Security
At Storyblok, the security of your information is our top priority. We rely on industry best practices and strictly enforced operational controls to ensure the security of all electronic data you entrust us with.
Access Control
Access to Storyblok is monitored and reviewed by automated tools that identify anomalies and notify the responsible personnel. The monitoring includes mitigation of brute force attacks.
Every content change is logged and can be reviewed by your developers in the user activity event stream.
The solution is hosted on Amazon AWS. Amazon AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Access to the solution’s internal network is only possible using a public/private key pair via Secure Shell (SSH).
Data Protection
The solution is hosted on Amazon AWS in Frankfurt, Germany, a region that holds various security certifications, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
- ITAR
- FIPS 140-2
- MTCS Level 3
The solution only uses secure HTTPS connections to communicate with other systems. Access controls are in place so that connections are granted only to explicitly permitted systems.
Unusual and malicious traffic is automatically detected by Amazon CloudWatch Alarms and notifications are sent to the responsible Storyblok employee.
Data is backed up to a second physical location using a read replica with automatic failover. Additionally, the data is backed up daily to Amazon S3 with a changelog, for a retention period of 30 days. Point-in-time restores are possible for any moment within those 30 days.
Storyblok's APIs communicate over HTTPS using the TLSv1.2 protocol. TLSv1.1 is deprecated and will be completely disabled after 01.12.2021. The domain api-tls12.storyblok.com already accepts TLSv1.2 only.
Storyblok uses a web application firewall (Amazon WAF) for its APIs to mitigate cross-site scripting, brute force, and SQL injection attacks. If an attack is detected, a rule is added to the WAF to deny access to the attacker.
Storyblok performs continuous automated security tests through Detectify, as well as periodic manual DDoS tests on the API.
Storyblok performs monthly recovery tests that include point-in-time database recovery and recovery of static assets through the object versioning feature of Amazon S3.
Change Management
Storyblok applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The Storyblok change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
- Reviewed – Peer reviews of the technical aspects of a change are required.
- Tested – Changes being applied are tested to help ensure they will behave as expected and not adversely impact security.
- Approved – All changes must be authorized in order to provide appropriate oversight and understanding of business impact.