Hosting
The Feedback4e platform is hosted on Amazon AWS Frankfurt region servers. Amazon AWS is responsible for hosting servers and we benefit from infrastructure services such as database, CDN, data backup, network level security and physical security.
Hosting on Amazon servers
Your data is stored on Amazon's cloud servers. Amazon is one of the companies providing the most secure servers in the world, and its servers are secured with the latest technology and certifications.
Like all of Amazon's products, these servers hold certifications such as ISO, CSA/CCM and IRS 1075. You can find detailed information about the certified servers on which your data is stored on Amazon's AWS website.
You can see the work Amazon does to protect your data in the AWS Security Center.
Network Structure
Only ports 80 (HTTP) and 443 (HTTPS) are open on our servers. HTTPS (SSL/TLS) communication uses Amazon-issued high-grade encryption certificates. Unencrypted communication is not allowed, and all HTTP requests are automatically redirected to HTTPS. Client requests are received by an Amazon Load Balancer, which forwards them to our active server in a VPC (virtual private cloud).
Application and Operating System
Our SaaS service runs on Windows servers; anti-virus software runs on them regularly and Windows updates are applied regularly. The data is kept in a database under our control on Amazon (Frankfurt) servers.
Passwords
Sensitive user password data in the database is stored as a one-way SHA-256 hash. Passwords are not stored in plain text. For this reason we cannot recover user passwords, and we direct users to create a new password if they forget theirs.
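The following is an added illustration of what one-way storage means for a login check; it is not Feedback4e's code, and the page does not say whether a salt or an iteration count is used on top of SHA-256. The first pair of functions reproduces the bare SHA-256 scheme the text describes; the second pair is a hypothetical salted, iterated variant (PBKDF2-HMAC-SHA256) shown for comparison, because a bare fast hash gives every user with the same password the same stored value, while a per-user salt and a work factor do not.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Scheme as described on the page: one-way SHA-256 of the password ---

def sha256_digest(password: str) -> str:
    """Bare SHA-256 of the password, hex encoded. This is what gets stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_sha256(password: str, stored_digest: str) -> bool:
    """Recompute the digest and compare in constant time.
    The stored digest cannot be turned back into the password, which is
    why a forgotten password can only be replaced, never recovered."""
    return hmac.compare_digest(sha256_digest(password), stored_digest)


# --- Hypothetical hardened variant (assumption, not the page's scheme) ---

def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated hash. A fresh random salt per user means two users
    with the same password get different records; the iteration count
    makes each guess deliberately slow."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Parse the self-describing record and recompute with its own salt/iterations."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample input: two different users choosing the same password.
    stored_a = sha256_digest("correct horse")
    stored_b = sha256_digest("correct horse")
    print("bare SHA-256 identical for both users:", stored_a == stored_b)
    rec_a = pbkdf2_record("correct horse")
    rec_b = pbkdf2_record("correct horse")
    print("salted records identical:", rec_a == rec_b)
    print("login ok:", verify_pbkdf2("correct horse", rec_a),
          "wrong password:", verify_pbkdf2("wrong", rec_a))
```

Both `verify_*` functions use `hmac.compare_digest` so that the comparison time does not depend on how many leading characters match.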
Feedback4e offers SAML v2 SSO, OpenID and link-based SSO integration. If these features are used, there is no need to keep user passwords on our platform, and you can log in to the platform using the MFA feature of your SSO provider.
As an extra security step, accounts can be secured by IP restriction on a per-customer basis. In this case, the customer's users log in to their accounts through the company VPN.
Cookies
We use cookies for authentication purposes. We do not store the user's password in the cookie. Instead, the cookie holds a random value generated by our platform for that user, which is used to match the user to their account and log them in. The cookie used for authentication is encrypted.
Data security
All API-based server services are protected by an enhanced, user-role-based security layer. The code written in this layer, and whether the layer is used correctly throughout the software, is verified through code reviews and test scenarios.
Each database table carries an ID that associates the row with a customer. Access to these tables is granted only after the customer ID of the authenticated user has been matched. When there is a mismatch, the system returns an "Unauthorized Access" error and generates an alarm. These alarms are immediately presented to our admin users, analyzed, and acted on, up to and including closing the user account.
The role-based authorization model includes the admin, hrbusinesspartner, employee, okrcoach and manager roles. Based on the user's profile, the system checks authorization on every transaction. In this way, an employee is prevented from accessing information reserved for the admin role.
Penetration testing services are obtained from third-party companies once a year.
All user transactions are logged.
The database is backed up daily to Amazon S3 buckets. Backups are kept in different zones, in the AWS Virginia and Frankfurt (Germany) regions, with separate user authorization for each. After backup, transfers to and reads from the buckets use the SSL/TLS protocol together with an Amazon Access Key. (The transfer takes place within the AWS network.)
In addition, monthly image backups of the servers on Amazon are taken in Virginia and Frankfurt. Similarly, application logs are backed up monthly to S3 buckets. We use two-step verification (MFA) to access infrastructure services on Amazon.
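The cookie-based login described under "Cookies" and the customer-ID and role checks described in the two paragraphs above fit together as one request path. The block below is an added example of that path, written for this page and not taken from Feedback4e's software: a random session value (not the password) is issued and looked up server-side, every data access is first matched against the authenticated user's customer ID, a mismatch returns "Unauthorized Access" and records an alarm, and the role check runs afterwards on each transaction. The users, records, role sets and `fetch_record` API are constructed for the example; the five role names are the ones the page lists.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Role names as listed on the page.
ROLES = {"admin", "hrbusinesspartner", "employee", "okrcoach", "manager"}


@dataclass(frozen=True)
class User:
    id: int
    customer_id: int   # tenant the user belongs to
    role: str


@dataclass(frozen=True)
class Record:
    customer_id: int   # tenant ID stored on every row
    payload: str


class UnauthorizedAccess(Exception):
    """Raised for any failed session, tenant or role check."""


# Constructed sample data: two customers (100 and 200), three users, two rows.
USERS: Dict[int, User] = {
    1: User(1, 100, "admin"),
    2: User(2, 100, "employee"),
    3: User(3, 200, "employee"),
}
RECORDS: Dict[str, Record] = {
    "r1": Record(100, "customer 100 survey"),
    "r2": Record(200, "customer 200 survey"),
}

# Server-side session store: random token -> (user id, expiry epoch seconds).
SESSIONS: Dict[str, Tuple[int, float]] = {}
# Alarms raised on cross-tenant access attempts (an admin would review these).
ALARMS: list = []


def issue_session(user_id: int, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Create a session for an already-authenticated user.
    Only the random token goes into the cookie; the password never does."""
    token = secrets.token_urlsafe(32)          # 256 bits of randomness
    SESSIONS[token] = (user_id, (now or time.time()) + ttl)
    return token


def cookie_header(token: str) -> str:
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def user_from_cookie(token: str, now: Optional[float] = None) -> Optional[User]:
    """Match the cookie value back to a user; unknown or expired tokens give None."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user_id, expiry = entry
    if (now or time.time()) >= expiry:
        SESSIONS.pop(token, None)
        return None
    return USERS.get(user_id)


def fetch_record(token: str, record_id: str, required_roles: Set[str]) -> str:
    """One API transaction: session -> tenant match -> role check -> data."""
    user = user_from_cookie(token)
    if user is None:
        raise UnauthorizedAccess("Unauthorized Access")
    rec = RECORDS.get(record_id)
    if rec is None:
        # Unknown row: same error as a foreign row, so existence is not leaked.
        raise UnauthorizedAccess("Unauthorized Access")
    if rec.customer_id != user.customer_id:
        # Tenant mismatch: return the error and raise an alarm for admins.
        ALARMS.append(f"user={user.id} customer={user.customer_id} "
                      f"attempted record={record_id} of customer={rec.customer_id}")
        raise UnauthorizedAccess("Unauthorized Access")
    if user.role not in required_roles:
        # Right tenant, wrong role: e.g. an employee on an admin-only view.
        raise UnauthorizedAccess("Unauthorized Access")
    return rec.payload


if __name__ == "__main__":
    tok = issue_session(2)                      # employee of customer 100
    print(cookie_header(tok))
    print(fetch_record(tok, "r1", {"admin", "employee"}))
    for attempt in (("r2", {"employee"}), ("r1", {"admin"})):
        try:
            fetch_record(tok, *attempt)
        except UnauthorizedAccess as exc:
            print(attempt[0], "->", exc)
    print("alarms:", ALARMS)
```

The tenant check runs before the role check on purpose: a user with a powerful role in one customer account still never sees another customer's rows, and only the cross-tenant case produces an alarm, since it is the one that signals either a bug in the security layer or a deliberate probe.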
Sharing of data
Your data is not shared. None of your data will be shared with anyone unless you approve the use of a third-party service.
Right to Access Database
Our database is located under physical security measures in the Amazon AWS Frankfurt data center.
We grant access to our database and servers only to the technical partner. We do not give server and database access to our other employees.
We do not allow the production database to be used during development. By analyzing bugs from logs and stack traces, without using customer data, we can recreate and solve the problem locally.
As a general policy, we do not access our customers' company accounts without their permission. However, if a bug needs to be analyzed together with the customer, we can do this by obtaining permission and informing them about the situation.
Monitoring
Amazon AWS offers various tools to monitor the health of our system. We monitor server metrics such as CPU, memory and network traffic with alarms.
In addition, an email is automatically sent to the software team when program errors (bugs) occur. We regularly review the log files and take the necessary actions to detect and correct any errors customers may encounter.
GDPR Compliance
Within the framework of KVKK compliance, your data will not be shared with third-party services or institutions without your knowledge. We commit to these terms in our contract. However, there are services we receive from third parties; we make these services available only if you agree to use them. At the same time, your users log in to their accounts by approving the KVKK agreement.
Deletion of Your Data
We delete your data if you request it.