Security as a Solution

Protecting your data goes beyond a basic checkbox—that's why it's our top priority.

Trusted by industry leaders and Fortune 500 companies, CoLab is built to the highest standards of security and data protection—adopting a security-first approach to product development and infrastructure design, while giving end users the safest possible method to review critical data with their team and external partners.

Security and Privacy

We take security—and the protection of our customers’ most sensitive Intellectual Property and data—very seriously. CoLab has adopted secure software development practices as well as information/data protection and cybersecurity controls, as defined by the National Institute of Standards and Technology (NIST) and ISO 27002. To demonstrate and validate the effectiveness of our security controls and processes, CoLab is working with the appropriate accredited bodies to actively pursue CyberSecure Canada certification, as well as SOC 2 compliance. We are on track to receive both designations during 2021.

Product Security and Reliability

CoLab offers many security features including SAML SSO, robust authentication, and role-based access controls. All these security features are paired with the most secure application model for day-to-day usage by your end users. CoLab customers have control over sharing, downloading, and access permissions at the admin level—ensuring your most valuable assets never land in the wrong hands.

SSO

CoLab offers, and encourages, SAML Single Sign-on (SSO). This allows customer administrators to authorize user access to CoLab directly from their existing identity provider/SSO solution, with support for all major identity providers.

Role-Based Access Control

Access to models, drawings, and derivative data is contained within workspaces that are governed by role-based access control (RBAC). User roles in CoLab’s RBAC system are: Creator, Collaborator, Viewer, and Admin.

Authentication

CoLab uses an industry-recognized, trusted, and secure authentication and authorization service. By providing our customers with a robust solution for user authentication, we help you protect critical identity data. CoLab never stores passwords as clear text—they're always securely hashed and salted using an industry-standard password hashing algorithm. All network communication with CoLab’s authentication and authorization service uses transport layer security (TLS) with advanced encryption standard (AES) encryption.

Uptime

CoLab maintains 99.5% or higher uptime.

Cloud Security

CoLab’s security program and its supporting security architecture are built on the foundations of ISO 27002, SOC 2, applicable NIST security controls, and AWS security best practices. In this way, we achieve a level of protection we’re proud to call Security as a Solution.

Physical Security and Data Hosting

CoLab uses Canadian AWS data centres. The data and services are hosted in Amazon Web Services (AWS) facilities within Canada.

Dedicated Security Team

CoLab’s Security Team is on call 24/7 to respond to critical security alerts and events.
Intrusion Detection and Prevention

CoLab has designed multiple layers of security monitoring to detect anomalous behaviour. When incidents and security events exceed predetermined thresholds, our Security Team is on-duty 24/7 to take immediate action.
Web Application Security

CoLab has designed and implemented a multi-layer approach to web application security using an industry-leading provider of web application and internet security services—including web application firewall (WAF)—for network edge defenses, along with AWS protection tools and industry-standard security solutions that add a deeper layer of protection.

Logical Access

Access to CoLab production infrastructure is restricted on an explicit need-to-know basis, utilizes least privilege, is continuously audited and monitored, and is controlled by a request and authorization process. Employees accessing CoLab production infrastructure are required to use multiple factors of authentication and strict technical and administrative controls.

Failover and Disaster Recovery

CoLab was built with disaster recovery in mind. Where service support exists, we use no less than two AWS Canada availability zones. Our disaster recovery process and backups are tested a minimum of two times annually.
Virtual Private Cloud

All CoLab servers are within our own virtual private cloud (VPC). Network access control lists (ACLs) and security groups are properly implemented.
Backups

All customer data files are backed up in real-time. All data stored within CoLab databases gets backed up every 12 hours, plus immediately before any major product update.
Monitoring

On an application level, CoLab produces audit logs for all activity and ships logs to a SIEM (security information and event management) service for analysis, using S3 for archival of critical security logs. All actions taken on CoLab’s production infrastructure or AWS services are logged.
Permissions and Authentication

Access to customer data is strictly limited to authorized privileged employees who require access for their job responsibilities.

Encryption

All data sent to or from CoLab is encrypted in transit. Our API and application endpoints are TLS/SSL only and score an “A+” rating on Qualys SSL Labs’ tests. Additionally, all customer data uploaded to CoLab is encrypted at rest using the industry-standard AES-256 encryption algorithm.

Pentests and Vulnerability Scanning

CoLab uses third-party security tools to continuously scan our codebase for vulnerabilities, addressing applicable vulnerabilities as they are found. Our Security Team includes trained and certified penetration testers who regularly test CoLab’s web application and infrastructure security. Additionally, CoLab engages independent third-party security experts to perform annual detailed penetration tests.
Security Incident Response

All critical security and system alerts are escalated to CoLab’s Security and DevOps Teams, providing the necessary security operations, network, and infrastructure coverage. Applicable employees are trained on security incident response processes, including communication channels and escalation paths.
Application Security

CoLab has established extensive processes and controls to ensure application security. Every CoLab developer receives security awareness training and follows common secure development best practices, such as those defined by OWASP.

Secure Code Development (SDLC)

At least once per year, developers participate in secure code training which covers the OWASP Top 10 security risks, common attack vectors, and CoLab security controls. CoLab’s development codebase is continuously scanned for vulnerabilities using automated vulnerability scanning. We address all identified vulnerabilities as they are discovered.
Framework Security Controls

CoLab leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and other common vulnerabilities.

Quality Assurance

Our Quality Assurance (QA) Team continuously reviews and tests our codebase. Dedicated, on-staff penetration testers regularly test for security vulnerabilities in our application code and infrastructure.

Separate Environments

Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.
HR Security

At CoLab we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and administrative controls.

Training

All employees complete Security Awareness training during onboarding and refresh their training annually.
Policies

CoLab has developed a comprehensive set of security policies based on CyberSecure Canada, SOC 2, and ISO 27002. These policies are updated as needed, reviewed annually, and communicated clearly to all employees.

Employee Screening

CoLab performs comprehensive background checks on all new employees as a condition of employment. The background check includes federal and local criminal background checks, as well as employment verification and reference checks.

Confidentiality

All employee and third-party contracts include a confidentiality agreement.
Compliance

CoLab has built its information protection and cybersecurity program from the ground up, with the clear aim of CyberSecure Canada certification and SOC 2 compliance. We implement best-practice protection and detection controls, based on well-defined industry standards, to ensure our compliance with applicable regulations of all levels.

As well as our commitments to CyberSecure Canada and SOC 2, CoLab Software is registered in Canada’s Controlled Goods Program (CGP) and is actively working towards CMMC/ITAR readiness.
Privacy and Terms of Service

For more information on our approach to privacy, or to view the detailed CoLab Terms and Conditions, see here:

Privacy at CoLab
CoLab Terms and Conditions

Security Concern?

We’re meticulously proactive about security and keeping your data safe. But if you have any questions or concerns, we take each one seriously. Please email securityteam@colabsoftware.com to talk to our Security Team.