WCfootball Security

 

Introduction

WCfootball users entrust us with billions of their notes, projects, and ideas. We must maintain the confidentiality and security of that data in order to earn your trust. The information on this page is meant to provide transparency about how we protect that data. As we add new security features and enhance the security of our products, we will keep updating and expanding the information provided here.

Security Program

WCfootball has a dedicated security team. The mission of our security team is to safeguard the data you store with us. We oversee a security program that focuses on the following areas: product security, infrastructure controls (physical and logical), policies, staff awareness, intrusion detection, and assessment activities.

The security team manages an in-house Incident Response ("IR") program and trains WCfootball employees on how to report suspicious behavior. Our IR team has protocols and tools in place to respond to security threats, and we are constantly evaluating new technologies to increase our ability to identify attacks on our infrastructure, services, and people.

We regularly check our applications and infrastructure for flaws and fix any that could jeopardize the security of consumer data. To broaden the scope and depth of these audits, our security team is always evaluating new tools.

Network Security

WCfootball's network borders are defined by a combination of load balancers, firewalls, and VPNs. We utilize these to regulate which services we expose to the Internet and to separate our production network from the rest of our computing infrastructure. We restrict who gets access to our production infrastructure depending on business needs and require strong authentication.

Account Security

WCfootball never stores your password in plaintext. When we need to save your account password securely in order to verify your identity, we use PBKDF2 (Password-Based Key Derivation Function 2) with a unique salt for each credential. We choose the number of hashing iterations to balance user experience against the cost of cracking a password.
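A sketch of salted PBKDF2 password storage as described above. This is an added example, not WCfootball's code; the SHA-256 PRF, the iteration count, and the `$`-separated record layout are assumptions. Storing the iteration count with each hash lets the work factor be raised later and old records upgraded at the next successful login.

```python
import hashlib
import hmac
import secrets

PRF = "sha256"          # assumption: the page names PBKDF2 but not the hash
ITERATIONS = 600_000    # assumption: tune to the login latency you can afford


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2-<prf>$<iterations>$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(16)  # fresh random salt for every credential
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-{PRF}${iterations}${salt.hex()}${dk.hex()}"


def _parse(record):
    scheme, iters, salt_hex, hash_hex = record.split("$")
    if scheme != f"pbkdf2-{PRF}":
        raise ValueError("unsupported scheme")
    iterations = int(iters)
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    if iterations < 1 or not salt or not expected:
        raise ValueError("malformed record")
    return iterations, salt, expected


def verify_password(password, record):
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False  # a malformed record never authenticates
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record was hashed with fewer iterations than current policy."""
    try:
        return _parse(record)[0] < iterations
    except ValueError:
        return True
```

Call `needs_rehash` only after `verify_password` has succeeded, while the plaintext is still in memory, and replace the stored record with a fresh `hash_password` result.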

While we do not demand that you create a strong password, our password strength meter will encourage you to do so. To slow down password guessing attacks, we set limits on both a per-account and per-IP address basis for failed login attempts.
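One way to count failed logins per account and per IP address, as an added example rather than WCfootball's implementation. The thresholds, the 15-minute sliding window, and the class and method names are assumptions. A successful login clears only the account counter, so signing in to one account does not reset the count for the source address.

```python
import time
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Sliding-window counts of failed logins, keyed by account and by source IP."""

    def __init__(self, per_account=5, per_ip=20, window=900.0, clock=time.monotonic):
        self.limits = {"account": per_account, "ip": per_ip}  # assumed thresholds
        self.window = window                                  # seconds
        self.clock = clock
        self.failures = {"account": defaultdict(deque), "ip": defaultdict(deque)}

    def _count(self, kind, key):
        q = self.failures[kind][key]
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:   # drop failures that aged out of the window
            q.popleft()
        return len(q)

    def allowed(self, account, ip):
        """Check before verifying the password; False means reject or delay."""
        account = account.strip().lower()
        return (self._count("account", account) < self.limits["account"]
                and self._count("ip", ip) < self.limits["ip"])

    def record_failure(self, account, ip):
        now = self.clock()
        self.failures["account"][account.strip().lower()].append(now)
        self.failures["ip"][ip].append(now)

    def record_success(self, account):
        # Clear the account counter only; the IP counter keeps its history.
        self.failures["account"].pop(account.strip().lower(), None)
```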

WCfootball provides two-step verification ("2SV"), commonly known as two-factor or multi-factor authentication, for all accounts. Our 2SV mechanism is based on a time-based one-time password (TOTP) scheme. All users can generate codes locally on their mobile device using an app or have them delivered as a text message.

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our security team drives an application security program to improve code security hygiene and periodically assess our service for common application security issues, including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

Our web service uses OAuth to authenticate all third-party client applications. OAuth allows you to connect a third-party application to your account without giving the program your login credentials. When you successfully log in to WCfootball, we send an authentication token to the client so they can continue to verify your access going forward. As a result, you will never need to have a third-party application save your username and pass

Every client application that communicates with our service uses a well-defined Thrift API for all actions. By brokering all connections through this API, we are able to build authorization checks into the application design as a core construct. The service does not allow direct object access, and each client's authentication token is validated on every access to ensure the client is authenticated and authorized to access a specific note or notebook.

Separation of Customers

The WCfootball service is multi-tenant and does not separate your data from the data of other users. Your data may reside on the same servers as another user's data. Unless you specifically share it with another user, we consider your data to be private and do not allow access to it.

Media Disposal and Destruction

We securely erase or destroy any storage medium that was ever used to hold user data. To accomplish this, we adhere to NIST Special Publication 800-88. Check out this blog post for an example of how we securely destroy failed hard drives.

We use local disks, persistent disks, and Google Cloud Storage buckets among other Google Cloud Platform ("GCP") storage solutions. To make sure that reusing storage doesn't expose confidential client data, we make use of Google's cryptographic erasure procedures.

Activity Logging

The WCfootball service logs client interactions with our services on the server side. This covers logging of actions performed through our API as well as web server access logging. We also collect event data from our client applications. In the Access History area of your Account Settings, you can check the most recent access times and IP addresses for any application connected to your account.

Transport Encryption

WCfootball protects your data in transit using industry-standard encryption. This is known as Transport Layer Security (TLS) or Secure Sockets Layer (SSL) technology. In addition, for the WCfootball service, we enable HTTP Strict Transport Security ("HSTS"). We support a variety of cipher suites and TLS protocols in order to provide a balance of strong encryption for browsers and clients that support it, as well as backward compatibility for legacy clients that require it. To support our commitment to protecting your data, we want to continue upgrading our transport security posture.

STARTTLS is supported for both inbound and outgoing email. Your email will be secured in transit to and from the WCfootball service if your mail service provider supports TLS.

We protect all customer data flowing between our data center and the Google Cloud Platform using IPsec with GCM-AES-128 encryption or TLS.

Encryption at Rest

We started moving the WCfootball service to Google Cloud Platform (GCP) in late 2016. Customer data stored in GCP is safeguarded by Google's built-in encryption-at-rest technologies. Technically, all data at rest is transparently and automatically encrypted with AES-256 through Google's server-side encryption capability, with Google-managed encryption keys. Here is further information on how encryption at rest safeguards your data.

Resiliency / Availability

We operate a fault tolerant architecture to ensure that WCfootball is there when you need it.

In both our physical data centers and our cloud infrastructure, this includes:

We back up all customer content at least once daily. We do not utilize portable or removable media for backups.

Physical Security

We run the WCfootball service utilizing a combination of cloud services and physical data centers.

In our data centers, we keep our infrastructure in a secured, locked cage with 24x7x365 monitoring. Access to these data centers requires at least two factors of authentication, and biometrics may be used as a third factor. A SOC-1 Type 2 audit of each of our data centers certifies that they are capable of keeping our infrastructure physically safe. Only employees of the data center and operations teams of WCfootball have physical access to this infrastructure, and our operations team is informed whenever someone enters our cage, along with a video of the entry.

For our cloud services, we use the Google Cloud Platform. Google has undergone multiple certifications that attest to its ability to physically secure WCfootball’s data. You can read more about Google Cloud Platform’s security here.

All WCfootball data resides inside Malaysia.