IT & Security

Encryption 
All end-to-end communication is encrypted with industry standard 256-bit SSL connectivity. Certificate is issued annually by Let’s Encrypt / Verisign. Person-sensitive information (whistleblowing details, customer information, etc.) is stored in our cloud system and encrypted with AES-128. 

Database 
Database is built on open-source technologies MySQL and MongoDB. Encrypted database is mirrored to three separate locations in order to maintain redundancy.

Two-factor authentication
All users of the solution can have two-factor authentication activated via SMS, to ensure that no unauthorized person can access the accounts. 2FA costs nothing extra to use and is included in all setups of the whistleblowing system. 2FA can be made mandatory. 

Backup, rolling-release and maintenance 
Backups are made every hour. Encrypted backups are stored in three separate locations. New functionality, system maintenance and system updates follow the rolling-release model. The launch of new features, changes or updates does not result in downtime for the system. Changes are made in source code control, and it is arranged for roll-back if the need should arise. 

Measures for protection against data breaches 
The measures that are expected to secure against data breaches are: 

• Software maintenance 
• Update to latest versions 

Encryption, obfuscation of personal sensitive information and auto-generation of passwords means that any data that would be breached will regardless be of little use and only display non-usable/non-identifiable information. 

DDoS protection 
MittVarsel/ MyVoice protects critical infrastructure using Cloudflare, which, among other things, protects against DDoS attacks and maintains a CDN platform available for increased security and load time of the system. In case of traffic that may be perceived as suspicious, automatic routines are run to verify the traffic, such as Google reCAPTCHA. All forms and inputs are protected by Google reCAPTCHA (v2 and v3). 

Redundancy 
The system is at all times mirrored to three separate independent locations. Each location is monitored (UptimeRobot / Site24x7), and in case of deviations (such as packet loss, unavailability or error messages), automatic switching to an available location ensures maximum redundancy and uptime. 

The following are mirrored:

• Source code
• Database
• Server setup (using Docker and OS-level virtualization) 

As a result of the above measures taken to maintain redundancy, MittVarsel and other relevant systems showed 100% availability during 2019. 

API 
MittVarsel.no/ MyVoice has an internal REST API that can be used for integration with third-party systems, such as archive systems. MittVarsel.no’s API is flexible and can retrieve and pass on the necessary information in a safe and secure way.