Legalito Security
We understand that security concerns are critical, especially when dealing with the sensitive nature of data related to property transactions. That’s why we use Amazon Web Services (AWS) to host all the data and documents in our software, as it offers the scalability, security and resilience required.
In addition to the security offered at the server level, we have invested a lot of time building additional security levels into our software as well.
Although we have designed the system to be secure, we are aware that threats are constantly changing, so we regularly review both our application and server to make sure we’re always providing the security required.
AWS Server Security
- AWS was chosen from a number of options due to its resilience and proven history for security.
- We use EC2 to run our operations, our application code and our databases.
- Database access is strictly restricted to the application layer, which adds a further level of security.
- Full AWS security measures are rigorously implemented across all aspects of each server.
- Database backups are taken every 12 hours and stored in a private S3 bucket.
- All documents are also stored in a private S3 bucket.
Application Security
- HTTPS is used exclusively across the entire application for secure communication.
- AES-256 encryption is used to ensure the security of data, including encrypted cookies and session values.
- Authorization checks using policies and gates ensure that users have the appropriate permissions, and custom middleware is also used for specific security requirements.
- User passwords are stored as hashed values.
- Protection against dictionary attacks is provided by the use of throttle and rate-limiter middleware.
- Robust measures are taken to prevent SQL injection vulnerabilities, including input validation, sanitization, query binding, parameter binding, and escaping of user inputs, so that user data is never embedded directly into SQL statements.
- Measures are implemented to mitigate the risk of Cross-Site Scripting (XSS) and CSRF attacks using the Form Classes Token method, which creates a unique token for each form. This ensures that the request must originate from the application itself and that forged requests are not mistakenly accepted.
- All files uploaded to the system undergo thorough scanning using antivirus software and are stored in an S3 private bucket.
- Database security is managed carefully, with regular security upgrades, enhanced password encryption, RBAC and strict password policies, together with TLS encryption, controlled data masking, a firewall and InnoDB encrypted tablespaces.
- Finally, we have implemented application logging to track activities, errors, and security-related events. These logs are monitored for suspicious activities and potential security breaches.