We're obsessed with keeping your data safe. We've taken the industry standard in cloud security, matched it, and then exceeded it.
We've gone to huge lengths to ensure that your club's data is completely secure. Our system's security is regularly audited by Espion, an internationally accredited third-party security auditor. We've also ensured that Profiler complies with the OWASP Top Ten.
Communication is secured over the wire using SSL technology, and all data is fully redundant and backed up offsite on a daily basis. These backups are made using an exponential backoff policy and are stored according to Irish and EU Data Protection laws.
Access to medical information and other sensitive data is carefully controlled using Profiler's powerful permissions system, so only users who should be able to view and manage sensitive data can do so.
Each server is fully redundant, ensuring that even if a server goes down, the system stays up and running. And in the highly unlikely event that a system-wide outage should occur, we have a comprehensive disaster recovery plan to ensure that the Profiler system can come back online as quickly as possible with little or no loss of data.
Profiler's key security features include:
- 256-bit SSL encryption
- IP whitelisting
- User permissions
- Brute force prevention
- DDoS detection
- CSRF protection
- Strong password policy
- Audit trails and activity logging
For further details on our security policies and system architecture, please continue reading or contact our support team with a query.
OWASP Top Ten
The Open Web Application Security Project (OWASP) is a worldwide organisation focused on improving the security of software. Its mission is to make software security visible, so that individuals and organisations worldwide can make informed decisions about true software security risks.
Profiler has been certified by Espion Group as OWASP compliant using OWASP's latest Top Ten. This certification demonstrates just how seriously we take security. We are the only athlete management system available to have gone to such lengths to protect our customers' data. Compliance with the OWASP Top Ten means that Kitman Labs and the Profiler system have been tested against:
- SQL Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Our external security auditor (Espion Group) is one of the largest data processors in Europe. They are certified to ISO 27001 and ISO 9000. Espion are multiple winners of the Deloitte Fast 50; they have offices in Ireland, Scotland, England and Belgium, and they work with organisations across all industry sectors and business functions to identify, comply, secure and manage their most critical asset – information.
At Kitman Labs, we're proud to work alongside Espion as we constantly reassess and upgrade our security practices and protocols in accordance with industry standards. With the assistance of Espion, the Profiler system undergoes regular penetration and vulnerability tests to ensure that the system meets the strict security criteria outlined in the OWASP Top Ten.
Kitman Labs uses 256-bit SSL certificates provided by GeoTrust Inc.
Communication on the Internet is susceptible to eavesdropping and malicious tampering. To prevent this, the Profiler system uses HTTPS. This is a protocol for securing communication across the Internet and it can protect the confidentiality of sensitive, confidential or personal information such as an athlete's medical data by encrypting all traffic between the user's browser and the Kitman Labs servers.
Web apps that do not have HTTPS configured are susceptible to the following types of attack:
Man-in-the-Middle
This technique involves an attacker placing themselves between the user and the web app, serving malicious content on behalf of the web app. At Kitman Labs we defend against such an attack by combining authentication of the client with the use of strong encryption between the client and server using HTTPS.
Sniffing & Eavesdropping
This technique involves an attacker intercepting or logging network traffic to capture personal user information such as usernames and passwords. By using a secure HTTPS connection, these eavesdropping techniques will not reveal personal information, as the information is encrypted by the Kitman Labs SSL certificate across the secure connection.
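The two attacks above are defeated only if the application never serves content or cookies in the clear. The following is an added example (not Kitman Labs or Profiler code) of a small WSGI middleware that enforces that: cleartext requests are redirected to the HTTPS origin, HTTPS responses get a Strict-Transport-Security header so returning browsers refuse to downgrade, and every Set-Cookie is forced to carry Secure and HttpOnly so a session cookie is never exposed to a sniffer. The hostnames, paths and cookie values are constructed for the example; the X-Forwarded-Proto handling assumes a load balancer that terminates TLS and strips any client-supplied copy of that header.

```python
"""Added example, not Profiler's code: a WSGI middleware that refuses to
serve an application over plain HTTP and hardens HTTPS responses."""
from urllib.parse import quote

# One year, applied to subdomains too; browsers that have seen it will not
# try plain HTTP again, which removes the window for a downgrade attack.
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    """True when the request arrived over TLS, either directly or via a TLS
    terminating load balancer that sets X-Forwarded-Proto (assumption: the
    balancer strips any client-supplied copy of that header)."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def https_url(environ):
    """Rebuild the requested URL on the https scheme for a redirect."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    host = host.split(":", 1)[0]  # drop any explicit :80 port
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return "https://%s%s%s" % (host, path, "?" + query if query else "")


def harden_cookie(value):
    """Ensure a Set-Cookie value carries Secure and HttpOnly (idempotent)."""
    attrs = [a.strip() for a in value.split(";")]
    lower = [a.lower() for a in attrs]
    if "secure" not in lower:
        attrs.append("Secure")
    if "httponly" not in lower:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


class RequireHTTPS:
    """Wrap a WSGI app so it is only ever reachable over TLS."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_https(environ):
            # Redirect to the TLS origin; never serve content in the clear.
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "set-cookie":
                    value = harden_cookie(value)
                new_headers.append((name, value))
            new_headers.append(HSTS_HEADER)
            return start_response(status, new_headers, exc_info)

        return self.app(environ, secure_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the real application: sets a session cookie."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "session=abc123; Path=/")])
    return [b"athlete data"]


def run(environ):
    """Invoke the wrapped app and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(RequireHTTPS(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "profiler.example.test",
             "PATH_INFO": "/medical", "QUERY_STRING": "id=7"}
    print(run(plain))
    tls = dict(plain, **{"wsgi.url_scheme": "https"})
    print(run(tls))
```

The redirect is a 301 rather than a 302 so browsers cache it, and the HSTS header means that after the first successful HTTPS visit the browser will not even issue the cleartext request that the redirect exists to catch.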
With highly configurable granular access controls, Profiler can work seamlessly for people with all types of roles throughout your organisation – from the head coach, assistant coaches, medical staff, athletic trainers, physios, S&C staff, video analysts and more.
Each section of the system can be restricted based on a set of user permissions so only authorised staff members can access sensitive information.
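As an added illustration of the kind of check described above (example code, not Profiler's own permissions system), the following implements a deny-by-default, role-based authorisation decision: each section of the system names the permission an action on it requires, each role grants a set of permissions, unknown roles and unknown sections grant nothing, and every decision, allowed or denied, is appended to an audit trail. The roles, sections, users and permission names are constructed for the example.

```python
"""Added example, not Profiler's code: deny-by-default role-based access
control over sections of an athlete management system, with an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Permissions granted by each role (constructed).  Absence means "denied":
# a head coach never sees medical records unless also given a medical role.
ROLE_PERMISSIONS = {
    "head_coach": {"training:read", "training:write", "roster:read"},
    "assistant_coach": {"training:read", "roster:read"},
    "medical_staff": {"medical:read", "medical:write", "roster:read"},
    "physio": {"medical:read", "training:read", "roster:read"},
    "video_analyst": {"video:read", "video:write", "roster:read"},
}

# Sections of the system and the permission each action on them requires.
SECTION_PERMISSIONS = {
    ("medical", "view"): "medical:read",
    ("medical", "edit"): "medical:write",
    ("training", "view"): "training:read",
    ("training", "edit"): "training:write",
    ("video", "view"): "video:read",
    ("roster", "view"): "roster:read",
}


@dataclass
class User:
    name: str
    roles: set


@dataclass
class AuditTrail:
    """Append-only record of every authorisation decision."""
    entries: list = field(default_factory=list)

    def record(self, user, section, action, allowed):
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user.name,
            "section": section,
            "action": action,
            "allowed": allowed,
        })


def effective_permissions(user):
    """Union of the permissions of all the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def is_authorised(user, section, action, audit):
    """Decide and log; unknown (section, action) pairs are denied, not allowed."""
    needed = SECTION_PERMISSIONS.get((section, action))
    allowed = needed is not None and needed in effective_permissions(user)
    audit.record(user, section, action, allowed)
    return allowed


def load_section(user, section, action, audit):
    """Gate a data access on the check; raise rather than return data on denial."""
    if not is_authorised(user, section, action, audit):
        raise PermissionError("%s may not %s %s" % (user.name, action, section))
    return "<%s data for %s>" % (section, user.name)


if __name__ == "__main__":
    trail = AuditTrail()
    physio = User("pat", {"physio"})
    coach = User("chris", {"head_coach"})
    print(load_section(physio, "medical", "view", trail))
    try:
        load_section(coach, "medical", "view", trail)
    except PermissionError as err:
        print("denied:", err)
    for entry in trail.entries:
        print(entry)
```

Two design points matter here: the decision function is the only place data access is gated, so a new section cannot accidentally default to open, and denials are logged alongside grants, which is what makes the audit trail useful for spotting a user probing sections they should not reach.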
All data is stored in Amazon's AWS RDS service within their Irish data centre. This facility complies with EU Safe Harbour laws and allows Kitman Labs to store sensitive medical information from international sports organisations, including those in the USA.
Each day a full database backup is made and stored offsite in a second data centre. These backups can be used in the highly unlikely event of a catastrophic loss of data within the production environment. With daily backups, no more than 24 hours of data could ever theoretically be lost, but even then, with redundancy built into the storage system itself, any data loss at all is very unlikely.
Backed up data is held on our backup servers in accordance with EU Safe Harbour, Irish and EU data protection and privacy laws.
Profiler is a fully redundant system, and operates dual active-active sites. In the event of a data centre going down completely, the second data centre will immediately begin to service all system requests, with no interruption in service to the customer.
Redundancy is built into the app servers, content servers, load balancers, risk analysers, system databases, and logging facilities.