Security Measures and Data Protection

About ChainSec

ChainSec is a Swedish service that helps companies across Europe improve their cybersecurity through digital tools for supply chain security. The service is operated by Fiive AB (Org. no. 559457-1563) with offices in Gothenburg, Sweden.

Technical Platform

Our application is built on modern, well-established technologies:

• •Frontend: React with TypeScript
• •Backend: Node.js with Express and TypeScript
• •Database: MongoDB Atlas with professional management and automatic backups
• •Cloud Infrastructure: Amazon Web Services (AWS) with data center in Stockholm
• •File Storage: AWS S3 with encrypted storage

Authentication and Access Control

Multi-Factor Authentication (MFA)

We recommend that all user accounts are protected with two-factor authentication via time-based one-time passwords (TOTP) using common authentication apps.

Session Management

• •Secure, encrypted sessions with automatic logout during inactivity
• •HttpOnly and Secure cookies in production
• •CSRF protection (Cross-Site Request Forgery) via a secure cookie and application-specific header that verify requests originate from our application.
• •Automatic account lockout after repeated failed login attempts

Password Security

• •Industry-leading encryption (bcrypt) for secure password storage
• •Secure access tokens generated with strong cryptographic entropy
• •Secure password reset with time-limited links

Data Security

Encryption

• •Data in transit: TLS 1.2+ (HTTPS) for all communication between client and server
• •Data at rest: MongoDB Atlas encryption and AWS S3 AES-256 server-side encryption
• •Database communication: TLS-encrypted connection in production
• •Cookies: Encrypted session cookies with HttpOnly and Secure flags

Database and Storage

• •MongoDB Atlas with professional management and automatic backups
• •AWS S3 for encrypted file storage with AES-256 encryption
• •Geographic data storage location: Sweden (Stockholm region)

Input Validation and Sanitization

• •Automatic protection against NoSQL injections
• •Protection against XSS (Cross-Site Scripting) through input sanitization
• •Strict validation of file uploads with restrictions on MIME type and size
• •Timing-safe comparisons for tokens to prevent timing attacks

Network Security

Web Application Firewall (WAF)

AWS Web Application Firewall (WAF) protects our application against common web exploits and attacks. The WAF filters and monitors HTTP/HTTPS traffic according to configured security rules, including protection against OWASP Top 10 vulnerabilities and DDoS attacks.

Rate Limiting

To protect against overload attacks and automated threats, we use comprehensive rate limiting for API calls, login attempts, password resets, and bulk operations. These limits are dynamically adjusted based on security threats and usage patterns.

HTTP Security Headers

The application is protected with modern HTTP security headers:

• •Content-Security-Policy: Restricts which resources can be loaded
• •Strict-Transport-Security (HSTS): Forces HTTPS connections
• •X-Frame-Options: Protects against clickjacking attacks
• •X-Content-Type-Options: Prevents MIME type sniffing
• •Referrer-Policy: Controls information leakage
• •Permissions-Policy: Restricts access to sensitive browser features

Cross-Origin Resource Sharing (CORS)

Strictly configured resource sharing policy that only allows requests from approved origins.

Monitoring and Logging

Security Logging

• •Detailed logging of all authentication attempts
• •Audit trails for security events
• •Automatic alerts for suspicious activities
• •Secure and redundant log storage in the cloud

Error Tracking and Incident Management

Advanced error tracking and incident management in production, enabling rapid identification and response to security incidents.

Cloud Security (AWS)

Our infrastructure runs on Amazon Web Services with:

• •IAM-based access control (Identity and Access Management)
• •Encrypted file storage in S3 with AES-256
• •Network isolation between services
• •Regular security updates
• •Data center in Sweden (Stockholm region)

Regular Security Audits

We perform continuous security monitoring and regular:

• •Vulnerability analysis of application code
• •Continuous updates of dependencies and libraries
• •Security analysis of infrastructure
• •Independent security assessments

Development Security

• •Automated security testing in development pipeline
• •Code review with security rules
• •Automatic scanning of dependencies for known vulnerabilities
• •Secure development practices and code reviews

Contact Us

For questions about security or data protection:

• •Email: info@chainsec.se
• •Website: www.chainsec.se