Product Security#
Access Security#
We do not store any user credentials. User authentication is delegated to your own identity provider. You can deactivate any user to block their access to the meritboost application.
Role-Based Access Control#
meritboost uses role-based access control. Customers may organize users into role groups and manage access details for each role.
Code Analysis#
The meritboost code is periodically scanned by code analysis tools to identify security and other problems. (TODO)
Credential Management#
We manage all secrets in secure tools and rotate keys on a regular basis. (TODO)
SBOM#
Our list of dependencies, including direct and indirect open source third-party dependencies, that are part of our cloud product ... (TODO)
Software Development Lifecycle#
We use CI/CD pipelines to manage the Software Development Lifecycle. We employ branch protection on the branches that are used to build production builds of our software. Each release gets a version number based on semantic versioning.
Every pull request into these branches can only be merged after passing all automated tests and after peer review. (TODO)
Vulnerability and Patch Management#
We have set up an automated dependency management process to track the upstream dependencies of our products. The engineering team is automatically and privately notified when security issues are found in a dependency.
Depending on criticality, fixes are either deployed in the regular release cycle or shipped as a hotfix, published as a security advisory on GitHub, and clients are informed. (TODO)
Firewall Protection#
We use firewalls to defend our services against denial-of-service and web attacks. (TODO)
Data Access#
Employees are only granted permissions based on the principle of least privilege. Permissions are reviewed on a regular basis, at least once per year, to identify any excessive or outdated permissions.
Logging#
We collect detailed access logs on services and company resources. These logs are monitored both automatically and manually on a regular basis.