Before delving into technical details, it's important to note some information about data. To ensure consistent performance worldwide, our data is distributed across 75 edge locations. However, all data we gather from customers and visitors is strictly segregated from other application and services and is exclusively stored in the EU, specifically in Ireland. See a full overview of all data points and their locations here.
At Unless, all visitor data is stored electronically on Amazon Web Services infrastructure located in their Eu-West-1 datacenter cluster in Ireland. Our application and database servers operate within a Virtual Private Cloud with no external sources allowed to connect to the database. We retain data for no longer than 365 days.
Data collected through Unless is solely to benefit our users and customers. We do not utilize this data unless consent is received from an admin of the Unless account, with explicit details about its intended use.
We prioritize security by design, implementing measures such as operating live mode in a read-only state, serving static data, and concealing it behind CDN network endpoints for DDoS protection. Edit mode controls are provided via an API, also fortified with internal CDN distribution and DDoS protection.
With this architecture comes a range of beneficial effects, including integrated DDoS mitigation systems with edge services, drastically reducing time-to-mitigate. Stateless SYN Flood mitigation techniques verify incoming connections and pass them only to the protected service. Auto-traffic engineering systems work to disperse or isolate the impact of volumetric DDoS attacks, while firewalls provide application layer defense.
Our infrastructure operates using Lambda functions as separate atomic blocks of code which fire on demand and don't exist when idle. This makes them much more difficult to penetrate than traditional cloud server instances which must remain up and running at all times. This "serverless architecture" contains no OS maintenance, scaling responsibility, or use of physical, virtual, or cloud server instances.
We ensure data-at-rest is encrypted using FIPS 140-2 validated hardware security modules, and data in transit employs TLS using SHA-256 with RSA Encryption. During processing by a Lambda function, data is protected in a shielded Lambda container.
As a SaaS provider, Unless does not distribute new software versions in the way software vendors would. Our service represents one version that is constantly receiving our attention and focus regarding security protocol and development efforts.
Our software developers employ secure coding standards, with ongoing reverse reviews and automated unit testing. Our software is tested internally, and critical features are released in beta to a select number of test customers for live field testing.
Following the completion of formal code review, all deployment procedures are automated and necessitate no human involvement, except for user testing. We conduct continuous monitoring of performance, availability, and security, utilizing automated procedures as well as random manual checks.
We enforce extra firewalls that limit the opening of only necessary ports between internet-exposed servers. Furthermore, we employ an Intrusion Protection System (IPS) software as a second level of security, which automatically blocks access once suspicious login activity is detected. Our threat detection service actively determines the presence of malicious and unauthorized behavior to prevent security breaches.
Only Unless engineers which require such access to perform their job efficiently are given access. Engineers are allocated varying access rights on system components according to their task requirements. Unique credentials are assigned to all authorized personnel. SSH Key-Based authentication is used for server access. Security access rights and privileges are reviewed monthly.
We ensure patch management has no impact on security vulnerabilities. Our microservices architecture contains interchangeable pieces that can be updated separately, without interdependency, allowing us to apply pertinent patches or bug fixes specifically on the affected system component. In addition, we use continuous data backups for point-in-time recovery (PITR). Full database backups are conducted continuously, and we maintain electronic copies of these backups for 35 days. Our databases integrate encryption at rest and data in transport.
There is a legal retention policy for personal data that necessitates the deletion of data, including data in electronic files, databases, and backups. Information is encrypted using 256-bit Advanced Encryption Standard (AES-256).
We allow customers to further improve their organizational security, by offering different user access levels.
- Admins: all rights within a customer account
- Publishers: everything except user management
- Editors: only content editing, but no publishing.
The customer has the sole right of granting access to anyone. Unless employees have no access by default. Passwords are always hashed and salted using bCrypt. Additionally, data at rest and in motion is always encrypted by using TLS with at least 128-bit AES encryption. Data transport is over TLS using SHA-256 with RSA Encryption.