Security & Compliance
FireBackup is built with security as a foundational principle. This document details our security architecture, encryption standards, compliance certifications, and best practices for securing your backup infrastructure.
Security Overview
FireBackup implements defense-in-depth security with multiple layers of protection:
Security Layers:
Layer 1: Network Security
- TLS 1.3 encryption in transit
- DDoS protection
- WAF (Web Application Firewall)
Layer 2: Application Security
- OAuth 2.0 / JWT authentication
- RBAC authorization
- Input validation & sanitization
Layer 3: Data Security
- AES-256-GCM encryption at rest
- Customer-managed encryption keys (BYOK)
- Secure key management
Layer 4: Infrastructure Security
- VPC isolation
- Private networking
- Regular security updates
Encryption
Encryption at Rest
All backup data is encrypted using industry-standard AES-256-GCM encryption:
| Property | Specification |
|---|---|
| Algorithm | AES-256-GCM |
| Key Size | 256 bits |
| IV Size | 96 bits (12 bytes) |
| Auth Tag | 128 bits (16 bytes) |
| Key Derivation | PBKDF2-HMAC-SHA256 |
How It Works:
Encryption in Transit
All data transmission uses TLS 1.3:
| Connection | Encryption |
|---|---|
| API requests | TLS 1.3 |
| WebSocket connections | WSS (TLS) |
| Storage uploads | TLS 1.2+ |
| Database connections | TLS with certificate verification |
| Redis connections | TLS (optional) |
Bring Your Own Key (BYOK)
Enterprise customers can manage their own encryption keys:
```bash
# Generate a secure key
openssl rand -base64 32 > encryption.key
# Configure in FireBackup
export ENCRYPTION_KEY=$(cat encryption.key)
```
Key Management Best Practices:
- Store keys in a secure key management system (AWS KMS, HashiCorp Vault)
- Rotate keys periodically (recommended: annually)
- Maintain key backups in secure, separate locations
- Use different keys for different environments
Authentication & Authorization
OAuth 2.0 Authentication
FireBackup uses Google OAuth 2.0 for secure authentication:
JWT Token Security
| Property | Value |
|---|---|
| Algorithm | RS256 or HS256 |
| Token Expiry | 24 hours (configurable) |
| Refresh Token | 7 days |
| Token Storage | HTTP-only secure cookies |
Role-Based Access Control (RBAC)
FireBackup implements organization-scoped RBAC:
| Role | Description | Permissions |
|---|---|---|
| Owner | Organization owner | Full access, billing, delete org |
| Admin | Organization administrator | Manage projects, storage, team members |
| Member | Standard team member | Create backups, view projects |
| Viewer | Read-only access | View backups and logs |
Permission Matrix:
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View projects | ✅ | ✅ | ✅ | ✅ |
| Create backups | ✅ | ✅ | ✅ | ❌ |
| Restore backups | ✅ | ✅ | ❌ | ❌ |
| Manage schedules | ✅ | ✅ | ✅ | ❌ |
| Configure storage | ✅ | ✅ | ❌ | ❌ |
| Manage team | ✅ | ✅ | ❌ | ❌ |
| Access billing | ✅ | ❌ | ❌ | ❌ |
| Delete organization | ✅ | ❌ | ❌ | ❌ |
Data Protection
Data Handling Principles
| Principle | Implementation |
|---|---|
| Minimization | Only collect data necessary for backup operations |
| Encryption | All data encrypted in transit and at rest |
| Isolation | Multi-tenant data isolation via organization scoping |
| Retention | Configurable retention policies |
| Deletion | Secure deletion with verification |
Backup Data Flow
Security Notes:
- Data is never stored unencrypted on FireBackup servers
- You control your backups in your own storage
Data Residency
FireBackup supports data residency requirements:
| Region | Storage Location | Compliance |
|---|---|---|
| US | us-east-1, us-west-2 | SOC 2, HIPAA |
| EU | eu-west-1, eu-central-1 | GDPR |
| Asia-Pacific | ap-southeast-1 | Local requirements |
For self-hosted deployments, you have complete control over data residency.
Compliance
SOC 2 Type II
FireBackup maintains SOC 2 Type II compliance covering:
- Security: Protection against unauthorized access
- Availability: System availability per SLA
- Confidentiality: Protection of confidential information
- Processing Integrity: Complete and accurate processing
- Privacy: Personal information protection
GDPR Compliance
| Requirement | Implementation |
|---|---|
| Lawful basis | Contractual necessity |
| Data minimization | Only backup-relevant data |
| Storage limitation | Configurable retention |
| Right to erasure | Delete functionality |
| Data portability | Export functionality |
| Security measures | Encryption, access controls |
| Breach notification | Incident response process |
Data Processing Agreement (DPA):
Enterprise customers can request a DPA covering:
- Data processing terms
- Sub-processor list
- Security measures
- Audit rights
HIPAA Compliance
For healthcare organizations handling PHI:
| Requirement | Implementation |
|---|---|
| Access controls | RBAC with audit logging |
| Encryption | AES-256-GCM at rest |
| Audit logs | Comprehensive activity logging |
| Transmission security | TLS 1.3 |
| Business Associate Agreement | Available for Enterprise |
PCI-DSS Considerations
For organizations handling payment data:
| Requirement | Implementation |
|---|---|
| Secure transmission | TLS 1.3 |
| Encryption | AES-256-GCM |
| Access restriction | Role-based access |
| Activity monitoring | Audit logs |
| Vulnerability management | Regular updates |
Audit Logging
What We Log
FireBackup maintains comprehensive audit logs:
| Event Category | Events Logged |
|---|---|
| Authentication | Login, logout, failed attempts |
| Authorization | Permission changes, role updates |
| Data Access | Backup creation, downloads, restores |
| Configuration | Settings changes, storage updates |
| Administration | User management, org changes |
Audit Log Format
```json
{
  "id": "log_abc123",
  "timestamp": "2024-01-15T10:30:45.123Z",
  "action": "backup.created",
  "actor": {
    "type": "user",
    "id": "usr_abc123",
    "email": "user@example.com"
  },
  "resource": {
    "type": "backup",
    "id": "bkp_xyz789"
  },
  "organization": {
    "id": "org_abc123"
  },
  "context": {
    "ip": "192.168.1.1",
    "userAgent": "Mozilla/5.0...",
    "location": "US"
  },
  "details": {
    "projectId": "proj_abc123",
    "backupType": "full",
    "collections": ["users", "orders"]
  }
}
```
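The following is an added example, not FireBackup's code, showing what the `actor`, `context` and `action` fields of the format above make possible on the consumer side: two detections that the Security Best Practices section later asks for in general terms (alerting on unusual access patterns). The sample entries, the window and threshold values, and the action names `auth.login`, `auth.login_failed` and `backup.restored` are constructed for this example; the page only documents `backup.created`.

```javascript
// Added example (not FireBackup's code): two detections over audit-log
// entries in the documented shape. Assumptions: the action names other
// than 'backup.created' and all sample entries below are constructed.

// Builds an entry with only the fields these detections use.
function entry(id, timestamp, action, actorId, ip) {
  return { id, timestamp, action, actor: { type: 'user', id: actorId },
           organization: { id: 'org_abc123' }, context: { ip } };
}

// Constructed sample: usr_a has a burst of failed logins; usr_b restores a
// backup from an IP that only ever appeared in failed logins.
const SAMPLE_LOGS = [
  entry('log_001', '2024-01-15T09:00:00Z', 'auth.login',        'usr_b', '203.0.113.9'),
  entry('log_002', '2024-01-15T09:05:00Z', 'backup.created',    'usr_b', '203.0.113.9'),
  entry('log_003', '2024-01-15T09:30:00Z', 'auth.login_failed', 'usr_b', '198.51.100.7'),
  entry('log_004', '2024-01-15T09:31:00Z', 'auth.login_failed', 'usr_b', '198.51.100.7'),
  entry('log_005', '2024-01-15T09:40:00Z', 'backup.restored',   'usr_b', '198.51.100.7'),
  entry('log_006', '2024-01-15T09:50:00Z', 'auth.login',        'usr_a', '203.0.113.5'),
  entry('log_007', '2024-01-15T10:00:00Z', 'auth.login_failed', 'usr_a', '203.0.113.5'),
  entry('log_008', '2024-01-15T10:00:30Z', 'auth.login_failed', 'usr_a', '203.0.113.5'),
  entry('log_009', '2024-01-15T10:01:00Z', 'auth.login_failed', 'usr_a', '203.0.113.5'),
  entry('log_010', '2024-01-15T10:01:30Z', 'auth.login_failed', 'usr_a', '203.0.113.5'),
  entry('log_011', '2024-01-15T10:02:00Z', 'auth.login_failed', 'usr_a', '203.0.113.5'),
  entry('log_012', '2024-01-15T10:10:00Z', 'backup.restored',   'usr_a', '203.0.113.5'),
];

// Rule 1: at least `threshold` failed logins for one actor+IP pair inside a
// sliding window of `windowMs`. One alert per pair.
function detectFailedLoginBursts(logs, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const byKey = new Map();
  for (const e of logs) {
    if (e.action !== 'auth.login_failed') continue;
    const key = `${e.actor.id}|${e.context.ip}`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(Date.parse(e.timestamp));
  }
  const alerts = [];
  for (const [key, times] of byKey) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        const [actorId, ip] = key.split('|');
        alerts.push({ rule: 'failed-login-burst', actorId, ip, count: end - start + 1,
                      firstSeen: new Date(times[start]).toISOString() });
        break;
      }
    }
  }
  return alerts;
}

// Rule 2: a restore from an IP the actor has not used in any earlier
// non-failed event. Failed logins do not establish a "known" IP.
function detectRestoresFromNewIp(logs) {
  const seen = new Map(); // actor id -> Set of IPs seen in earlier events
  const alerts = [];
  const ordered = [...logs].sort((a, b) => Date.parse(a.timestamp) - Date.parse(b.timestamp));
  for (const e of ordered) {
    const actorId = e.actor.id;
    const ip = e.context.ip;
    if (!seen.has(actorId)) seen.set(actorId, new Set());
    const ips = seen.get(actorId);
    if (e.action === 'backup.restored' && !ips.has(ip)) {
      alerts.push({ rule: 'restore-from-new-ip', actorId, ip, logId: e.id });
    }
    if (e.action !== 'auth.login_failed') ips.add(ip);
  }
  return alerts;
}

module.exports = { SAMPLE_LOGS, detectFailedLoginBursts, detectRestoresFromNewIp };
```

Both rules key on `actor.id` rather than `actor.email`, since the email field is display data and the id is what the rest of the log references; the second rule only counts restores because that is the most consequential data-access action in the permission matrix.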
Log Retention
| Plan | Retention Period |
|---|---|
| Starter | 30 days |
| Professional | 90 days |
| Enterprise | 1 year (configurable) |
Exporting Audit Logs
```bash
# Export audit logs via API
curl -X GET "https://api.firebackup.io/api/v1/audit-logs?from=2024-01-01&to=2024-01-31" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"

# Export as CSV
curl -X GET "https://api.firebackup.io/api/v1/audit-logs/export?format=csv" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -o audit-logs.csv
```
Security Best Practices
API Key Security
| Practice | Description |
|---|---|
| Rotate regularly | Rotate API keys every 90 days |
| Limit scope | Use scoped keys for specific operations |
| Secure storage | Store in secrets manager, not code |
| Monitor usage | Track API key usage patterns |
| Revoke promptly | Remove access immediately when compromised |
Access Control Best Practices
Access Control Checklist:
- ✅ Use least-privilege principle
  - Grant minimum necessary permissions
- ✅ Enable multi-factor authentication
  - Require MFA for all admin accounts
- ✅ Regular access reviews
  - Audit user permissions quarterly
- ✅ Remove inactive users
  - Disable accounts after 90 days of inactivity
- ✅ Separate environments
  - Use different organizations for prod/staging
- ✅ Monitor suspicious activity
  - Set up alerts for unusual access patterns
Encryption Key Management
Key Management Best Practices:
- ✅ Use a key management service
  - AWS KMS
  - Google Cloud KMS
  - HashiCorp Vault
  - Azure Key Vault
- ✅ Implement key rotation
  - Rotate encryption keys annually
- ✅ Maintain key backups
  - Secure, tested backup procedure
- ✅ Document key custody
  - Clear ownership and access records
- ✅ Plan for key recovery
  - Tested recovery procedure
Vulnerability Management
Security Testing
| Type | Frequency | Scope |
|---|---|---|
| Automated scanning | Continuous | All code changes |
| Dependency scanning | Daily | Third-party packages |
| Penetration testing | Annual | Full application |
| Security audits | Annual | Infrastructure & code |
Responsible Disclosure
We welcome security researchers to report vulnerabilities:
Reporting Process:
- Email security@firebackup.io
- Include detailed description
- Provide steps to reproduce
- Allow 90 days for remediation
What We Commit To:
- Acknowledge receipt within 24 hours
- Provide status updates every 7 days
- Credit researchers (with permission)
- No legal action for good-faith research
Incident Response
Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical | Data breach, service compromise | 1 hour |
| High | Security vulnerability, service degradation | 4 hours |
| Medium | Potential security issue | 24 hours |
| Low | Minor security improvement | 7 days |
Response Process
Incident Response Process:
Compliance Certifications
Current Certifications
| Certification | Status | Last Audit |
|---|---|---|
| SOC 2 Type II | ✅ Active | 2024 |
| ISO 27001 | 🔄 In Progress | - |
| HIPAA | ✅ Available (Enterprise) | 2024 |
| GDPR | ✅ Compliant | - |
Requesting Compliance Documents
Enterprise customers can request:
- SOC 2 Type II Report
- Penetration Test Summary
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA)
- Security Questionnaire Responses
Contact security@firebackup.io for document requests.
Security FAQ
Is my data encrypted?
Yes, all backup data is encrypted with AES-256-GCM before being stored. Data is also encrypted in transit using TLS 1.3.
Where are backups stored?
Backups are stored in your own cloud storage accounts (AWS S3, Google Cloud Storage, or DigitalOcean Spaces). FireBackup only processes the data; you retain full control of storage.
Can FireBackup employees access my data?
No. Your backup data is encrypted with keys that you control. Even if accessed, the data is unreadable without your encryption key.
How long is data retained?
Data retention is fully configurable. You control how long backups are kept through retention policies.
Is FireBackup SOC 2 compliant?
Yes, FireBackup maintains SOC 2 Type II compliance. Enterprise customers can request our audit report.
Can I use my own encryption keys?
Yes, Enterprise customers can use Bring Your Own Key (BYOK) for complete control over encryption.
Related Documentation
- Architecture Overview - System architecture
- PITR Compliance Tutorial - Compliance configuration
- Self-Hosted Security - Self-hosted security
- API Authentication - API security