Version: May, 2018
Mynewsdesk AB, headquartered in Stockholm, is a modern SaaS company that uses third-party cloud providers, open-source software and modern agile product development processes to provide a competitive product in a fast-moving landscape.
Mynewsdesk's security measures are compliant with applicable law and follow industry security standards for cloud services.
Mynewsdesk is owned by NHST, which governs all companies in the group with an information security policy.
Technical and organisational measures
Mynewsdesk is hosted by Hetzner, Redpill Linpro and AWS, who continuously monitor for security threats and act accordingly.
Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Hetzner and Redpill Linpro are certified in accordance with ISO 27001.
Servers for AWS, Hetzner and Redpill Linpro are located within the EU.
Mynewsdesk services have a goal of 99.99% availability on a yearly basis. Our hosting partners enable high availability by providing automatic fail-over and avoiding single points of failure. The health status of Mynewsdesk services can be found on status.mynewsdesk.com.
Mynewsdesk is written in the web framework Ruby on Rails, whose security has been tested by the open-source community. Mynewsdesk Technologies are built in Java and Python. Applications run in security-patched Linux environments. Internal backend services communicate over authenticated and encrypted channels, using industry-standard encryption methods and leveraging Extended Validation (EV) certificate handling.
Employees and consultants at Mynewsdesk may be granted access to production data at granular levels. Two-factor authentication is enabled where applicable. Changes to customers' content through the services are logged.
Mynewsdesk performs backups of customer data. Backups of customer data are kept for 30 days for system recovery. Application logs are stored in separate systems and are retained for a longer time for information security consistency.
Mynewsdesk uses automated third-party services to analyze code changes for security vulnerabilities. The applications are also penetration-tested by external parties that report vulnerabilities with CVSS scores. Libraries are automatically scanned for security upgrades by third-party services.
Privacy By Design
Mynewsdesk works proactively with security and with how we handle personal data in our development process, as set out by the Privacy by Design methodology. Our process follows checklists for the processing of personal data, including the use of encryption or pseudonymization to prevent data breaches.
Mynewsdesk uses automated code tests to ensure that new changes don't break existing functionality. All code is also reviewed by another person before being merged into the master code tree. On top of that we have a manual QA process for testing new functionality before it is released to production.
Code updates to the production environment are done on a daily basis. Each release to production carries traceability information.
Security & Privacy Governance
Mynewsdesk has assigned Data Privacy Officers within the company who govern the technical and organisational measures for how we process personal data according to applicable law. Mynewsdesk has designated people who work together with NHST to ensure compliance with the NHST information security policy.
Employees, contractors, sub-processors
All devices of Mynewsdesk employees are individually password-protected and encrypted as defined in an internal IT policy. Employees' devices can be remotely wiped by our IT department in the event of theft or similar.
Mynewsdesk has established a routine for managing personal data breaches, with an escalation program to ensure that we can notify affected parties as soon as possible and report an incident to the Swedish data protection authority (Datainspektionen) within 72 hours.