Trust

We are dedicated to making every effort to improve protection and keep data safe, including continually improving security processes and controls, as well as transparency.

In addition, we are committed to delivering the highest levels of standards conformance and regulatory compliance as part of our ongoing mission to address the most demanding security and privacy requirements in the world.

More and more organizations—from commercial startups to public utilities for entire nations—trust Inrupt with their sensitive applications and data to enable safe innovation and market expansion.

Inrupt delivers many features and benefits, powered by Solid:

Inrupt is a Solid provider of enterprise-grade support for security and privacy
Solid is an open standard to build custom implementations
Solid is web-native and embodies the principles of the web, especially universal access

Trust by Design

At Inrupt, we believe that in order to move from the well-intentioned verbiage of current privacy laws to the actual implementation of effective user privacy, we need to design and build technology that enables real structural change.

Inrupt utilizes the personal data store (Pod) model of Solid to operationalize a fundamentally new framework for data privacy and security, to help our clients build trust throughout the lifecycle of personal data. We design for trust using the highest standards of ethics and care to foster privacy and maintain the security of personal data. We also strive to continually learn, refine, and iterate to enable meaningful and customized collaborations with our clients.

Privacy by Design

Inrupt enables organizations to realize the potential of the Solid specification. Our Pods are designed to be trusted with your most sensitive data and to remove risk from platform operators.

Through use of the Pod model, you can limit personal data access to those who truly need it. Remote key management, PII-free logs, and an infrastructure-as-code design mean that third-party technology providers can provide their services without accessing Pod data.

Pods also enable our clients to easily determine where in the world their user data will be stored. Cloud storage providers can be physically located, and legally incorporated, within a strict geographic zone. The control over where your data lives, and how it is stored, enables easy compliance with data transfer and localization requirements and makes it easier to comply with national data privacy laws.

Inrupt is committed to protecting the privacy of data stored in our products. Any data stored by our products adheres to principles of role-based access control (RBAC) and multi-factor authentication (MFA). Access to infrastructure for the reliability of a service is restricted tightly and monitored using both logical controls and management processes.

Security by Design

Inrupt takes a systematic approach to developing software to help ensure quality, reliability, and security. Security measures are implemented across every phase of the development cycle as a means to mitigate vulnerabilities and protect against potential threats.  

Scoping: Requirements are gathered and defined, such as data sensitivity, controlled access, and regulatory compliance requirements. Stakeholders work with security experts to ensure concerns are raised and addressed from the outset.  
Design: Security architecture and controls are planned. Threat modeling sessions identify potential risks and vulnerabilities. Security controls such as authentication, authorization, and auditing are designed and integrated into any architecture.  
Development: Staff use secure coding practices and guidelines, secure APIs, and employ input validation techniques to detect and prevent common security flaws such as injection attacks, cross-site scripting (XSS), or cross-site request forgery (CSRF). Static code analysis tools help detect vulnerabilities early in this phase.  
Testing: Various techniques such as vulnerability scans, penetration tests, and code reviews are performed on a regular basis to help identify and rectify weaknesses. Both dynamic application security testing (DAST) and static application security testing (SAST) tools are used.  
Deployment: Secure configuration practices implemented during deployment involve hardening the software and its supporting infrastructure, such as properly configuring traffic filtering, access controls, and encryption settings. Continuous monitoring tools are employed to detect and respond to potential security incidents.  
Maintenance: Patches and security updates are monitored and applied promptly to address discovered vulnerabilities. Regular periodic security audits and vulnerability assessments help track status.  
User Training and Awareness: Regular education sessions and documentation cover topics including secure password management, data handling, and social engineering threats. Awareness campaigns foster a safety culture within the organization.

Thus, security measures are fundamental to every stage of the software development life cycle (SDLC), meant to ensure that software is developed using proper security standards of care. Integrating security into each phase not only minimizes vulnerabilities, protects sensitive data, and builds secure software, but is also designed to meet or exceed important industry standards and regulatory requirements. Throughout the SDLC, access controls and privilege management detect and prevent unauthorized access. Strong encryption algorithms protect data at rest and in transit. Secure development frameworks and libraries are employed to leverage tried-and-tested security features. Secure DevOps practices integrate security all the way to the operations end of the process. Inrupt promotes collaboration between developers, operations, and security teams, enabling continuous security monitoring, automated security testing, and faster response to emerging threats.

Regulations and Compliance

Solid Pods enable organizations to comply effectively and intuitively with the requirements of global privacy laws like the GDPR, CCPA (and CPRA), PIPEDA, and many others. Inrupt configures Solid Pods to extend beyond the specific requirements of these regulations in order to animate the key values at their core: transparency, control, and trust. Solid Pods provide a system that is built to enable privacy functionality, that can help organizations both meet and exceed the current legal requirements, and that can scale and adapt as legal requirements continue to evolve.

Example of a Trusted Solid Deployment

Inrupt is not able to technically or contractually access Pod data. The operational processing of data takes place in the territory of an ESS deployment on IaaS under the responsibility of an operator from that region under relevant law.

General Example of a Trusted Solid Deployment: Who might be responsible?

Solid Implementation: Inrupt ESS
ESS Operations: Data Utility Management
Pod Management & Governance: Development and Management of Digital Rights
Setup and Test: Integrators
Hosting Locations: IaaS

Contact

Please contact security@inrupt.com with any questions.
