Security

General

Data on employee training, skills and instructions is often business-critical knowledge, so security in the platform is a high priority. The platform has been developed according to ISO 27001 and follows current GDPR legislation. Furthermore, the security level is documented through vulnerability scans, code reviews, code analysis and a penetration test carried out by an impartial security company.

"It's among the best secured of solutions I've seen."
- Frederik Raabye | Security Consultant & Systems Developer | Dubex

Product security

Password

The platform enforces password complexity and uses PBKDF2 for password hashing.

Uptime

The platform has a historical uptime of more than 99.5%.

Security best practices

Champ encourages customers to follow common security best practices, such as using long passwords and managing privilege levels on the platform.

Network and application security

Hosting

The platform is hosted in Microsoft Azure. Champ offers data residency in the EU and in China.

Disaster recovery

The platform is built with disaster recovery in mind. It is spread over 3 Azure availability zones and will therefore continue normal operation if one of these zones fails.

Monitoring

The platform uses Microsoft Application Insights for logging and auditing of activities, response times, error rates and data access.

Backup

The platform takes a daily backup of data and retains backups for 5 years, with the possibility of recovery.

All virtual machines and databases are backed up daily and saved according to the following:

  • Daily backups are saved for 3 months
  • Weekly backups are saved for 12 months
  • Monthly backups are saved for 5 years

Blob (media) storage uses Zone redundant storage and is saved according to the following:

  • Data is replicated across 3 data centers within Western Europe
  • Soft delete is activated and data will be stored for 5 years after deletion

Access and authentication

Access to customer data is limited to a small number of Champ employees. All data is sent encrypted via HTTPS, and the platform follows the "zero-trust corporate network" principle, so that access to Champ's corporate network does not grant increased rights to the production environment in Azure. Champ enforces a strong password policy for employees and requires multi-factor authentication (MFA) where possible, e.g. on Azure, GitHub and Azure DevOps.

Encryption

All data on the platform is encrypted in transit and at rest. The platform uses HTTPS for all communication and enforces a minimum of TLS 1.2. All data is encrypted with AES-256 when stored. The platform scores highly in general tests of server configuration and TLS setup; specifically, it receives an A+ rating from Qualys SSL Labs. The platform also uses HSTS and Perfect Forward Secrecy.

Penetration tests and vulnerability scans

Champ uses third-party tools to scan the solution for vulnerabilities during development and before each release. Champ also has a penetration test performed annually.

Penetration test

In order to document the level of security in the platform, a penetration test is carried out at least annually by an impartial security company. The latest penetration test was carried out by Dubex in April 2022 with the following conclusion:

"Based on the few issues found and general observations, the host and applications in scope were found to follow current best practices for secure development of web-based applications. The underlying infrastructure was found to follow current best practices for secure web application server configuration. The application was found to have an overall risk score of LOW based on the OWASP Risk Rating Methodology."
- Conclusion from penetration test performed by Dubex | April 2022