Security and Privacy Overview
At CKEditor, we care deeply about security and privacy. Our Cloud Services are built on a strong, flexible system that protects your data with advanced security measures and constant monitoring. We are certified to SOC 2 Type I standards, which means we follow the industry’s best practices to keep your data secure, available, and private. We also believe in being open and honest, so we keep you informed about our operations.
# Infrastructure and Hosting on AWS
CKEditor Cloud Services uses Amazon Web Services (AWS) for hosting. AWS is a well-known and trusted cloud platform that offers strong security, efficient scalability, and support for regulatory compliance. By choosing AWS, we ensure our services run on a safe and strong system. This helps us provide our users with the best performance, reliability, and data protection.
# Global Infrastructure
We operate within the US East (Northern Virginia) AWS region and use AWS services such as:
- AWS ECS to manage containerized applications. ECS provides a highly scalable and reliable way to orchestrate workloads, ensuring automatic scaling and distribution of resources to handle traffic spikes.
- AWS ALB to efficiently distribute traffic. This helps maintain performance and availability, even if some instances experience heavy load or failure.
- AWS RDS, a database engine that provides automated backups, multi-AZ replication, and point-in-time recovery.
- AWS ElastiCache for in-memory caching, ensuring faster response times for our users.
- AWS SNS/SQS for reliable message queuing, enabling asynchronous communication in the system.
# AWS Security Services
AWS provides a wide range of built-in security services that enhance our platform’s protection:
- AWS GuardDuty actively protects our system. It always watches for suspicious or unauthorized activity in our AWS environment, helping us quickly spot and respond to any possible security threats.
- AWS Security Hub provides centralized security monitoring and compliance checks across the entire AWS infrastructure.
- AWS AppConfig manages dynamic configuration changes across applications, allowing us to safely and quickly deploy configuration updates without impacting the system’s security or stability.
- AWS Config continuously monitors and assesses the configuration of our AWS resources to ensure compliance with internal security policies and best practices. AWS Config helps us track configuration changes and identify resources that may be non-compliant.
- AWS CloudTrail records and logs all API activity and changes across our AWS infrastructure, providing complete visibility into user actions for auditing and incident response purposes. CloudTrail ensures a comprehensive audit trail of every action taken on our resources.
- AWS Certificate Manager (ACM) automatically manages and provisions SSL/TLS certificates to secure our application traffic. This ensures all communication is encrypted, providing secure connections between the user and our services.
- AWS Secrets Manager protects sensitive data, such as all configurations and database credentials, by securely storing and managing access to secrets.
- AWS Key Management Service (KMS) handles cryptographic keys for encrypting data, ensuring strict control and compliance with industry standards.
- AWS CloudWatch collects and monitors real-time logs, performance metrics, and application data to detect security and operational anomalies.
# AWS Compliance
AWS complies with a wide range of global security and compliance certifications, including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and GDPR. CKEditor Cloud Services benefits from these certifications, inheriting the strong security posture of the AWS cloud.
# Virtual Private Cloud (VPC)
All components of CKEditor Cloud Services are hosted on an AWS VPC, which provides network isolation. Public access is limited to load balancers, and all other components are protected behind strict security controls such as Security Groups, Network Access Control, and VPN access.
# Security Groups
To control the traffic allowed into and out of our instances, we rely on AWS Security Groups. These groups are configured with strict and restrictive firewall rules, ensuring only authorized traffic can interact with our systems. This approach significantly enhances the security of our platform. Network access control lists provide an additional security layer operating at the subnet/network level.
# Web Application Firewall (WAF)
We use AWS WAF to protect our system from common web attacks. This includes things like SQL injection and cross-site scripting (XSS). The WAF constantly updates its protection rules to defend against new threats.
# DDoS Protection
To defend against Distributed Denial of Service (DDoS) attacks, we use AWS Shield Advanced. This managed DDoS protection service protects our web applications at network and application levels. AWS CloudFront and Route 53 also provide additional layers of DDoS mitigation by distributing traffic and reducing the attack surface.
# High Availability and Disaster Recovery
Ensuring high availability and resilience is fundamental to CKEditor Cloud Services.
# Multi-Zone Redundancy
Our services are deployed across multiple AWS availability zones. This means if one location has problems, we can quickly switch to another. This keeps our service running smoothly without interruptions.
# Data Replication
Databases are continuously replicated across multiple availability zones, providing redundancy and fault tolerance. When an availability zone becomes unavailable, the system automatically switches to another.
# Data Backup and Recovery
CKEditor Cloud Services automatically backs up customer data with point-in-time recovery capabilities for up to 7 days. Backups are securely encrypted and stored in multiple AWS locations, ensuring the highest levels of redundancy and data protection.
# Disaster Recovery Plan
We have a thorough plan to quickly get our systems back up and running if something goes wrong. We regularly test this plan to make sure it works well. This helps us keep our services available even in the event of a major problem.
# 99.99% Uptime SLA
Our infrastructure is designed to deliver a 99.99% uptime SLA, supported by AWS’s highly reliable services.
# Data Security and Encryption
Data security is at the heart of CKEditor Cloud Services, and we implement strong encryption and access control measures to protect sensitive information.
# Encryption at Rest and in Transit
All data is encrypted using AES-256 at rest, and TLS 1.2+ encryption is enforced for all communications in transit. This ensures that data is securely transmitted and stored without exposure to unauthorized access.
# Data Isolation
We isolate customer data using separate encryption keys for each customer and environment. This ensures that customer data is fully segregated and protected from unauthorized access.
