Security Overview
At Freeplay, security is a top priority. We've implemented robust measures to protect your data and ensure the safety of our platform.
Key Management
Freeplay uses advanced cryptographic key management processes to secure sensitive customer data and generate API keys for its private API. Our key management approach includes:
Cryptographic Encryption Keys
- Key Generation and Distribution: We use Google Cloud Key Management for generating symmetric encryption keys. These keys are created using the "Google symmetric key" encryption algorithm. Each key is unique to the Freeplay customer and is local to the region where the customer's Google Cloud Run application is deployed.
- Key Storage: Our encryption keys are stored and managed according to the FIPS 140-2 Level 1 standard. We use Google Cloud Key Management to store keys securely, ensuring they are encrypted both at rest and in transit. Access to these keys is restricted to the Cloud Run service account running the Freeplay application, adhering to the principle of least privilege.
- Key Rotation: To enhance security and mitigate the risk of key compromise, we rotate encryption keys every 90 days. This process is automated and managed through Google Cloud Key Management, ensuring seamless updates without service interruption.
- Accountability and Audit: All encryption and decryption actions are logged using Google Cloud Audit logging. These logs provide an audit trail and are only accessed in case of an incident or investigation, ensuring traceability and accountability for all key management actions.
Freeplay API Keys
For access to the Freeplay API, we generate and validate API keys using the following process:
- Generation: API keys are created using a cryptographically secure randomly generated string.
- Display and Storage: The full API key is displayed to the requesting customer only immediately after generation. After this initial display, we use the Argon2 algorithm to create a one-way hash of the key before storage. For user convenience, we persist only the last 4 characters of the original key.
- Validation: When incoming API requests occur, customer API keys are hashed and validated against the stored hash to allow or deny access.
- Management: Customers can revoke or rotate their API keys at any time using the Freeplay web application.
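An added example, not Freeplay's code, of the generate / hash / validate / revoke flow listed above. The `demo_<key_id>_<secret>` layout, the in-memory `STORE`, and the scrypt fallback used when the argon2-cffi package is not installed are assumptions; the key id is there because a salted hash cannot be looked up by value, so the record has to be located first.

```python
import hashlib, hmac, secrets

try:  # argon2-cffi, when installed, provides the Argon2 hash the page names
    from argon2 import PasswordHasher
    from argon2.exceptions import VerificationError
    _ph = PasswordHasher()
except ImportError:  # assumption: stdlib scrypt as a salted, memory-hard stand-in
    _ph = None

STORE = {}  # key_id -> record; stands in for the database table (constructed)

def _hash(key: str) -> str:
    if _ph:
        return _ph.hash(key)  # encoded string carries its own salt and parameters
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(key.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + dk.hex()

def _verify(stored: str, key: str) -> bool:
    if _ph:
        try:
            return _ph.verify(stored, key)
        except VerificationError:
            return False
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(key.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def issue_key() -> str:
    key_id = secrets.token_hex(4)  # hypothetical public id used to find the record
    full = f"demo_{key_id}_{secrets.token_urlsafe(32)}"
    STORE[key_id] = {"hash": _hash(full), "last4": full[-4:], "revoked": False}
    return full  # returned once for display; the plaintext is never stored

def validate(presented: str) -> bool:
    parts = presented.split("_", 2)  # the secret part may itself contain "_"
    if len(parts) != 3 or parts[0] != "demo":
        return False
    rec = STORE.get(parts[1])
    if rec is None or rec["revoked"]:
        return False
    return _verify(rec["hash"], presented)

def revoke(key_id: str) -> None:
    STORE[key_id]["revoked"] = True
```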
Access Control
At Freeplay, we implement strict access control measures to ensure the security and integrity of our systems and your data:
- Principle of Least Privilege: We adhere to the principle of least privilege, which means that users and systems are granted the minimum levels of access – or permissions – needed to perform their functions. This minimizes the potential impact of any security breach.
- Regular Access Reviews: We conduct regular reviews of access rights to ensure that permissions remain appropriate as roles change within our organization.
- Audit Logging: All sensitive actions, such as changes to system configurations or modifications to access rights, are logged and monitored.
Vulnerability Management
At Freeplay, we take a proactive approach to vulnerability management:
- Continuous Scanning: We employ advanced tools to conduct continuous vulnerability scanning across our entire infrastructure. This allows us to identify potential weaknesses in real time.
- Regular Penetration Testing: We engage third-party security experts to perform regular penetration testing. These tests simulate real-world attack scenarios, helping us uncover and address vulnerabilities that automated scans might miss.
- SLA-Driven Resolution: Our team adheres to a Service Level Agreement (SLA) for addressing vulnerabilities.
Data Isolation
We've implemented tenant isolation at the database layer using row-level security. This ensures that each customer's data remains strictly segregated, preventing any unauthorized access or data leakage between different tenants sharing our infrastructure.
Multi-Factor Authentication Requirement
We require Multi-Factor Authentication (MFA) for all users of Freeplay systems. This is not optional, as it adds an extra layer of protection to your account.
Private Hosting
For customers with heightened security requirements, we offer a private hosting solution. This uses a single tenant deployment along with a secure and highly available site-to-site VPN connection. It allows you to keep your data within your own infrastructure, providing an additional layer of control and security. Learn more about our private hosting option.
Updated 6 months ago