Waybook takes security very seriously. If you don’t need to read through all of our documentation, here are the headline features we offer.
Your data is encrypted in transit and at rest to keep it safe.
All servers are located within a secure Digital Ocean cloud environment.
Waybook operates a defense-in-depth approach to network security with multiple redundant firewalls and allowlists.
Data partners used for billing and other services are ISO27001/SOC-1-2-3 certified.
Single Sign-On (SSO), Multi-Factor Authentication (MFA), and System for Cross-domain Identity Management (SCIM) are supported to keep your employees safe with enforced MFA available for teams.
Both on-premise and remote monitoring systems collect data 24/7 to alert Waybook engineers.
Data is backed up to an off-site, append-only external vault to protect against ransomware attacks.
Written security and disaster recovery policies alongside Infrastructure-as-Code playbooks enable Waybook’s engineers to keep your data safe and available, even in worst-case scenarios.
Follow these links for more information:
Protecting Your Data
Waybook takes security very seriously and has the following features to protect your data.
All data in the Waybook datastores are encrypted at rest with LUKS and in transit using TLS.
Complete database snapshots are stored in a remote, append-only vault each night and held for 365 days. This ensures that even if Waybook’s primary data stores were compromised, your data can still be retrieved and made available.
Employees can sign-in using Single Sign-On services such as Microsoft Azure AD and Google Workspaces. This means employee passwords never touch Waybook’s servers and access can be controlled from centralized user repositories.
Multi-Factor Authentication (MFA) can be used when logging in, with the ability to enforce MFA at a team level.
All billing data is maintained in Stripe, a PCI-DSS-compliant billings provider trusted by millions of teams around the world.
Waybook’s secure authentication section disallows the use of vulnerable scripts and headers using the latest Content-Security-Policy (CSP) headers. Many applications operate their login and other pages alongside the rest of the application, increasing the risk of rogue scripts being able to exfiltrate employee credentials.
An internal audit log of all actions made by team members is available within the app. Additionally, data for forensic analysis is available by request including exact access time and remote IP address information.
On-Premises Hosting Option for Enterprise Clients: For organizations seeking additional security control, Waybook offers the option to host the platform on your own premises. This allows you to manage and protect your data within your existing infrastructure, without compromising the robust security measures provided by our standard hosting solutions.
Securing The Network
Waybook takes security very seriously and has the following features in place to secure the network.
Waybook operates behind Cloudflare’s Web Application Firewall that provides real-time monitoring, alerting, and protection from most threats including Distributed Denial of Service (DDOS) attacks.
Firewalls at the boundaries of Waybook’s Virtual Private Cloud (VPC) ensure only those servers that need to communicate with the Internet are allowed to. Within Waybook’s VPC, a strict allowlist determines which servers each machine is allowed to communicate with.
All network communication with customers is encrypted using TLS. Waybook even offers TLS protection for customers using their own domain names via the use of CNAME e.g. playbook.my-company.com.
All developers and tools accessing the Waybook VPC must provide unique and revocable SSH keys.
Incoming application requests are logged in a centralized logging system in order to analyze patterns and provide historical records in case of data forensics.
Checking The Code
Waybook takes security very seriously and has the following features to check our code to ensure your protection.
All code is stored in git repositories. Changes must be checked in before they can be deployed ensuring a complete history of every version of the application is maintained.
Code dependencies are analyzed to identify vulnerabilities according to the latest CVE advisories.
Testing against the OWASP Top 10 is conducted to ensure that Waybook remains safe against the most common attacks in use today.
All Waybook employee access to Waybooks’ management systems is protected by a separate authentication system requiring MFA codes.
Deployments of code to Waybook’s systems utilize a Continuous Integration/Continuous Delivery (CI/CD) model, vastly reducing the chance of breaking changes affecting customers.
Waybook’s infrastructure is created using an Infrastructure-as-Code framework, enabling Waybook to quickly tear down and rebuild its entire infrastructure. In the event of a disaster, Waybook can reprovision the entire system either within the previous Virtual Private Cloud or if needed in a completely new vendor.
Availability and Continuity
Waybook takes security very seriously and has the following features in place to ensure availability and continuity.
Waybook employs multiple, redundant uptime checks that monitor not just the core application but individual components to ensure the system is operating within bounds.
Written guidance on what to do in the event of failures allows engineers to quickly isolate faults, put fixes in place, and make changes to both code and documentation to reduce the likelihood of it occurring again.
While Waybook is not yet ISO27001 or SOC 2 certified yet, it is something that is on the roadmap. Many necessary components are already standard practice within Waybook and the wider team.
Automated pen tests have been performed against the system to detect any vulnerabilities. A complete audit has not yet been conducted but is on the roadmap.