Security & Compliance
Security and compliance are top priorities for Flamelink because they are fundamental to your experience with our product. Flamelink is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of service.
Flamelink uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss. Flamelink makes use of a number of automated tools to ensure security best practices are followed, for example making use of static analysis of code.
Compliance and Certification
According to General Data Protection Regulation (GDPR), entities dealing with any European Union data through a vendor, need a contractual agreement in place with each vendor so the EU knows they’re only doing business with companies that fully comply with the GDPR.
Flamelink provides the same privacy benefits and standards to all our users and does not limit this to European users only. All customer data (including marketing data) is treated in a way that conforms with GDPR. Flamelink stores as little details as possible about you and your project to ensure the security of your data. However, in the event of you requiring support from the Flamelink support team specifically, we’ll use very basic information to adequately assist you to troubleshoot your query. This may include the email address and project ID associated with the project query. The content you add using Flamelink is stored in Firebase and not Flamelink itself.
You may export all your personal data at any time from within the Flamelink application.
More personal data can be processed by Intercom (learn more about Intercom’s Security posture) which Flamelink uses for Support. History of these chat sessions can be provided on request.
Permanent Data Deletion
All users have the right to be forgotten. When terminating a project subscription or deleting your Flamelink profile, all data associated with the project or your user account is permanently deleted.
If you have subscribed to the Flamelink newsletter, you may also unsubscribe at any time by selecting the option from within one of the email newsletters you have received.
ISO and SOC compliance
All Firebase services have successfully completed the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process, and some have also completed the ISO 27017 and ISO 27018 certification process. Read more about the individual services here.
Flamelink’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Credit card data never touches any of the Flamelink servers, making it compliant with Payment Card Industry Data Security Standards (PCI DSS). Flamelink also uses Stripe provided UI elements for capturing credit card information within the application’s frontend, which communicates directly with Stripe’s servers.
Infrastructure and Network Security
Physical Access Control
Flamelink is a cloud-native service and is hosted on Firebase and the greater Google Cloud Platform. We do not have data centres of our own. Google data centres feature a layered security model, including extensive safeguards such as:
- Custom-designed electronic access cards
- Vehicle access barriers
- Perimeter fencing
- Metal detectors
Read the Google Security Whitepaper for more information.
Flamelink employees do not have physical access to Google data centres, servers, network equipment, or storage.
Logical Access Control
Flamelink is the assigned administrator of its infrastructure on Google Cloud Platform, and only designated authorized Flamelink engineering team members have access to configure the infrastructure based on access roles.
Flamelink undergoes black-box penetration testing, conducted by an independent third-party, on an annual basis. For black-box testing, Flamelink provides this party with an isolated clone of flamelink.io and a high-level diagram of application architecture.
Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities.
Intrusion Detection and Prevention
Unusual network patterns or suspicious behaviour are among Flamelink’s biggest concerns for infrastructure hosting and management. Google Cloud Platform’s intrusion detection and prevention systems (IDS/IPS) rely on both signature-based security and algorithm-based security to identify traffic patterns that are similar to known attack methods.
IDS/IPS involves tightly controlling the size and make-up of the attack surface, employing intelligent detection controls at data entry points, and developing and deploying technologies that automatically remedy dangerous situations, as well as preventing known threats from accessing the system in the first place.
Flamelink does not provide direct access to security event forensics but does provide access to the engineering team during and after any unscheduled downtime.
Business Continuity and Disaster Recovery
Every part of the Flamelink service uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure.
Read more about CDN reliability and redundancy used here. The user-facing Flamelink interface is also built as a Progressive Web App (PWA) using the cached “app shell” model, which adds to network resiliency and offline availability.
The Flamelink services are also situated behind a third party website security company namely Cloudflare. The relevant services utilized by Flamelink are WAF (Web Application Firewall), DDoS mitigation, Bot Management, and DNSSEC.
Flamelink keeps daily encrypted backups of user profile data (the minimum data required to run Flamleink) on the Google Cloud Platform. While never expected, in the case of production data loss (i.e., primary data stores lost), we will restore organizational data from these backups. This organizational data does not include a user’s Firebase project data.
