Security

Password management

The platform follows current password policy recommendations from reputable security institutes, including the Centre for Cyber Security (CFCS).

PBKDF2 is used for hashing passwords with a minimum of 10,000 iterations.

Hosting

The platform is hosted by Microsoft Azure, and redundant data centres are used within a region to minimise the risk of data loss. Customers are generally hosted exclusively in the EU. On request, additional hosting is offered in the USA and China. For compliance reasons, China is a separate platform and is completely disconnected from the EU and the USA.

The following regions are used:

• Hosting in the EU (default). Azure West Europe and Sweden Central are used.
• Hosting in the United States. Azure South Central US is used.
• Hosting in China. Azure China North 3 is used.

New hosting regions are added as needed.

Disaster recovery

The platform is built with disaster recovery in mind. The platform is spread across multiple regions. Within each region, Azure Availability Zones are used to support operations in the event of a breakdown in a given zone.

Monitoring

The platform is built around Open Telemetry and uses this to monitor both infrastructure and application code. Data is sent to a central platform that allows for correlation of data across infrastructure and application code.

Backup

The platform has daily backup of data and stores data up to 5 years with the possibility of recovery. All databases are backed up daily and stored according to the following schedule:

• Daily backups are stored for 3 months
• Weekly backups are stored for 12 months
• Monthly backups are stored for 5 years

Blob storage (files) uses Zone redundant storage and is stored according to the following schedule:

• Data replicates across 3 data centres within a region (never replicates out of the region)
• Soft delete is enabled, and data will be stored for 5 years after erasure

Access and authentication

Access to customer data is limited to a small number of employees. All data is sent encrypted via HTTPS, and the platform uses the Zero-trust corporate network principle so that access to Champ’s office network does not give increased rights to the Azure production environment. Champ forces a strong employee password policy and requires Multi-factor Authentication (MFA) where possible, including Azure, Github and Azure DevOps.

Encryption

All data on the platform is encrypted "in-transit" and "at-rest". The platform uses HTTPS for all communication and forces TLS 1.2 as a minimum. All data is encrypted with AES-256 on storage. The platform scores high in general tests for server configuration and TLS setup. Specifically, the platform receives an A+ rating at Qualys SSL Labs. The platform also uses HSTS and Perfect Forward Secrecy.

Vulnerability scans

Champ uses third-party tools to scan the solution during development and before each release.

Among others, CrowdStrike Falcon is used as the Endpoint Detection and Response (EDR) solution on all servers to secure the platform, and CrowdStrike Cloud Security is also used to evaluate infrastructure setup and ensure compliance on container images. Github Dependabot and Trivy are also used to scan vulnerabilities in the application code.

Also, automatic scanning of network infrastructure is performed daily and at each deployment for both test and production environments.

To document the level of security in the platform, a Penetration Test is carried out annually by an independent security company.