a) Physical security
Our data center’s physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, etc. Everything is monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders.
Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase.
Similar security measures are applied to hardware. The location and status of all equipment within the data centres is meticulously tracked via barcodes and asset tags, from acquisition to installation to retirement to destruction. Metal detectors and video surveillance are used to help make sure no equipment leaves the data centre floor without authorisation.
If a component fails to pass a performance test at any point during its lifecycle, it is removed from inventory and retired. When a hard drive is retired, authorised individuals verify that the disk is erased by writing zeros to the drive and performing a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed.
b) Operational security
Operational security is everything we do at Auka besides relying on our physical and technical security. For us, operational security is all about empowering our talented employees to create and provide amazing customer experiences while being able to check and make sure that everything we do is correct, accurate and in adherence with the regulatory requirements our operation is governed by.
We do this by creating and implementing operational procedures and policies that the whole organization follows. We conduct internal and external audits of our own adherence to the procedures and report to our board of directors and our regulators.
c) Technical security
As a technology company providing services to customers who trust us with their money, our technical security is crucial to our existence. Technical security breaches may be exploited at scale. This is why Auka invests heavily in this field, ranging from where we strategically choose to run our systems, what security protocols and best practices we follow, to how we implement, test and deploy new features.
For client-side security, as a general attitude, the Auka servers do not trust the client – not because the client is untrustworthy, but because the client is exposed to the world where the environment can’t be controlled. This affects the design and implementation of both the clients themselves and the APIs communicating with such clients. Secure storage is used for the consumer app, and Auka only stores what it can accept being retrieved or unlocked from the client later. Auka follows best practices and security guides for the various client-side platforms such as Android and iOS.
As for server-side security, in the Google Cloud, the main services run in a restricted sandbox that uses APIs to communicate with infrastructure services. This largely eliminates the risk of whole classes of attacks or compromise, including the common injection attacks.
All changes to our source code are reviewed by at least two approved engineers, and security-related changes are reviewed by more people, depending on the risk assessment and classification. Auka makes a point of making security and transaction handling code simple and easy to both review and audit. This also makes our source code more testable and easier to maintain in a secure fashion down the line.
While being a true innovator, Auka aspires to be as ‘boring’ as possible when it comes to security and thus adheres to established standards and best practices. Auka uses extensive automated test suites that test everything from basic functionality to security and authentication machinery, which are run on every change and during the deploy pipeline.
There are frameworks and infrastructure in place to help avoid mistakes and security issues, on everything from input validation to transactional integrity, both at runtime and for making tests fail immediately. In addition, there is an internal training program in place, focusing on secure development practices, with particular focus on areas of importance for the system, either based on previous mistakes, close calls or risk assessments.
When integrating with banks or other partners, Auka sets up integrations depending on the APIs and services provided by such external parties. Auka prefers to use client certificates to authenticate on a per-request basis, as this is considered the most secure approach. Other alternatives include VPN tunnels.
A summary of our security efforts, along with the certificates Auka holds, can also be found here.