It is important to note that all project-specific data is stored within your own Firebase project linked to Flamelink - either within your Cloud Firestore or Firebase Realtime Database, as well as your Cloud Storage Bucket and Firebase Authentication service. Flamelink does not automatically back up your own data.
You are free to comply with additional backup requirements beyond what Flamelink provides by using the Backup & Restore module or by using Firebase’s backup functionality.
In the event that Flamelink’s application is unavailable, your project’s availability is isolated and is subject to your own security and redundancy setup. This also means that you are not tied into Flamelink and always remain in control of your own data.
In the event of a region-wide outage, Flamelink will bring up a duplicate environment in a different Google Cloud Platform region within a reasonable amount of time.
Data Security and Privacy
Encryption at rest
All data in Flamelink servers is automatically encrypted at rest. Google Cloud Platform stores and manages data cryptography keys in its redundant and globally distributed Key Management Service. So, in the unlikely event of an intruder gaining access to any of the physical storage devices, the Flamelink data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.
Encryption at rest also enables continuity measures like backup and infrastructure management without compromising data security and privacy.
Encryption in transit
Flamelink exclusively sends data over HTTPS transport layer security (TLS) encrypted connections for additional security as data transits to and from the application. This includes data sent through our Content Delivery Network (CDN) and services within GCP, as well as integration with Stripe for all billing related transactions.
All customer data stored on Flamelink servers is eradicated upon a customer’s termination of service. The only exception is non-personally identifiable data that is retained to ensure that the same Firebase project can not qualify for a free trial numerous times.
Flamelink’s API uses Firebase auth tokens for authentication. Authentication tokens are passed using the auth header and are used to authenticate a user account with the API.
The Flamelink API has Cross-Origin Resource Sharing (CORS) enabled only for a small subset of whitelisted domains and is not accessible publicly otherwise.
We know user administration is central to security and management, and auditing user logs is often the first step in both an emergency response plan and policy compliance requirements. All Flamelink customers get admin controls governing identity, access, and usage to keep your data safe, secure, and centrally managed.
Roles within Flamelink are handled at the project level. The system is designed so each user has a singular account that can be reused across multiple projects. Each Flamelink user should have their own account. Access to projects is dictated by role:
Projects can have multiple owners. Only owners can manage contributors (other standard CMS users) for the project and only they have access to a project’s billing information. Standard users can only manage content based on the content permissions set within the project’s database, also taking into account the Cloud Firestore or Realtime Database security rules set for the project.
Basic security rules are provided when you link your Firebase project with Flamelink, but it is highly recommended that these rules are updated and tightened before making your project available to your end-users. These rules are too specific for each project that it is not possible for Flamelink to provide one set of rules that will be optimally secure for all projects.
Secure Application Development (Application Development Lifecycle)
Flamelink practices continuous delivery, which means all code changes are committed, tested, shipped, and iterated on in a rapid sequence. A continuous delivery methodology, complemented by pull request, continuous integration (CI), and automated error tracking, significantly decreases the likelihood of a security issue and improves the response time for the effective eradication of bugs and vulnerabilities.
Release notes and details for Flamelink can be found on the dedicated changelog page.
All Flamelink product changes must go through code review, CI, and a build pipeline to reach production servers. Only designated employees on Flamelink’s engineering team have deployment access to production servers.
We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via a pull request and an internal review.
All Flamelink employees undergo background checks prior to employment.
Flamelink notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.
Flamelink Solarflare plans include a dedicated customer success manager who holds responsibility for customer communication, as well as regular check-ins and escalations.
If you would like to report a vulnerability or have any security concerns with any of the Flamelink services, please contact firstname.lastname@example.org. We take all disclosures seriously. We will verify each vulnerability before taking the necessary steps to fix it. Once verified, we send status updates as issues are resolved. Please avoid announcing any vulnerabilities publicly to enable us to verify the vulnerability and apply a fix before potential exploitation.
Please use our keybase.io account to encrypt any data if what you need to disclose is of a sensitive nature.