Infrastructure Hardening
Production and staging run on Google Cloud Compute Engine instances in multi-zone VPC networks, secured behind an HTTP/2-enabled Load Balancer. All ingress/egress traffic is encrypted with TLS 1.3 certificates provisioned via Let’s Encrypt (Certbot) and auto-renewed. Instances are hardened according to CIS benchmarks and receive automated OS patching.
Data Encryption & Access Controls
We store customer data in a dedicated MongoDB replica set with the WiredTiger encrypted storage engine (AES-256). In-transit data uses TLS 1.3. Access is restricted via GCP IAM roles and service accounts under the principle of least privilege. SSH access requires key-based auth with 90-day rotation.
Identity & Authentication
- MFA Enforcement: Admin consoles protected by multi-factor authentication (TOTP/U2F).
- JWT & Keys: API clients authenticate using JWTs signed with RSA-2048 key pairs.
Monitoring & Incident Response
- Cloud Monitoring & Logging: Aggregates system, audit, and application logs with 90-day retention.
- Sentry: Real-time error tracking and performance alerts.
- Alerting: PagerDuty notifications for P1/P2 incidents with 1-hour acknowledgment SLA.
Email & Payments
- SendGrid: Configured with DKIM, SPF, and DMARC for authenticated email delivery.
- Stripe: Uses Stripe Checkout (PCI DSS Level 1) so no card data is stored on our servers.
Secure Development Lifecycle
- GitHub PRs: Branch protection, mandatory peer reviews, and enforced code coverage.
- CI/CD & Scans: Automated unit/integration tests, ESLint, and Dependabot security updates on every push.
- Dependency Management: NPM audit and GitHub Security Alerts monitored weekly.
Standards & Certifications
We align our controls with ISO 27001:2013 and SOC 2 Type II frameworks. A formal SOC 2 audit is scheduled for Q3 2025.
Full Compliance Documentation
For detailed network diagrams, policy matrices, and audit reports, please email hello@interworky.com. Sensitive implementation details are redacted here for security.