Public Information Security Bulletin
Take Blip, January 07, 2021 20:08
Last update: September 2020

1. Mission and Responsibilities

1.1 Mission
Ensure the availability, integrity and confidentiality of information.

1.2 Team responsibilities
The security teams' responsibilities cover, but are not limited to, the following topics:
Security Operations Center (SOC)
Data Protection
Privacy
Application Security
Cloud Security
Penetration Tests
Incident Investigation
Access Control and Identities
Compliance and Security Auditing
Security Incident Management
Risk Assessment
Promoting good practices

2. Blip security

2.1 SAST static code analysis
Every build pipeline runs static code analysis. The tool evaluates categories of software defects including code smells, vulnerabilities and security hotspots.

2.2 SCA Analysis - Software Composition Analysis
Third-party components and libraries are inventoried and checked for known vulnerabilities.

2.3 Pull Request Analysis and Approval
When development teams finish coding, whether new features or fixes for software defects, they commit the code and open pull requests, which are reviewed by the squad's tech lead.

2.4 Protection of source code
Source code is stored in a private Git repository, with access authorized through integrated authentication.

2.5 Segregation of environments
The development, staging and production environments are separated, each with its own access permissions. The production environment follows the principle of least privilege.

2.6 Encryption of data in transit
Data in transit across the platform uses TLS 1.2 for HTTP communication by default. Connections to databases are also encrypted in transit.

2.7 Secrets management
Sensitive application information such as API keys and database passwords is stored in a password vault with an activity log and restricted network access. The vault in the production environment follows the least-privilege model described in item 3.1.

2.8 Exchange of files in Blip
Media that travel on Blip are subjected to antivirus analysis and cannot exceed 20 megabytes. Some types of potentially malicious files, such as executables and libraries, are also blocked.

2.9 Execution of pentests
Every six months Take Blip contracts an external company to independently run a gray-box pentest of the Blip application. Attestation letters can be requested from Take Blip's Information Security team.

3. Cloud security

3.1 Least privilege
Access to the cloud environment requires a second authentication factor by default. Access to data considered sensitive requires a VPN connection or a computer physically on Take Blip's internal networks. Access to production subscriptions is restricted: only tech leads access data and assets, except that audit data such as access logs remain restricted to the infrastructure and security teams.

3.2 Logs of actions and activities
Logs of actions and activities such as modifying settings and creating or deleting assets in production subscriptions are kept to allow audits and investigations whenever necessary.

3.3 Monitoring
Actions are monitored through a dashboard on which the environment's compliance with the current security policies is inspected. Policies are enforced whenever possible.

3.4 Security certifications
The cloud environments Take Blip uses to provide its services meet the strictest security requirements, which are audited and certified.

4. Data Security

4.1 Cryptography
All relational databases are encrypted on disk and in transit.

4.2 Anonymization
Information is anonymized whenever possible with respect to privacy. Anonymization, where required, is driven by the mapping of sensitive data held in relational databases.

4.3 Access logs and change log
Access logs and change records from all production relational databases are kept for auditing when needed. The logs are retained for five years.

4.4 Backups
Production relational databases are backed up automatically every day with a seven-day retention.

4.5 Location of data
Databases and media files are stored in the cloud in data centers located in Brazil.

5. Workstation security

5.1 Antivirus
Take Blip computers come with an antivirus system installed by default and managed through remote administration.

5.2 Software installation
Take Blip employees are not allowed to install software without the knowledge of the Information Security team. An inventory of installed software is maintained.

6. WhatsApp channel

6.1 Blip and WhatsApp communication
Each WhatsApp number represents a container in Blip's infrastructure, and each container has its own encryption, just like a cell phone with an activated number. Thus Take Blip does not have access to any text or media content stored in each active container on the WhatsApp channel.

7. Networks

7.1 Firewall
The Blip cloud operation networks have firewalls at the edges that can block traffic according to the risk it poses to the platform.

7.2 IP reputation
IP reputation analysis is performed on each request the platform receives, so that a request can be blocked on that basis.

7.3 Segregation of networks
The production, staging and testing networks are segregated and have no communication between them.

8. By-design initiatives

8.1 Security by design
During the development refinement phase, the IS team participates as security consultants, seeking to align each new implementation with the most appropriate security standards. Whenever possible, the OWASP Threat Modeling framework is used.

8.2 Privacy by design
During the development teams' refinement phase, the IS team conducts privacy impact assessments of the data handled by the project. Teams have the autonomy to request privacy assessments whenever necessary.

9. Awareness

9.1 Onboarding process
New employees are trained by the Information Security team before starting their activities. On that occasion, the topics of the Information Security Policy (PSI) are presented.

9.2 Training
Teams routinely receive training from the Information Security team on security and privacy issues relevant to their activities.

9.3 Communication
The Information Security team uses Take Blip's internal communication channels to keep all employees informed about security-related topics, raising awareness and keeping them up to date on the Information Security Policy (PSI).

9.4 Information Security Committee
There is an Information Security committee with participants from different sectors and roles at Take Blip. Its objective is to drive training focused on identifying security needs, enabling proactive action on possible security risks in internal teams' projects.

10. Useful Links
Additional information links about Blip.
Blip Help Center: https://help.blip.ai/
API Reference: https://docs.blip.ai/
Blip Policies (Cookies - Privacy - Terms of Use): https://help.blip.ai/security/
Blip Status Page (Incident Availability and History): https://status.blip.ai/
Blip Changelog: https://changelog.blip.ai

11. Contacts
Take Blip's Information Security team is available for clarification at the e-mail address: si@take.net
Take Blip has a Data Protection Officer (DPO) to provide guidance related to data privacy. Questions related to data privacy can be sent to the e-mail address: legal@blip.ai