Security Policy
Panenco provides managed (software) delivery services to its clients when building digital products. Therefore we need access to the required information to carry out our duties. Every product we build consists of similar building blocks. This document presents a summary of our default operational and security principles.
(Last updated on 07/09/2021)
1. Scope
Digital product development as a service
Panenco offers professional services to its clients and partners in the field of digital product development. The services cover the whole spectrum, from initial strategy and ideation, through product definition and design and software and data engineering, on to go-to-market and beyond. We choose to be a partner for the long haul and assist clients and partners in the best way possible throughout the whole journey.

Ownership and responsibilities
Data owners are employees or subcontractors who have primary responsibility for maintaining information that they own, such as a product owner, product manager, chapter lead or occasionally a product team member.

Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, trials, temporary employees and volunteers.
2. Roles & responsibilities
Our whole organisation is built up around agile principles. We have a limited set of distinct roles, but a variety of specialty domains. All roles are oriented towards maximum product value delivery.

Product owner: represents in-depth knowledge of an industry and can map that into a product strategy and roadmap. The role of product owner will typically be positioned on the side of our clients/partners.

Product manager: the day to day management of a development squad is led by a product manager. He or she executes on the defined product roadmap and assigns the day-to-day responsibilities. In order to be able to complete their job successfully, product managers need extensive access to tooling (to grant the correct access rights to the correct teammates) and sometimes databases (for customer success or other purposes).

Chapter lead: domain expert who carries the responsibility for a specific specialty field in which he/she builds up knowledge and passes this knowledge along to fellow teammates. A chapter lead will traditionally have access to source code repositories for quality and review purposes. Our current chapters:

  • Product strategy
  • Product design
  • Software engineering
  • Data engineering
  • Growth
  • Operations

Product team: a dedicated team within Panenco that will work on specific product objectives. The team will consist of members from the various chapters within Panenco according to the delivery needs. Members of a product team will be limited in their access only to fulfil their specific duties.
3. Infrastructure
Hosting
We host all front-end applications and APIs on well-known public cloud platforms such as Google Cloud Platform, Amazon Web Services, Microsoft Azure, DigitalOcean or Heroku. In this manner, all the products we build are subject to the policies and certifications provided by these providers. The chosen infrastructure makes it possible to fully control and manage access rights in the corresponding interfaces. Access management is under the control of the product manager.

Environments
We work with separate development, staging and production environments. The development environment serves as the initial feature release station. The staging environment is a combination of multiple feature branches and is used for the pre-production checks. Neither the development nor the staging environment will ever contain any production data. The production environment is the actual live application which serves the end users.

Database
Every product consists of at least one database. The database(s) store(s) all application data, including personal information and salted password hashes. The database is hosted separately within the chosen infrastructure. For the overall database security, we rely fully on the protocols, guidelines and best practices that are provided by the infrastructure providers that we use to host our products under management. Access to the database shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

Backups
We have (at least) daily automatic database backups in place through the service offerings from the infrastructure providers. This limits the data loss should there ever be an outage.

API security
All communication between the application database and the frontend application happens via JWT-authorised REST API calls. Strict checks (e.g. rate limiting) are in place to protect the data layer from threats, which we identify using the STRIDE model. Every call to either read or write application data is subject to fine-grained authorization requirements. The contracts of these API endpoints are exposed for software development purposes through OpenAPI specifications.

Transport layer security: our browser based applications are secured with a mandatory SSL certificate, protecting communication between the client and the data layer.
4. Technical operations
Source code management: we use GitHub for the management of all source code. Through different branches, we can separate multiple development environments and follow a standard flow: new features are released to the development environment, then tested and pushed to the staging environment. We assure quality by thoroughly testing the entire staging environment before deploying the update to production. This ensures a stable production environment at all times. Only the necessary people inside the organisation have access to GitHub Secrets, where we store credentials for the database and other parts of the application.

Automated tests: we aim for maximum test coverage in all applications in order to make the release quality as high as possible. On the back-end side, we work with 2 types of tests: unit tests, which test smaller chunks of the application separately, and integration tests, which test an API endpoint fully from start to finish. We also write end-to-end tests (front-end driven) with Cypress, and they are automatically built into our deployment pipeline. A release will only be done once both types of tests have passed.

Deployment rights and authorization: we have a strict hierarchy in place for code merging (in GitHub). We work with 2 key branches: 'main' and 'staging', accompanied by multiple feature branches. We have specific feature branches for specific functionalities that are developed. An automatic deployment is in place when functionalities are merged to these key branches. When the code is merged, automated tests are run. Only specific people with the necessary experience are granted the right to review feature branches and merge those into staging or merge the staging version into production. This assures code quality and also limits the access rights to the environments that matter most and that contain personal data.
5. Tooling
We rely on various tools to fulfil our duties. Below we give an overview of the most commonly used tools per chapter:

General:
  • Communication: Slack, Gmail
  • Task management: Trello, GitLab issues, JIRA, and others
  • Documentation: GitHub, Google Docs

Product design:
  • Product design: Figma (or alternatives)
  • Marketing design: Adobe Creative Cloud suite, Wix

Web engineering:
  • IDE: Visual Studio Code, PHPStorm and others
  • DBMS
  • Transactional email traffic: SendGrid, ActiveCampaign, Mailgun

Data engineering:
  • Business Intelligence: PowerBI, Google Data Studio, Tableau
  • Data science: R Studio and others

Growth:
  • Marketing: specific tooling for social media campaigns and performance monitoring
  • Analytics: Google Analytics, Google Tag Manager, Google Data Studio
  • Billing & payments: Stripe and Stripe Billing
  • Customer success: Intercom, ActiveCampaign
  • Sales: HubSpot CRM
6. Operational security
Individual responsibilities for all employees or contractors at Panenco:
  • All employees and contractors must lock their screens whenever they leave their desks to reduce the risk of unauthorised access
  • All employees and contractors must keep their workplace clear of any sensitive or confidential information when they leave
  • All employees and contractors must keep their passwords confidential and not share them
Application and Information Access
  • All employees and contractors shall be granted access to the data and applications required for their job roles
  • All employees and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from management
7. Enforcement
Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their contract terminated.

Panenco bv reserves the right to make changes to this Security Policy, and will reflect the date of the last changes at the top of the document.
8. Related documents
Amendments

In order to take action on the basis of your feedback or to clarify changes made in our default Security Policy, this policy may be amended from time to time. The top of the page will always indicate the date of the last change.

ISO27001 certification

We will be applying for ISO27001 certification in the second half of 2021.

Questions?

In case of questions, please don't hesitate to reach out to info@panenco.com. Great partnerships or supplier relationships need to be backed by a security setup.