The Building Robotics Platform: Secure by Design
Our products, such as Comfy, are hosted on the Building Robotics platform, whose architecture is based on cutting-edge research at U.C. Berkeley into building secure, reliable control systems in the cloud on top of legacy infrastructure. We have combined this architecture with a host of industry best practices, including ISO27001 certified vendors, a comprehensive internal security program based on the NIST Risk Management Framework, and a world-class team of seasoned industry veterans. All of this means that we provide high levels of availability, confidentiality, and integrity to our customers.
Customers access Building Robotics' products over the internet using industry-standard encrypted connections (TLS 1.0-1.2) with high-grade 2048-bit, SHA-256 certificates. Individual user sessions are protected by unique session tokens, which are verified on each transaction.
Building Robotics tests all code for security vulnerabilities and other defects before release, and regularly performs network and application scans for vulnerabilities.
- Security through Community: Building Robotics' applications are built on proven, secure open-source components with robust security programs.
- Threat Intelligence Program: we subscribe to and regularly triage security notifications for all software components used on Building Robotics systems, and take action based on our risk and exposure.
- Secure Development (SDLC): releases are reviewed by our development team against our internal security guidelines, including the OWASP Top 10 flaws and other risks as appropriate to the technology.
- Vulnerability Management Program: application servers are regularly patched against operating-system and software-component vulnerabilities.
- Secure Credential Storage: passwords and other credentials are never stored in cleartext; they are hashed and salted according to industry best practices.
- Principle of Least Privilege: occupants and building managers receive authorization only for the information and control they need to use the product, and no more.
- Separate Environments: separate development, staging, and production environments are used, and no customer data is present in development or staging environments.
- Dynamic Vulnerability Scanning: we use a third party service to regularly scan our application for vulnerabilities including the OWASP Top 10.
- Third-Party Penetration Testing: we conduct annual third-party penetration tests against a broad range of Building Robotics services and applications across our production network.
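The two practices described above, salted credential hashing and unique per-session tokens verified on each transaction, are shown together in the following added example. It is illustrative code written for this page, not Building Robotics' own implementation: the page does not say which hash algorithm, work factor or session lifetime the product uses, so PBKDF2-HMAC-SHA256 with 600,000 iterations and a one-hour token lifetime are assumptions, and the user table is constructed sample data.

```python
"""Salted credential storage and per-request session verification.

Added illustrative example, not Building Robotics code. Assumptions: the
hash algorithm (PBKDF2-HMAC-SHA256), the work factor and the session
lifetime are chosen for this example; the page does not specify them.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumed work factor, not a value from the page
SESSION_TTL_SECONDS = 3600    # assumed session lifetime, not a value from the page


def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte random salt; the salt is stored beside the hash.

    Record format: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    Two users with the same password therefore get different records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False            # malformed record: never authenticate
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side session table keyed by the SHA-256 of the token.

    Only a hash of each token is kept, so a leaked copy of the table cannot
    be replayed as live sessions. The clock is injectable for testing.
    """

    def __init__(self, ttl: int = SESSION_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create an unpredictable 256-bit token bound to user_id with an expiry."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user_id, self._clock() + self._ttl)
        return token

    def verify(self, token: str) -> Optional[str]:
        """Return the user_id for a valid, unexpired token, else None.

        Called on every request: unknown, revoked or expired tokens yield no
        identity, and expired entries are dropped from the table.
        """
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            self._sessions.pop(self._key(token), None)
            return None
        return user_id

    def revoke(self, token: str) -> None:
        """Log out: the token is useless from this point on."""
        self._sessions.pop(self._key(token), None)


def login(users: Dict[str, str], username: str, password: str,
          sessions: SessionStore) -> Optional[str]:
    """Check the password against the stored salted hash; issue a token on success."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return None
    return sessions.issue(username)


if __name__ == "__main__":
    # Constructed sample user table: only salted hashes are stored, never cleartext.
    users = {"alice": hash_password("correct horse battery staple")}
    sessions = SessionStore()
    token = login(users, "alice", "correct horse battery staple", sessions)
    print("login succeeded:", token is not None)
    print("request verified as:", sessions.verify(token))
    print("wrong password gives:", login(users, "alice", "wrong", sessions))
```

Each request carries only the token; the server looks up the hashed token, checks expiry, and recovers the identity, so a stolen password hash grants nothing without the original password and a stolen table of hashed tokens grants nothing without the original tokens.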
Physical and Environmental Security
Our service's third-party hosting provider (Amazon AWS) has extensive physical and environmental controls, including redundant power supplies, biometric identification before physical access, and other measures to ensure the security and integrity of their systems. We regularly review their ISO27001 and SOC2 reports to ensure that their security measures align with our commitments to our customers.
Network Access Controls
- Architecture: servers are segmented into zones with different levels of exposure and risk. Our most tightly controlled assets are those that communicate with building control systems, which can be reached only through a narrow, hardened interface.
- Access to and from the production service is limited to authorized employees accessing the network through dedicated gateway machines.
- Access to Building Robotics servers requires the use of multi-factor authentication with extensive access monitoring and audit logs.
- Communication from the Building Robotics controller to the cloud is initiated by the controller and is mutually authenticated using TLS 1.0.
- System access and logs are stored on a separate, hardened server for auditing purposes.
- Application access logs, operating systems logs, and other relevant logs are collected and analyzed based on our internal security objectives.
- Access to customer data is restricted to authorized personnel.
- Access to production servers is limited to full-time employees, on a need-to-access basis.
- All access is limited, logged, and tracked for auditing.
- Employees in engineering, operations, and developer roles with access to production data have background checks as a condition of employment.
- All employees are trained on information security and privacy procedures.
- At no time is any user data removed from BR-owned computers, and BR machines use appropriate technical measures, including full-disk encryption and VPN access, to ensure that user data remains secure.
- We take our supplier relationships seriously and carefully check that they do not disclose data, except as required by law. Our servers are maintained by a SOC2-certified service provider.
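The controller-to-cloud link described above is mutually authenticated: the controller initiates the connection as the TLS client, and each side proves its identity with a certificate. The following added example, written for this page and not Building Robotics' own code, builds the two ssl.SSLContext objects such a pairing needs using Python's standard library. All file paths are placeholders for a CA bundle and each side's certificate and key. The page states TLS/1.0; this example pins TLS 1.2 as the minimum version, which is the current recommendation now that TLS 1.0 and 1.1 are deprecated (RFC 8996).

```python
"""Mutually authenticated TLS between a building controller and a cloud endpoint.

Added illustrative example, not Building Robotics code. The certificate and
key paths are placeholders; the TLS 1.2 floor is this example's choice.
"""
import socket
import ssl
from typing import Dict, Optional


def cloud_server_context(ca_path: Optional[str] = None,
                         cert_path: Optional[str] = None,
                         key_path: Optional[str] = None) -> ssl.SSLContext:
    """Cloud side (TLS server): present our certificate and REQUIRE a client
    certificate issued by the controller CA. Without one the handshake fails,
    so an unauthenticated host cannot reach the application at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # this setting makes the auth mutual
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)            # CA that signs controller certs
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)  # the cloud's own identity
    return ctx


def controller_client_context(ca_path: Optional[str] = None,
                              cert_path: Optional[str] = None,
                              key_path: Optional[str] = None) -> ssl.SSLContext:
    """Controller side (TLS client): verify the cloud's certificate and hostname
    against our CA, and present the controller's certificate when asked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                    # name in the cert must match the endpoint
    ctx.verify_mode = ssl.CERT_REQUIRED          # never accept an unverified server
    if ca_path:
        ctx.load_verify_locations(cafile=ca_path)            # CA that signs the cloud cert
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)  # the controller's identity
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the security-relevant settings of a context for review or tests."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def open_controller_connection(ctx: ssl.SSLContext, host: str, port: int,
                               timeout: float = 10.0) -> ssl.SSLSocket:
    """The controller dials out; the cloud never needs an inbound path into the
    building network. Returns the established TLS socket (caller closes it)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder paths: replace with the real CA bundle, certificate and key.
    server_ctx = cloud_server_context("CA_BUNDLE.pem", "cloud.crt", "cloud.key")
    client_ctx = controller_client_context("CA_BUNDLE.pem", "controller.crt", "controller.key")
    print("cloud endpoint policy:", context_policy(server_ctx))
    print("controller policy:   ", context_policy(client_ctx))
```

The asymmetry in context_policy is intentional: the controller checks the cloud's hostname because it knows whom it is dialling, while the cloud identifies the controller by the certificate it presents rather than by a name, and both sides refuse to proceed without a certificate from the other.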
Service Availability Controls
- Robust Infrastructure: our service is hosted within the Amazon AWS cloud, which provides extremely high levels of reliability. Our system is designed to allow us to quickly re-provision failing nodes or add capacity to meet increased load.
- Durability: our backup system transfers near-real-time application updates to an extremely durable (99.999999999%) backing store. Backups are never sent out of the United States. The integrity of backups is tested quarterly by restoring a complete backup to test systems and verifying the data. Our production backup buckets are replicated to a geographically separate region.
- Performance Monitoring: every component of the system sends telemetry to our centralized monitoring system, allowing us to track availability and service quality.
- Configuration as Code: all system and application configurations are stored in our configuration management system, tested in a staging environment before deployment, and treated as code subject to expert review before being moved into production.
- Disaster Recovery: our infrastructure is redundant against many different faults. In addition, our backup and deployment system means that we can migrate to a secondary site if required; Building Robotics has defined a target recovery time objective (RTO) and recovery point objective (RPO) for this service.