Security
This document serves as a place to outline our security practices and details. If a potential customer (or auditor) needs information about our security at Holder, this should be the first place we pull information from. It should be kept up to date as much as possible every time we modify or improve our security.
Services
UI
Our UI/application is secured with Google's Firebase Auth using JWT verification (see more below). We have a few public endpoints for form collection of customer information, but those are secured by requiring a wallet connection through RainbowKit (and will soon use Sign-In With Ethereum together with the Firebase JWTs).
API
Our API is secured with Google's Firebase Auth using JWT verification (see more below). We have a few public query endpoints for display-only information about a given Holder account (no customer information).
Data Collection
Our Data Collection API is an internal-only API that is secured via an x-api-key header stored as a secure variable during our deployment process with Cloud Run.
Transfers
Our Transfers API is deployed behind a VPC connector and is limited to internal traffic only. It is primarily meant to pull messages off of a PubSub topic to be processed. It has a few REST endpoints that are protected by an x-api-key header.
Workflow Automation
Our Workflow Automation API is deployed behind a VPC connector and is limited to internal traffic only. It is primarily meant to process messages being pushed to it from a PubSub topic. It is using the Google Cloud Functions Framework package to handle the networking configuration.
Discord
Infrastructure
Cloud Run
Our services are all deployed using Google's Cloud Run deployment. It puts every endpoint behind a load balancer that secures them via HTTPS/TLS, which encrypts traffic in transit.
Neo4j AuraDB
Encryption at rest and in transit
Daily backups (with 7 day retention)
Redis Memorystore
This is a managed service in GCP. It is deployed behind a VPC connector and is limited to internal traffic only.
Firebase Authentication
Deploying Services
We are using Google Cloud Run to deploy our services from Docker containers.
GitHub
Our GitHub repositories are private and not currently available to the public.
Cloud Storage
We have a Google Cloud Storage bucket that is marked as "public" for uploading images for our Email Builder.
Secret Manager
We store all of our API keys, passwords, and secrets in a Secret Manager secret that gets injected into every Cloud Run service we deploy.
Integrations
Intercom
XMTP