Last Updated: November 16, 2017

Security Policy

Bibliopolis makes it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is handled securely. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

User Security

Authentication: User accounts have unique usernames and passwords that must be entered each time a user logs on. Bibliopolis issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

Passwords: Passwords are individually salted and hashed.

Data Encryption: Certain sensitive user data, such as credit card details and account passwords, are stored in encrypted format.

Data Portability: Bibliopolis enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.

Privacy: We have a comprehensive Privacy Policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

Physical Security

We’ve created multiple layers of redundancy, at every level — including physical security, power, cooling and networks. These redundancies help make our systems more resilient, so you can enjoy higher uptime and greater reliability. Bibliopolis servers are in data centers restricted by biometric authentication, keycards, and 24x7x365 surveillance. These help ensure that only authorized engineers have access to routers, switches and servers.

Data Residency: All Bibliopolis user data is stored on servers located in the United States.

Power: Our power systems deliver conditioned power while protecting against sags, surges, swells, spikes and electrical noise. Uninterruptible power supplies (UPS) provide instant failover for continuity during a power outage. And our on-site, always-fueled diesel generators are prepared to pick up the load quickly during extended outages.

Cooling: Our N+2 redundant chiller configuration uses a combination of centrifugal chillers, cooling towers, chilled water loop pumps and condenser water loop pumps — with redundant water sources.

HVAC: Our precision Heating, Ventilation and Air Conditioning (HVAC) environment includes HEPA-equipped air handling units that remove dust and contaminants. In the event of an HVAC system failure, we have redundant HVAC systems for immediate failover.

Network: Our robust network includes nine backbone providers, allowing us to shift traffic as needed. This configuration, co-developed with Cisco, guards against single points of failure at the shared network level (extendable to your VLAN environment).

Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.

Backup Frequency: Backups occur daily at multiple geographically disparate sites.

Network Security

Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

Firewalls: Firewalls restrict access to all ports except 80 (http) and 443 (https).

Access Control: Secure VPN, 2FA (two-factor authentication), and role-based access is enforced for systems management by authorized engineering staff.

Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Encryption in Transit: All communications with our systems are sent over TLS, SSL or PGP connections, which protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients. Our web application endpoints are TLS only and score an “A” rating on SSL Labs‘ tests. We also employ Forward Secrecy and only support strong ciphers for added privacy and security.

Vulnerability Management

Patching: Latest security patches are applied to all operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities.

Third Party Scans: Our environments are continuously scanned using best of breed security tools. These tools are configured to perform application and network vulnerability assessments, which test for patch status and basic misconfigurations of systems and sites.

Penetration Testing: External organizations perform penetration tests at least annually.

Audit Logging: We maintain and monitor audit logs on our services and systems.

Software Development Practices

Stack: We code in PHP and run on MySQL Server, Linux, and Apache.

Coding Practices: Our engineers use best practices and industry-standard secure coding guidelines which align with the OWASP Top 10.

Deployment: We deploy code dozens of times during the week, giving us the ability to react quickly in the event a bug or vulnerability is discovered within our code.

Handling of Security Breaches

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Bibliopolis learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulation, as well as any industry rules or standards that we adhere to. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.

Your Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any Bibliopolis data you download to your own computer away from prying eyes.