach).
Transactional Email Security
Transactional emails sent by our services use the latest security features for email validation. These include valid SPF, DKIM, and DMARC policies. In the case of DMARC, our published policy requests recipient servers to quarantine any messages that fail the DMARC test. These features are advanced tools that help prevent spamming, spoofing, and phishing attacks. Naturally, we also include unsubscribe links on all emails we send, and we have implemented a rate-limiting system to help prevent email bombing attacks.
Internal Security Practices at Netatoo
At the organizational level, Netatoo employees have restricted access to data based on "need to know" and "least privilege" security principles. Development and testing systems are deployed on an internal network that is not accessible from the outside. The application source code is managed in a private repository and contains no sensitive information (such as API keys, passwords, or connection strings).
Service Availability Monitoring
In the event of incidents (e.g., application outages, degraded performance, or others), you can monitor the status of our services via Pingdom at the following address: http://stats.pingdom.com/rn0d9ch52vnj/1678478
Ongoing Updates and Best Practices
Finally, we pay particular attention to regularly updating our servers and internal systems to provide the latest security patches. We change our passwords every 60 days and use two-factor authentication on almost all third-party applications and services we use in our business.
Conclusion
We hope this information has helped you understand the main security mechanisms implemented by Netatoo to secure your data. We continually review our security procedures, so this information may well change in the future as we respond to the evolving security landscape.
Contact Us
Postal Address:
Netatoo SAS - BP 43606 - 54016 NANCY CEDEX FRANCE
Email:
support@openresa.com
Updated on четврток, 12 јуни 2025 г.
