Overview

Keeping our customers' data secure at all times is our highest priority. This security overview provides a high-level description of the security practices we have implemented to achieve this goal.
Have questions or comments? Please feel free to contact us at [email protected]

Dedicated Security Team

Our security team is made up of security experts dedicated to improving the security of our organization. Our employees are trained in security incident response and are available 24/7.

The Infrastructure

Cloud Infrastructure

All of our services run in the cloud. We do not host or run our own routers, load balancers, DNS servers or physical servers.
Our service is based on Oracle Cloud, which provides strong security measures to protect our infrastructure and holds most major certifications. You can read more about their practices here:
– Oracle Cloud

Data Center Security

Our data center is located in Brazil. It is a Tier IV, PCI DSS, and ISO 27001 compliant installation.
Our servers are physically separate from other data center customers.
Data center facilities are secured 24/7 with multiple security measures (guards, CCTV, electronic access control, etc.). Monitoring and alerting are in place for security, power, HVAC and temperature violations.

Network Level Security Monitoring and Protection

Our network security architecture consists of multiple security zones. We monitor and secure our network to ensure that no unauthorized access takes place, using:
– A virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
– A firewall that monitors and controls inbound and outbound network traffic.
– IP address filtering.

DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Data Encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS) configured according to industry best practices. You can see our SSL Labs report.
Encryption at rest: All of our user data (including passwords) is encrypted at rest using proven database encryption algorithms.

Data Retention and Removal

We retain your usage data for a period of 90 days, after which all data is completely removed from the dashboard and the server.
Each user can request removal of usage data by contacting support.
Read more about our privacy settings at AgênciaColors Privacy Policy.

Business Continuity and Disaster Recovery

We back up all of our critical assets and regularly test restoring those backups to ensure a quick disaster recovery. All of our backups are encrypted.

Application Security Monitoring

– We use a security monitoring solution to gain visibility into our application security, identify attacks, and respond quickly to a data breach.
– We use tooling to monitor exceptions and logs and to detect anomalies in our applications.
– We collect and store logs to provide an audit trail of activity for our applications.
– We use distributed (open) tracing to monitor our microservices.

Application Security Protection

– We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time.
– We use security headers to protect our users from attacks. You can check our grade on this security scanner.
– We use security automation: features that automatically detect and respond to threats targeting our applications.

Secure Development

We develop following best practices and security frameworks (OWASP Top 10, SANS Top 25). We use the following practices to ensure the highest level of security in our software:
– Developers attend regular security training to learn about common vulnerabilities and threats.
– We review our code for security vulnerabilities.
– We regularly update our dependencies and ensure none of them have known vulnerabilities.
– We use static application security testing (SAST) to detect basic security vulnerabilities in our codebase.
– We use dynamic application security testing (DAST) to verify our running applications.
– We engage third-party security experts annually to perform penetration tests of our applications.

Responsible Disclosure

We encourage anyone who practices responsible disclosure and abides by our policies and terms of service to participate in our bug bounty program.
Avoid automated testing and only run security tests against your own data. Please do not release any information about a vulnerability until we have fixed it. Bounties are awarded at our discretion depending on the criticality of the reported vulnerability.

You can report vulnerabilities by contacting [email protected]. Include a proof of concept. We will respond as quickly as possible to your submission and will not take legal action if you follow the rules.

Scope
– agenciacolors.digital/*

Exclusions
– *.agenciacolors.digital
– *.agenciacolors.tech

The accepted vulnerability classes are as follows:
– Cross-Site Scripting (XSS)
– Open redirect
– Cross-Site Request Forgery (CSRF)
– Command, file or URL inclusion
– Authentication issues
– Code execution
– Code or database injection

This bug bounty program does NOT include:
– Logout CSRF
– Account/email enumeration
– Denial of Service (DoS)
– Attacks that could harm the reliability/integrity of our business
– Spam attacks
– Clickjacking on pages without authentication and/or sensitive state changes
– Mixed content warnings
– Lack of DNSSEC
– Content spoofing / text injection
– Timing attacks
– Social engineering
– Phishing
– Insecure cookie flags on non-sensitive cookies or third-party cookies
– Vulnerabilities that require extremely unlikely user interaction
– Exploits that require physical access to a user's machine

User Protection

Two-factor authentication: We provide a two-factor authentication mechanism to protect our users from account takeover attacks. Enabling this extra security measure is optional, but highly recommended to increase the security of sensitive data.

Account takeover protection: We protect our users against account compromise by monitoring and blocking brute-force login attacks.

Single sign-on: Single sign-on (SSO) is offered for our enterprise customers.

Role-based access control: Role-Based Access Control (RBAC) is offered on all of our accounts and allows our users to define roles and permissions.

Compliance

GDPR/LGPD

We are GDPR/LGPD compliant. The purpose of the GDPR/LGPD is to protect the private information of citizens of the European Union and Brazil and to give them more control over their personal data. Please contact us for more details on how we comply with the GDPR/LGPD.

Payment Information

All payment instrument processing is securely outsourced to Stripe and GerenciaNet, which are certified as PCI DSS Level 1 Service Providers. We do not collect any payment information and therefore are not subject to PCI obligations.

Employee Access

– Our strict internal procedures prevent any employee or administrator from having access to user data. Limited exceptions can be made for customer support.
– All our employees sign a Non-Disclosure and Confidentiality Agreement upon joining the company to protect our customers' confidential information.
