Trusted by industry leaders and Fortune 500 companies, CoLab is built to the highest standards of security and data protection—adopting a security-first approach to product development and infrastructure design, while giving end users the safest possible method to review critical data with their team and external partners.
We take security—and the protection of our customers’ most sensitive Intellectual Property and data—very seriously. CoLab has adopted secure software development practices as well as information/data protection and cybersecurity controls, as defined by the National Institute of Standards and Technology (NIST) and ISO 27002. To demonstrate and validate the effectiveness of our security controls and processes, CoLab is working with the appropriate accredited bodies to actively pursue CyberSecure Canada certification, as well as SOC 2 compliance. We are on track to receive both designations during 2021.
CoLab offers many security features including SAML SSO, robust authentication, and role-based access controls. All these security features are paired with the most secure application model for day-to-day usage by your end users. CoLab customers have control over sharing, downloading, and access permissions at the admin level—ensuring your most valuable assets never land in the wrong hands.
CoLab offers, and encourages, SAML Single Sign-on (SSO). This allows customer administrators to authorize user access to CoLab directly from their existing identity provider/SSO solution, with support for all major identity providers.
Access to models, drawings, and derivative data is contained within workspaces that are governed by role-based access control (RBAC). User roles in CoLab’s RBAC system are: Creator, Collaborator, Viewer, and Admin.
CoLab uses an industry-recognized, trusted, and secure authentication and authorization service. By providing our customers with a robust solution for user authentication, we help you protect critical identity data. CoLab never stores passwords as clear text—they're always securely hashed and salted using an industry-standard password hashing algorithm. All network communication with CoLab’s authentication and authorization service uses transport layer security (TLS) with advanced encryption standard (AES) encryption.
CoLab maintains 99.5% or higher uptime.
CoLab’s security program and its supporting security architecture are built on the foundations of ISO 27002, SOC 2, applicable NIST security controls, and AWS security best practices. In this way, we achieve a level of protection we’re proud to call Security as a Solution.
CoLab uses Canadian AWS data centres. The data and services are hosted in Amazon Web Services (AWS) facilities within Canada.
CoLab’s Security Team is on call 24/7 to respond to critical security alerts and events.
CoLab has designed multiple layers of security monitoring to detect anomalous behaviour. When incidents and security events exceed predetermined thresholds, our Security Team is on-duty 24/7 to take immediate action.
CoLab has designed and implemented a multi-layer approach to web application security using an industry-leading provider of web application and internet security services—including web application firewall (WAF)—for network edge defenses, along with AWS protection tools and industry-standard security solutions that add a deeper layer of protection.
Access to CoLab production infrastructure is restricted on an explicit need-to-know basis, utilizes least privilege, is continuously audited and monitored, and is controlled by a request and authorization process. Employees accessing CoLab production infrastructure are required to use multiple factors of authentication and strict technical and administrative controls.
CoLab was built with disaster recovery in mind. Where service support exists, we use no less than two AWS Canada availability zones. Our disaster recovery process and backups are tested a minimum of two times annually.
All CoLab servers are within our own virtual private cloud (VPC). Network access control lists (ACLs) and security groups are properly implemented.
All customer data files are backed up in real time. All data stored within CoLab databases is backed up every 12 hours, plus immediately before any major product update.
On an application level, CoLab produces audit logs for all activity and ships logs to a SIEM (security information and event management) service for analysis, using S3 for archival of critical security logs. All actions taken on CoLab’s production infrastructure or AWS services are logged.
Access to customer data is strictly limited to authorized privileged employees who require access for their job responsibilities.
CoLab uses third-party security tools to continuously scan our codebase for vulnerabilities, addressing applicable vulnerabilities as they are found. Our Security Team includes trained and certified penetration testers who regularly test CoLab’s web application and infrastructure security. Additionally, CoLab engages independent third-party security experts to perform annual detailed penetration tests.
All critical security and system alerts are escalated to CoLab’s Security and DevOps Teams, providing the necessary security operations, network, and infrastructure coverage. Applicable employees are trained on security incident response processes, including communication channels and escalation paths.
CoLab has established extensive processes and controls to ensure application security. Every CoLab developer receives security awareness training and follows common secure development best practices, such as those defined by OWASP.
At least once per year, developers participate in secure code training which covers the OWASP Top 10 security risks, common attack vectors, and CoLab security controls. CoLab’s development codebase is continuously scanned for vulnerabilities using automated vulnerability scanning. We address all identified vulnerabilities as they are discovered.
CoLab leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and other common vulnerabilities.
Our Quality Assurance (QA) Team continuously reviews and tests our codebase. Dedicated, on-staff penetration testers regularly test for security vulnerabilities in our application code and infrastructure.
Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.
At CoLab we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and administrative controls.
All employees complete Security Awareness training during onboarding and refresh their training annually.
CoLab has developed a comprehensive set of security policies based on CyberSecure Canada, SOC 2, and ISO 27002. These policies are updated as needed, reviewed annually, and communicated clearly to all employees.
CoLab performs comprehensive background checks on all new employees as a condition of employment. The background check includes federal and local criminal background checks, as well as employment verification and reference checks.
All employee and third-party contracts include a confidentiality agreement.
CoLab has built its information protection and cybersecurity program from the ground up, with the clear aim of CyberSecure Canada certification and SOC 2 compliance. We implement best-practice protection and detection controls, based on well-defined industry standards, to ensure our compliance with applicable regulations of all levels.
As well as our commitments to CyberSecure Canada and SOC 2, CoLab Software is registered in Canada’s Controlled Goods Program (CGP) and is actively working towards CMMC/ITAR readiness.
We’re meticulously proactive about security and keeping your data safe. But if you have any questions or concerns, we take each one seriously. Please email firstname.lastname@example.org to talk to our Security Team.