Security & Privacy
Security and privacy policy at Fragment
Last updated: April 16th, 2024
Author: Guillaume Genthial, Fragment CTO
Introduction
At Fragment, we are committed to ensuring the highest standards of security and privacy for our customers and their data.
This document outlines the measures we have implemented to protect your data, as well as the procedures we follow to ensure compliance with relevant regulations and best practices.
1. API Security
Fragment’s API is designed with robust security measures to safeguard your data during transit and authentication.
- All data transmitted between Fragment’s servers and Fragment’s clients (Chrome Extension and Web App) or customer systems is encrypted using industry-standard HTTPS protocols, ensuring data integrity and confidentiality.
- Fragment leverages AWS Cognito for authentication, providing a secure and scalable user management solution. AWS Cognito is responsible for issuing JWT tokens.
We can also issue customer-specific API keys for developer access. These keys grant access to the public API and should be kept secure.
2. Chrome Extension Security & Privacy
We understand the importance of maintaining user privacy and ensuring the integrity of your systems. Here’s how we address security concerns related to our Chrome extension:
- Our Chrome extension is designed to enhance your experience without compromising your privacy.
- The extension source code can be audited on request. It is also straightforward to inspect network payloads from the extension background worker (accessible from chrome://extensions) to confirm that no sensitive data is ever pushed to remote servers.
- The content script only exposes the necessary buttons through message passing to the service worker. It does not read user data, track user behavior, or perform any unauthorized actions.
- The Chrome extension can be configured (at the customer’s request only) to track visited URLs on a subset of websites.
- Our implementation adheres to the manifest v3 standard, which enforces a stringent Content Security Policy. Additional details can be found on the Chrome Developer’s Website.
- The Chrome extension requires the following permissions: "activeTab", "tabs", "storage", "scripting", "identity", "idle".
3. Authentication Methods
Fragment supports multiple authentication methods to cater to your specific needs:
- AWS Cognito with password-based authentication offers a secure way for users to access the platform. It uses the Secure Remote Password (SRP) protocol for password authentication. We follow the default AWS password policy (8 characters minimum, with at least 1 uppercase, 1 lowercase, 1 special character, and 1 number).
- We also provide federated sign-in options, currently supporting Google authentication, and are adding additional options, such as Azure AD.
- Our Access and ID tokens adhere to an industry-standard expiration of 36000 seconds, ensuring secure and timely access. Refresh tokens, providing extended access, expire after 30 days. In addition, tokens can be revoked administratively through our dashboard.
- Currently, new account signups are exclusively facilitated by the Fragment team. A new account is linked to a Cognito user through an invitation code, generated as a 32-hex-character random secret. Invitation codes remain valid for 30 days and apply solely to the email address registered for the new account.
Both approaches employ the Authorization Code Grant flow. JWT tokens are stored in the extension’s local storage, which is never exposed to the content script, so they remain inaccessible from external sources and protected from cross-site scripting threats. Additionally, we keep web_accessible_resources restricted to prevent any potential malicious access.
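As an added illustration (not Fragment’s code), the following Python sketch shows the invitation-code lifecycle described above: a 32-hex-character random secret bound to one email address and valid for 30 days. Storing only a hash of the code and treating it as single-use are assumptions of this example, not statements from the policy.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Parameters taken from the policy text: 32 hex characters, valid for 30 days.
CODE_HEX_CHARS = 32            # 16 random bytes -> 32 hex characters
CODE_LIFETIME = timedelta(days=30)


def generate_invitation(email: str, now: datetime) -> tuple[str, dict]:
    """Create an invitation code for one email address.

    Returns the plaintext code (sent to the invitee once) and the record the
    server keeps. Only a SHA-256 hash of the code is stored (assumption for this
    example), so a leaked record cannot be redeemed on its own.
    """
    code = secrets.token_hex(CODE_HEX_CHARS // 2)
    record = {
        "email": email.strip().lower(),
        "code_hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires_at": now + CODE_LIFETIME,
        "used": False,
    }
    return code, record


def redeem_invitation(record: dict, email: str, code: str, now: datetime) -> bool:
    """Accept a code only if it is unused, unexpired, bound to this email and
    matches the stored hash. The hash comparison is constant-time."""
    if record["used"] or now >= record["expires_at"]:
        return False
    if email.strip().lower() != record["email"]:
        return False
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["code_hash"]):
        return False
    record["used"] = True  # single-use (assumption; not stated in the policy)
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 4, 16, tzinfo=timezone.utc)
    code, rec = generate_invitation("alice@example.com", t0)
    print(len(code), redeem_invitation(rec, "alice@example.com", code, t0 + timedelta(days=1)))
```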
4. Data Hosting and Subprocessors
We take data hosting seriously and rely on Amazon Web Services (https://aws.amazon.com) and Render (https://render.com) to ensure the highest level of security:
- Your data is hosted in AWS’s Paris data center (eu-west-3) and Render’s EU region (Frankfurt, EU Central), both of which adhere to stringent security standards and compliance frameworks.
- Render’s databases are not accessible from the internet and communicate with web services using private network communication. See https://docs.render.com/private-network.
- We currently employ a “one table per customer” approach, further enhancing data isolation. This strategy ensures that each customer’s data remains distinct and isolated, reducing the possibility of cross-customer leakage and maintaining the highest level of data security.
- We use PostHog for product analytics on our web app (https://app.onfragment.com). Session data is stored on EU servers and is automatically deleted after 1 month.
5. Internal Security
Fragment employs rigorous internal security measures to protect against unauthorized access:
- Only authorized Fragment team members have access to the Cloud services account.
- Two-Factor Authentication (2FA) is enforced for Cloud services account access.
- All laptops used by Fragment team members are password protected to prevent unauthorized access.
- To safeguard sensitive secrets, Fragment team members utilize 1Password, effectively preventing any unintended dissemination of confidential information through inappropriate channels.
New Hire Vetting and Security Onboarding
- New hires will undergo a rigorous vetting process that includes background checks and assessments to ensure the integrity of our team.
- Once onboarded, every employee will receive comprehensive security training tailored to our policies and practices. This will equip them with the knowledge and tools necessary to maintain a secure work environment and uphold our commitment to safeguarding your data.
6. Data Processing, GDPR, CCPA and PDPA Compliance
We are dedicated to safeguarding your data privacy and upholding the standards set forth by the GDPR, the CCPA, and Singapore’s Personal Data Protection Act (PDPA):
- We select our sub-processors and 3rd party tools to be GDPR and SOC2 compliant.
- Fragment processes the minimum necessary data, such as URLs and metadata for task dispatch.
- We are fully committed to transparent data processing and ensuring that all your data is managed in strict accordance with the guidelines outlined by GDPR, CCPA, and PDPA.
- Your data ownership and privacy are of utmost importance to us. If you wish to have your data removed, we will promptly erase all relevant information from our systems. This practice ensures that your data remains within your control and aligns with the stipulations of relevant data protection regulations. For any inquiries or requests concerning your data (including copies, deletions, etc.), please reach out to us at support@checkfragment.com.
- As a California resident, you have the right, in accordance with the CCPA, to be informed about the specific categories of data that we process, even though Fragment does not collect or sell personal information. This includes understanding the purpose behind the limited data we handle and the option to opt out of any hypothetical sale of personal information, although we want to emphasize that we do not engage in such activities. Should you wish to exercise any CCPA rights, please reach out to us at support@checkfragment.com.
- For our users in the European Economic Area (EEA) and beyond, our adherence to the GDPR ensures that you have the right to access your personal data, request its rectification, erasure, or restriction, and object to its processing.
Guillaume Genthial, our CTO, serves as our Data Protection Officer (DPO). You can contact him directly via email at guillaume@checkfragment.com for any matters related to data protection and privacy.
7. Integration Approaches
We provide versatile integration choices tailored to your preferences:
- API Integration: Fragment customers have the option to utilize the Fragment API for tasks management, allowing tasks to be created, updated, or deleted seamlessly.
- Reverse Integration: Fragment also offers the ability to synchronize with your current database or ticketing system. Notable past integrations include periodic polling of the HubSpot API at intervals of 1 minute, facilitating synchronization of tasks, tickets, and deals metadata.
8. Incident Reporting
In the event of a security breach, Fragment follows a robust protocol.
We notify customers as soon as possible (within 48 hours at most). We secure affected accounts by revoking access and security keys, pause live applications where necessary, and preserve evidence during and after the breach.
Our top priority is to swiftly address the situation, minimize impact, and maintain transparency throughout the process.
9. Data Classification Matrix
Data Category | Data Attributes | Access Controls | Storage and Retention | Handling and Sharing Guidelines | Security Measures |
---|---|---|---|---|---|
User Credentials | Private, Secure | Restricted to issuers | Hashed & salted storage | Encrypted transmission, restricted use | Strong encryption, access logs, limited usage |
Fragment Data | Tasks (URL, Metadata), Logs | Internal users with relevant roles | Internal systems | Limited sharing, encrypted internal transit | Role-based access, password protection, user isolation |
Conclusion
At Fragment, security and privacy are paramount. We’ve implemented robust security measures across our platform, adhering to industry best practices and regulatory requirements. If you have any further questions or concerns regarding our security and privacy practices, please don’t hesitate to reach out to us. We are here to ensure your data remains safe and your experience with Fragment is secure and seamless.