Blockdaemon Security FAQ

1. BLOCKDAEMON SERVICE OVERVIEW

  A. BLOCKDAEMON BUSINESS & CONTACT INFORMATION

Name: Blockdaemon

Headquarters: 6060 Center Drive, 10th Floor, Los Angeles, CA 90045

  B. COMPANY PROFILE

Corporate Information: Blockdaemon is a blockchain deployment facilitator that manages nodes and payment rails for blockchain networks.

Privacy Policy: https://blockdaemon.com/privacy-policy/

Total Number of Employees: 37

Website URL: https://blockdaemon.com/

URLs: Blockdaemon.com

  C. SERVICE SCOPE & TECHNOLOGY
  • Name of solution or service being provided: 

Node Infrastructure as a Service (IaaS).

  • Services offered: 

Blockdaemon’s blockchain node deployment and management platform includes staking support and the operation of validators for the world’s most popular blockchain platforms, including but not limited to Ethereum 2.0, Polkadot, Cosmos, and Solana. Blockdaemon supports many other blockchain platforms, all of which can be browsed on our Marketplace.

  • What technology languages/platforms/stacks/components are utilized in the scope of Blockdaemon’s services?

Go, Terraform, Ansible, Kubernetes (K8s), JavaScript, AWS, GCP, Azure, Docker

  D. SERVICE HOSTING
  • Are Blockdaemon’s Services run from (a) its own data center, (b) the cloud or (c) deployed-on premise only? 

Blockdaemon deploys nodes from a suite of Cloud and Dedicated servers distributed across the globe to achieve diversification and resiliency of the network.

  • What are the data center location(s) relative to services provided?: 

Data center locations are specific to the Customer’s Bare Metal preferences and prevailing availability; the exhaustive list of data centers utilized by Blockdaemon is considered privileged information, but specific Customer inquiries can be directed to the relevant Blockdaemon personnel. 

  • Which cloud providers does Blockdaemon rely on? 

AWS, GCP (Google Cloud), Azure

  • Has Blockdaemon reviewed and performed due diligence regarding cloud provider best security practices? 

Yes.

  • In which data centers/countries/regions is Blockdaemon deployed? 

Blockdaemon deploys nodes from a suite of Cloud and Dedicated servers distributed across the globe to achieve diversification and resiliency of the network. Upon request, Customers have the option of geofencing the services provided by Blockdaemon to a specific country/region. 

 

2. BLOCKDAEMON PRIVACY PRACTICES

  A. DATA REQUIRED TO PERFORM THE SERVICES 
  • Describe all types of Customer Data that will be required in connection with the Blockdaemon’s service, including any personal Information, financial data, sensitive data, confidential data, etc.: 

Blockdaemon does not collect any PII, outside of minimal contact information (email addresses, phone numbers) of key contacts in our CRM tool (Salesforce).

  • List all types of individuals (e.g., customers, end-users, employees etc.) whose Personal Information will be processed: 

Beyond the minimal business contact information described above, Blockdaemon does not process personal information.

  • List any known location(s) (country, region) of customers/end-users whose Personal Information will be processed: 

None; beyond the minimal business contact information described above, Blockdaemon does not process personal information.

  B. POLICIES & PROCEDURES 
  • Does Blockdaemon rely on third parties (“Sub-processors”) that will process personal Information to provide its service?

No. 

  • Does Blockdaemon require all Sub-processors to complete a privacy and/or security due diligence questionnaire prior to engagement?

N/A.

  • Does Blockdaemon systematically review and negotiate data processing or similar protection agreements with all Sub-processors? 

N/A.

  • Does Blockdaemon have a process in place to track data processing or similar protection agreements with Sub-processors? 

N/A.

  • Does Blockdaemon maintain internal policies regarding data retention and/or individual rights?

Yes, documentation available upon request.

  • Describe any training procedures for employees or contractors who handle personal Information. 

All employees receive mandatory security awareness training, across a range of different security topics which is regularly refreshed. 

 

  C. COMPLIANCE WITH DATA PROTECTION LAWS 
  • Has Blockdaemon assessed its compliance with applicable data protection laws? If so, please list the steps that have been taken to perform any such assessments. 

Blockdaemon is in compliance with the applicable data protection laws within the jurisdictions in which we operate. Policies and procedures can be provided, upon request.

  • Has Blockdaemon been subject to any regulatory investigations or audits? 

No.

  • To the extent that any applicable data protection laws provide for individual rights, including but not limited to access or deletion rights, how does Blockdaemon address and/or respond to individual requests? 

Blockdaemon holds minimal personal data; any individual request is handled in line with the legal and regulatory requirements of the jurisdiction that applies.

 

3. BLOCKDAEMON SECURITY PRACTICES & CONTROLS

  A. POLICIES & PROCEDURES 
  • Does Blockdaemon have a documented information security policy? 

Yes.

  • What is the time interval at which security policies are reviewed and updated? 

At least annually and after significant change.

  • Who is responsible for security policy development, maintenance, and issuance? 

Mehmet Osman, Chief Information Security Officer.

  • Are all security policies and standards readily available to all users (e.g., posted on company intranet)? 

Yes.

  • Is a complete set of Blockdaemon’s security policies available for review? 

Yes.

  • Does Blockdaemon maintain internal policies regarding data retention and/or individual rights? 

Yes.

  • Describe any training procedures for employees or contractors who handle personal Information. 

All employees receive mandatory security awareness training, across a range of different security topics which is regularly refreshed.

  B. SECURITY CONTROL ASSESSMENT
  • Have security-related job responsibilities, including oversight and accountability, been clearly defined and documented? 

Yes.

  • Have the security policies, standards, and procedures been reviewed and evaluated by a qualified third party? 

Yes.

  • Has the security perimeter infrastructure been assessed and reviewed by a qualified third party? 

Yes.

  • Do your third-party contracts (including Sub-processer agreements) contain language describing responsibilities regarding information protection requirements? 

N/A.

  • Describe the process by which any third parties (including Sub-processors) are granted access to Customer Data. 

N/A.

  C. ASSET CLASSIFICATION
  • Does Blockdaemon maintain an inventory of all important and critical information assets with asset owners clearly identified? 

Yes.

 

  D. PERSONNEL SECURITY
  • Do terms and conditions of employment clearly define information security requirements, including non-disclosure provisions for separated/terminated employees and contractors? 

Yes.

  • Describe the screening process for all users (employees, contractors, and third parties) with access to Customer Data. 

All employees and contractors are subject to employment pre-screening/background checks (specific documentation can be provided upon request).

  • Describe your hiring process and how a new employee is granted access to network resources. 

Blockdaemon operates a least-privilege access control model: employees are granted only the access needed to perform their roles and nothing more.

  • Describe the process by which a non-employee (e.g., contractor, customer, Sub-processor) is granted access to network resources. 

As above; contractors sourced through third-party recruitment services are subject to additional security screening.

  • How many users will have privileged access to systems containing Customer Data? 

Blockdaemon operates a least-privilege access control model: employees are granted only the access needed to perform their roles and nothing more.

  • Does Blockdaemon conduct formal information security awareness training for all users, including upper management? 

Yes.

  • Does Blockdaemon require additional training for system administrators, developers, and other users with privileged access? 

Yes.

  • Are all users required to sign a confidentiality agreement? 

Yes.

  • Does Blockdaemon have a BYOD policy? Please provide or describe how Customer Data is segregated and protected. 

N/A. Blockdaemon does not operate a BYOD system.

  E. PHYSICAL AND ENVIRONMENTAL SECURITY
  • Describe the physical security mechanisms that prevent unauthorized access to Blockdaemon office space(s), user workstations and server rooms/data centers. 

N/A. Blockdaemon’s physical operating model is globally distributed, and its nodes run on third-party cloud and dedicated servers rather than in Blockdaemon-operated facilities.

  • Are all critical information assets located in a physically secure area? 

Yes.

  • How does Blockdaemon protect systems from environmental hazards such as fire, earthquake, smoke, water, vibration, electrical supply interfaces, and dust? 

We utilize resilient cloud services, so these considerations do not apply to Blockdaemon directly.

  • What type of fire suppression systems are installed in Blockdaemon’s data centers (pre-action, mist, wet, clean agent, etc.)? 

N/A

  • What physical access restrictions has Blockdaemon put in place? 

N/A

  • How are contractors access granted to secure locations?  

N/A

  • What exterior security is provided (i.e. gates, secure vehicle access, security cameras, etc.)? 

N/A

  • Is there a specific natural disaster risk where Customer Data is processed? 

N/A

  • If so, what means of business continuity and disaster recovery are employed to mitigate (please see Section J below for further questions)? 

N/A

  • Describe Blockdaemon’s facilities system maintenance process. 

N/A

  • Does Blockdaemon have a formal media destruction policy? 

N/A

  • Does Blockdaemon have automatic locking screen savers when users’ workstations remain idle after a set period of time? If so, please describe. 

Yes. Workstations lock automatically after 5 minutes of inactivity. This applies to the remote workforce, including staff who do not work in a shared space, and is an auditable requirement.

  • How is the removal of equipment from the premises authorized and controlled? 

Robust policies and agreements are in place for the end-to-end lifecycle of equipment distribution and management. We are imminently rolling out JAMF Pro as our MDM solution.

  • Are logs maintained that record all changes to information systems? 

Yes.

  F. COMMUNICATIONS & OPERATIONS MANAGEMENT
  • Describe how you segregate duties to ensure a secure environment. 

Our engineers are assigned duties that are explicitly restricted to the information they need to know. All production secrets are consumed by service accounts, so an engineer never needs direct access to production environments, nor to the secrets required for deployment.

  • Describe how changes are deployed into the production environment. 

We have an established change management process which our engineers strictly adhere to.

  • Who manages/maintains your data center? If Blockdaemon uses a third-party contractor to maintain your systems, describe the vetting process by which that contractor was selected (see above). 

Our third party vendors are vetted by first studying their documentation, including stipulations regarding SLAs about security, disaster recovery, data governance, availability and where appropriate, certifications. The subsequent action is to then speak with a business representative and technical advisor to highlight and resolve any issues not covered for our use-case.

  • How does Blockdaemon protect its systems against newly-discovered vulnerabilities and threats? 

All threats and vulnerabilities are assessed, prioritized by severity, and addressed accordingly.

  • Does Blockdaemon scan traffic coming into the network for viruses? 

All endpoints run antivirus software, and deployment of JAMF Protect to all users in the company is imminent. We do not operate a traditional client/server network infrastructure.

  • How does Blockdaemon protect the confidentiality and integrity of all data between Blockdaemon and its Customers? 

Blockdaemon protects the confidentiality and integrity of data in transit between Blockdaemon and its Customers with SSH and TLS encryption.

  • How does Blockdaemon dispose of computer media when they are no longer of use? 

N/A

  • How is system documentation (network diagrams, run books, configuration guides, etc.) secured from unauthorized access? 

System documentation is subject to access control on a least privileged, need-to-know basis.  

  • Are backup procedures documented and monitored to ensure they are properly followed? 

Yes

  • Describe the process by which software malfunctions are reported and handled. 

Blockdaemon employs a cadre of engineers who monitor the performance and health of its software systems 24/7 in a follow-the-sun protocol.  When issues are identified, the relevant employee will alert team members and senior management, document the issue in a Jira ticket and begin to resolve the issue in accordance with documented runbook procedures.

  • What processes and standards do you follow for incident management, problem management, change management, and configuration management?

Blockdaemon adheres to documented incident, change and configuration management policies 

  • Please describe the technical platform that supports the monitoring, maintenance and support processes (both hardware and software platforms). 

Blockdaemon utilizes a diverse suite of platforms to assist in the monitoring, maintenance and support processes of our systems.  Platforms utilized are contingent on the services being provided

  G. ACCESS CONTROL
  • Describe your account and password restrictions for internally facing applications. 

Blockdaemon employs a complex password composition requirement, coupled with multi-factor authentication.

  • Describe your account and password restrictions for externally facing applications. 

Blockdaemon employs a complex password composition requirement, coupled with multi-factor authentication.

  • Describe your authentication methods used to authenticate users and or third parties via external connections. 

Blockdaemon authenticates users over external connections with SSH; access is monitored through its SSH certificate authority (see below).

  • Do you conduct periodic checks on users’ accesses to ensure their access matches their responsibilities? 

Yes.

  • Describe how you segment your network (i.e. security zones, DMZs, etc). 

N/A

  • Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use? 

Neither customers nor non-production critical staff are provided remote administrative capabilities to our servers or network devices. 

  • Describe any controls which are used to monitor and record system and application access. 

System access is audited through single sign-on (SSO) via our G Suite account; application access is monitored through an SSH certificate authority (SSH CA) that issues certificates with assigned identities.
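The two answers above (SSH authentication for external connections, and an SSH CA issuing certificates with assigned IDs) name a mechanism without showing it. The script below is an added example written for this page, not Blockdaemon's own tooling: it runs a minimal SSH certificate authority with stock OpenSSH, signs a user key into a short-lived certificate that carries an assigned key ID and a principal, reads both back out of the certificate, and revokes it by serial number. The key ID "alice@example.com", the principal "deploy", the 8-hour lifetime and every file path are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Blockdaemon's code: an SSH CA that issues user
# certificates with an assigned key ID. sshd writes that key ID to the auth
# log on every login, so access to a shared account (e.g. "deploy") is still
# attributable to one person. Assumed values: ed25519 keys, 8h validity,
# key ID alice@example.com, principal "deploy", and the paths below.

# issue_user_cert WORKDIR KEY_ID PRINCIPAL
#   Creates a CA key pair and a user key pair under WORKDIR (if absent),
#   signs the user key, and prints the path of the resulting certificate.
issue_user_cert() {
  work=$1; key_id=$2; principal=$3
  mkdir -p "$work"
  [ -f "$work/ca" ]   || ssh-keygen -q -t ed25519 -N '' -f "$work/ca"   -C "example-ssh-ca"
  [ -f "$work/user" ] || ssh-keygen -q -t ed25519 -N '' -f "$work/user" -C "$key_id"
  # -I  key ID embedded in the cert and written to sshd's auth log
  # -n  principal(s) the cert may log in as
  # -V  validity window: the cert expires by itself, no authorized_keys cleanup
  # -z  serial number, which is what revoke_serial uses later
  ssh-keygen -q -s "$work/ca" -I "$key_id" -n "$principal" -V +8h -z 1 "$work/user.pub"
  printf '%s\n' "$work/user-cert.pub"   # ssh-keygen names the cert <key>-cert.pub
}

# cert_key_id CERT  -- the assigned identity recorded in the certificate
cert_key_id() {
  ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

# cert_principals CERT  -- the login accounts the certificate is valid for,
# listed one per line below the "Principals:" header of `ssh-keygen -L`
cert_principals() {
  ssh-keygen -L -f "$1" | awk '
    /^ *Principals:/            { p = 1; next }        # start of the list
    p && /^ *[A-Z][A-Za-z ]*:/  { p = 0 }              # next header ends it
    p                           { sub(/^ +/, ""); print }'
}

# revoke_serial WORKDIR SERIAL  -- add a certificate serial to the key
# revocation list (KRL) that sshd consults through its RevokedKeys directive.
revoke_serial() {
  work=$1; serial=$2
  printf 'serial: %s\n' "$serial" > "$work/krl.spec"
  if [ -f "$work/revoked_keys" ]; then
    ssh-keygen -q -k -u -f "$work/revoked_keys" -s "$work/ca.pub" "$work/krl.spec"
  else
    ssh-keygen -q -k -f "$work/revoked_keys" -s "$work/ca.pub" "$work/krl.spec"
  fi
}

# is_revoked WORKDIR CERT  -- succeeds (exit 0) if the KRL lists the cert
is_revoked() {
  [ -f "$1/revoked_keys" ] || return 1            # no KRL yet: nothing revoked
  if ssh-keygen -Q -f "$1/revoked_keys" "$2" >/dev/null; then
    return 1                                      # reported "ok"
  else
    return 0                                      # reported "REVOKED"
  fi
}

# Server side, in sshd_config (assumed paths):
#   TrustedUserCAKeys /etc/ssh/ca.pub      # accept certs signed by this CA
#   RevokedKeys /etc/ssh/revoked_keys      # the KRL maintained by revoke_serial
# Without an AuthorizedPrincipalsFile, a certificate principal must equal the
# account name, which is why the cert above names "deploy". A successful
# login then logs a line of the form
#   Accepted publickey for deploy from ... ssh2: ED25519-CERT SHA256:... ID alice@example.com (serial 1) CA ED25519 SHA256:...
# tying the shared account back to the key ID issued above.

# Stand-alone demo: DEMO=1 sh ssh_ca_example.sh
if [ "${DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  cert=$(issue_user_cert "$d" alice@example.com deploy)
  echo "key id:     $(cert_key_id "$cert")"
  echo "principals: $(cert_principals "$cert")"
  revoke_serial "$d" 1
  is_revoked "$d" "$cert" && echo "serial 1 revoked: login now refused"
  rm -rf "$d"
fi
```

The design point is that the certificate, not a static authorized_keys entry, carries the identity: the CA decides who gets a certificate and for how long, the server only needs the CA public key and the KRL, and the key ID in the log is what an access review or incident investigation correlates against. Revoking by serial rather than by public key means the same user key can be re-certified later without touching the server.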

  • Do workstations or production servers currently utilize any type of Host Intrusion Prevention or Detection software? 

Yes.

  • To what extent are user’s system use logged and monitored? 

As required given sensitivity of information.

  • Are failed login attempts recorded and reviewed on a regular basis? 

Yes.

  H. DEVELOPMENT & MAINTENANCE
  • What tools and technologies do you utilize to effectively manage the development lifecycle? 

Jira and Confluence are used to track, manage and document changes; GitLab Enterprise is used to manage the source code.

  • Do you use data sets containing personal information from actual people when testing an application? If so, what measures do you take to protect that information? 

No.

  • Are your test systems secured in the same manner as your production systems? 

Yes.

  • Describe how you protect your application source libraries.

Our application source libraries are checked as an integral part of our SDLC pipeline using both SAST and DAST tooling.

  • Do security specialists conduct technical reviews of application designs? 

Yes.

  • Are security professionals involved in the testing phase of an application? 

Security policies are defined by our Security Manager, and our SecDevOps pipeline ensures end-to-end security from code commit to asset deployment.

  • Describe how you protect your applications from covert channels and Trojan code. 

We operate through the GitHub DevSecOps model, ensuring that all appropriate steps, including static application security testing (SAST), dynamic application security testing (DAST), infrastructure scanning and compliance checks, are conducted.

  • Have Blockdaemon’s developers been trained in secure coding techniques? 

Yes. 

  • Does Blockdaemon assess the risks around messaging to determine if message authentication is required? 

Yes

  I. INFORMATION SECURITY INCIDENT MANAGEMENT
  • Has a dedicated incident response team (“Incident Response Team”) been established? 

Yes

  • Has the Incident Response Team been trained in evidence gathering and handling? 

Yes

  • Are incident reports issued to appropriate management? 

Yes

  • After an incident, are policies and procedures reviewed to determine if modifications need to be implemented? 

Yes

  J. BUSINESS CONTINUITY MANAGEMENT / DISASTER RECOVERY PLAN
  • Has an organizational disaster recovery plan (“Disaster Recovery Plan”) coordinator been named and a mission statement identifying scope and responsibilities been published? 

Yes

  • Has a "worst-case" scenario to recover normal operations within a prescribed timeframe been implemented and tested? 

Yes

  • Has a listing of current emergency telephone numbers for police, fire department, medical aid and company officials been strategically located throughout all facilities and at off-site locations? 

Yes 

  • Is the backup site remote from hazards that endanger the main data center? 

Yes

  • Have contracts for outsourced activities been amended to include Sub-processor or other service provider responsibilities for disaster recovery planning? 

N/A

  • Have lead times for communication lines and equipment, specialized devices, power connectors, construction, firewalls and computer configurations have been factored into Blockdaemon’s disaster recovery plan? 

Yes

  • If a Disaster Recovery Plan is in place, is at least one copy of the Disaster Recovery Plan stored at the backup site and updated regularly? 

Yes

  • Are automatic restart and recovery procedures in place to restore data files in the event of a processing failure? 

Except in the rare cases where a particular service must be handled under supervision via a runbook for reasons of financial risk, our systems are deployed in a self-healing manner, using orchestration tools such as Kubernetes (k8s) and, where appropriate, cloud-init and system-level software on restarts.

  • Are contingency arrangements in place for hardware, software, communications and staff? 

Yes

  K. COMPLIANCE
  • Are Blockdaemon’s security policies and procedures routinely tested? 

Yes

  • Are audit logs or other reporting mechanisms in place on all platforms? 

Yes

  • When an employee is found to be in non-compliance with the security policies, what action is taken? 

Education and potential disciplinary actions, including the prospect of termination or legal action. 

  • Are audits performed on a regular basis? 

Yes

  • Are unscheduled audits performed? 

Yes

  • Has a team been identified as responsible for managing audit results? 

Yes

  • How often does Blockdaemon conduct penetration testing? 

At least annually, more frequently for critical systems or in light of threat intelligence. 

  • Are penetration tests carried out by an independent third party? 

Yes

  • Does the penetration test follow an industry approved methodology? 

Yes

  • If Blockdaemon accepts, processes, stores or transmits payment/credit card information, does it comply with Payment Card Industry Data Security Standard (PCI DSS)? 

Yes

 

Comments

  • I think that Blockdaemon is READY to enter the hot topic in the media and become the choice of the "GO TO" nodes. Simple, fresh and the perfect recipe for the wallet.