# Key Management
Our encryption keys are managed using AWS Key Management Service (KMS), which ensures that all cryptographic operations meet the highest security standards.
# Access Control and Identity Management
Access control is tightly enforced across CKEditor Cloud Services, ensuring only authorized personnel can access critical systems and data.
# Role-Based Access Control (RBAC)
Permissions are assigned based on roles, ensuring that users have access only to the data and systems necessary for their job functions. Regular access reviews ensure that permissions remain appropriate over time.
# Multi-Factor Authentication (MFA)
We enforce MFA for all privileged access to the CKEditor Cloud Services infrastructure. This additional layer of protection ensures that even if credentials are compromised, unauthorized access is prevented.
# Single Sign-On (SSO)
Internal access to systems is centralized using Google SSO, minimizing password management risks and improving security.
# Access Audits
We perform regular access audits, logging all access attempts and monitoring for any suspicious activity. All changes to access rights are logged and can be audited for compliance and security purposes.
# Application and Code Security
At CKEditor, we follow a secure Software Development Life Cycle (SDLC), ensuring security is embedded in every stage of development.
# Code Reviews
All changes to our code are carefully checked by engineers. This helps catch any potential security problems before they can affect our live system. We do this to make sure our code is safe and works well.
# Automated Code Analysis
We use static code analysis tools to automatically scan code for vulnerabilities and insecure practices. These scans ensure that every line of code adheres to security standards (for example, OWASP Top Ten).
# Automated Testing
All code is subject to automated unit testing and integration testing to validate its functionality and security.
# Quality Assurance (QA) Testing
Our QA team conducts manual and automated testing on all updates before they are deployed to production. This includes security testing, performance testing, and functional validation to ensure the application’s integrity and security.
# Continuous Integration/Continuous Deployment (CI/CD)
Our CI/CD pipeline ensures that all deployments to production are automated and pass through multiple layers of security checks. Only code that meets strict security and performance criteria is allowed to be deployed.
# Vulnerability Management and Patch Updates
We take a proactive approach to identifying and mitigating vulnerabilities across our systems.
# Continuous Vulnerability Scanning
We use automated tools to continuously scan our infrastructure and applications for known vulnerabilities. These scans reference the latest Common Vulnerabilities and Exposures (CVE) database.
# Penetration Testing
We engage third-party security experts to perform annual penetration testing of our systems, identifying potential vulnerabilities and ensuring our security posture remains robust.
# Timely Patch Management
Our patch management policy ensures that security patches are applied promptly to mitigate potential risks. Critical patches are prioritized for immediate deployment, while non-critical updates are tested before implementation.
# Security Monitoring and Incident Response
We continuously monitor our environment for security and performance, ensuring that any issues are swiftly identified and resolved.
# Real-Time Monitoring
Using AWS CloudWatch, AWS GuardDuty, and AWS Security Hub, we continuously monitor for security events, performance metrics, and operational anomalies. If suspicious activity is detected, automated alerts are generated for immediate investigation.
# Automated Alerts
Any abnormal activity, such as unauthorized access attempts or unusual traffic patterns, triggers real-time alerts. Our team reviews these alerts to prevent potential incidents.
# Incident Response Plan
CKEditor Cloud Services has a clear plan for handling all security and reliability problems. This plan explains how we find, investigate, and fix issues. After each incident, we do a post-mortem analysis and review to determine why it occurred and improve our system to prevent similar incidents in the future.
# Audit Logs
We maintain detailed audit logs of all actions taken in production environments, ensuring transparency and accountability. Logs are securely stored and available for review during security investigations or audits.
# Observability and Continuous Testing
To ensure high availability and a seamless user experience, CKEditor Cloud Services continuously tests and monitors its applications through real-user simulations.
# Performance Monitoring
We monitor key performance indicators (KPIs) such as network usage, CPU and memory utilization, latency, request processing time, and more. All metrics are stored in Prometheus and Grafana. Any deviation from expected performance levels triggers alerts and investigations by our operations team.
# Test Bots
We employ automated bots that simulate fundamental user interactions with the system regularly (every 10 minutes), continuously testing for performance, reliability, and potential issues. These bots help identify potential bottlenecks or problems before they impact customers.
# SOC 2 Type I Certification
As of August 2024, CKEditor Cloud Services is SOC 2 Type I certified, demonstrating our adherence to the highest security, availability, and confidentiality standards.
# Security Controls
Our SOC 2 certification confirms that we have implemented robust security controls to protect customer data from unauthorized access, ensuring compliance with industry best practices.
# Global Privacy Compliance
We comply with key global privacy regulations, including GDPR, ensuring your data is handled with the utmost care and transparency.
# Vendor and Subprocessor Management
CKEditor Cloud Services partners with trusted vendors to deliver reliable and secure services. We ensure all subprocessors comply with strict security and privacy requirements.
# Amazon Web Services (AWS)
Our primary hosting provider is AWS, compliant with SOC 1, SOC 2, ISO 27001, and GDPR. AWS’s infrastructure provides a secure foundation for CKEditor Cloud Services, ensuring high availability and data security.
# Annual Subprocessor Reviews
We perform annual reviews of all subprocessors to ensure they maintain compliance with industry standards and regulatory requirements, including SOC 2 and GDPR.
# Security Contact
If you have any questions or concerns about CKEditor Cloud Services’ security policies and practices, please get in touch with our team at security@ckeditor.com.