Platform Security
Secure Environment

The WEM platform is hosted in a secure environment. There is no direct access to the application or data services. Active protection is in place against the most common security risks (such as the OWASP Top 10).

Integrity and availability

The WEM platform's web frontend as well as the application services run in a high-availability cluster. All mutations in the database are transactional, and referential integrity is enforced in the database. Full transaction logging and centralized backups to a separate location are in place.

GDPR

The WEM platform is GDPR compliant. The team has performed extensive gap analyses, which resulted in several technical and organizational measures in order to fully comply with the GDPR. Data protection / privacy legislation & ISO: WEM uses CloudVPS ISO for data protection; employees are informed of privacy procedures as part of the 'Handbook of Employee Rules'; employees have a standard NDA within their employment contract; WEM offers the possibility to sign a 'Processor Agreement'.

ISO27001 Certification

The WEM platform is ISO 27001 certified through its cloud hosting provider in the Netherlands (CloudVPS). Certificates are provided on receipt. By default all content is owned by the customer. This includes the applications as well as the actual data.

Performance Logs and CICD

Performance and activities are logged for all components of the WEM platform. Detailed user and access logging can be modelled for specific applications. The WEM platform maintains a CI/CD setup. All updates go through QA, and automated regression tests run before each release. A DTAP (development, test, acceptance, production) environment is maintained.

Backup

WEM stores full backups of all databases for up to 28 days. Backups older than 28 days are automatically deleted.

Restrictive Filtering

The WEM platform uses a firewall and a reverse proxy that handle web requests before they are sent to the application servers. Every web request must meet a set of rules and restrictions before it is forwarded to the application servers. Using this 'gatekeeper' functionality, the WEM team can detect and prevent attacks on services. For individual applications it is also possible to set up extensive access control based on IP addresses or ranges of IP addresses. This can be used to implement a whitelist or blacklist approach to restrict or allow access to individual applications/portals.

Vulnerability scanning

The WEM team runs automated pentests on a monthly basis. It is also possible to run pentests for applications that are built with WEM. These pentests are run on customer request, on a case-by-case basis.

Certificate protection

The X.509 server certificates are generated and stored on the NGINX web servers, which serve as both a reverse proxy and a TLS termination proxy. A CSR is sent to a CA; the private keys do not leave the NGINX servers (we run multiple NGINX servers in an HA cluster). The certificates are renewed every three months. WEM has been designed with the security needs of the enterprise in mind. Users have a number of security features to incorporate in their applications to make them as secure as their requirements demand.
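The following NGINX configuration is an added illustration of the two mechanisms described above (the 'gatekeeper' reverse proxy with per-application IP allowlists and denylists from the Restrictive Filtering section, and TLS termination with the private key kept on the proxy from the Certificate protection section). It is not WEM's own configuration: the hostnames, file paths, upstream addresses and IP ranges are placeholders, and the IP ranges are the reserved documentation networks (TEST-NET-1/2/3), so nothing here points at a real network.

```nginx
# Added example, not WEM's configuration. All names, paths and addresses are placeholders.

http {
    # Rate limit every client as one of the rules a request must meet before it is proxied.
    limit_req_zone $binary_remote_addr zone=per_client:10m rate=20r/s;
    server_tokens off;

    # Application servers behind the proxy; clients never reach these directly.
    upstream app_backend {
        server 10.0.0.11:8080;   # placeholder application server
        server 10.0.0.12:8080;   # placeholder application server
    }

    # Catch-all: requests for hostnames we do not serve never get a TLS session at all.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # requires NGINX 1.19.4 or later
    }

    server {
        listen 443 ssl;
        server_name app.example.invalid;   # placeholder hostname

        # Certificate chain returned by the CA for the CSR, and the private key that was
        # generated on this host and never leaves it (keep the key readable by root only).
        ssl_certificate     /etc/nginx/tls/app.example.invalid.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/app.example.invalid.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        # Gatekeeper rules applied to every request.
        limit_req zone=per_client burst=40 nodelay;
        client_max_body_size 10m;

        # Portal restricted to an allowlist: only these ranges reach the application,
        # everyone else receives 403 from the proxy and the request is never forwarded.
        location /portal/ {
            allow 203.0.113.0/24;    # constructed range (TEST-NET-3), e.g. an office network
            allow 198.51.100.0/24;   # constructed range (TEST-NET-2)
            deny  all;

            proxy_pass http://app_backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Public application with a denylist: a single blocked range, all others allowed.
        location / {
            deny  192.0.2.0/24;      # constructed range (TEST-NET-1)
            allow all;

            proxy_pass http://app_backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two points worth checking when applying rules like these: `allow` and `deny` are evaluated in order and match against `$remote_addr`, so if another load balancer or CDN sits in front of NGINX the directives would see that device's address rather than the client's, and `set_real_ip_from` / `real_ip_header` must be configured for the trusted hop before the allowlist is meaningful. The `deny all` after the allowlist is what turns the list into a whitelist; without it NGINX allows any address that no rule matched.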