Compliance & Security

Infrastructure Hardening

Production and staging run on Google Cloud Compute Engine instances in multi-zone VPC networks, secured behind an HTTP/2-enabled Load Balancer. All ingress/egress traffic is encrypted with TLS 1.3, using certificates provisioned via Let’s Encrypt (Certbot) and auto-renewed. Instances are hardened according to CIS benchmarks and receive automated OS patching.

Data Encryption & Access Controls

We store customer data in a dedicated MongoDB replica set with the WiredTiger encrypted storage engine (AES-256). Data in transit uses TLS 1.3. Access is restricted via GCP IAM roles and service accounts under the principle of least privilege. SSH access requires key-based authentication with 90-day key rotation.

Identity & Authentication

  • MFA Enforcement: Admin consoles are protected by multi-factor authentication (TOTP/U2F).
  • JWT & Keys: API clients authenticate using JWTs signed with RSA-2048 key pairs.

Monitoring & Incident Response

  • Cloud Monitoring & Logging: Aggregates system, audit, and application logs with 90-day retention.
  • Sentry: Real-time error tracking and performance alerts.
  • Alerting: PagerDuty notifications for P1/P2 incidents with 1-hour acknowledgment SLA.

Email & Payments

  • SendGrid: Configured with DKIM, SPF, and DMARC for authenticated email delivery.
  • Stripe: Uses Stripe Checkout (PCI DSS Level 1) so no card data is stored on our servers.

Secure Development Lifecycle

  • GitHub PRs: Branch protection, mandatory peer reviews, and enforced code coverage.
  • CI/CD & Scans: Automated unit/integration tests, ESLint, and Dependabot security updates on every push.
  • Dependency Management: NPM audit and GitHub Security Alerts monitored weekly.

Standards & Certifications

We align our controls with ISO 27001:2013 and SOC 2 Type II frameworks. A formal SOC 2 audit is scheduled for Q3 2025.

Full Compliance Documentation

For detailed network diagrams, policy matrices, and audit reports, please email hello@interworky.com. Sensitive implementation details are redacted here for security.