
Overview

We have implemented a range of robust security practices to safeguard the confidentiality, integrity, and availability of the events being processed through our infrastructure. Here are some key security measures we have in place:

Encryption at rest

All data is encrypted at rest using AES-256. This protects against anyone who obtains the underlying storage media or a raw copy of the disks: without the encryption keys, the stored data is unreadable. Note that encryption at rest does not by itself protect data that a running service has already decrypted, which is why access to the keys and to the running infrastructure is controlled separately.

Signature verification

Signature verification is a process that ensures that the data you are receiving has not been tampered with.

When you create an endpoint as part of a pipeline, you either provide a secret or we generate one for you. This secret is used to sign the data that is sent to your endpoint. When the endpoint receives the data, it can use the same secret to recompute the signature and confirm that the payload has not been tampered with and that it was produced by a party holding the secret.

The signature is calculated using the HMAC-SHA256 algorithm, is base64 encoded, and is sent with the request in the X-Simplyq-Signature header. When secrets are being rotated, a signature is calculated with every secret that is currently valid, and the signatures are appended as a list in that header; your verifier should accept the delivery if any one of them matches a secret you hold, and compare signatures with a constant-time comparison.

The content used for hashing is the timestamp from the X-Simplyq-Timestamp header followed by the body of the request; other headers are not included. Because the timestamp is part of the signed content, it cannot be altered without invalidating the signature. To see examples of how to verify the signature, see the endpoint's secret section page.

In addition to signing the data we send to your endpoint, we forward any headers that were part of the original request. If the original sender signed its request, that signature header is therefore still present, and you can verify the original signature as well as ours.

Replay protection

Replay protection limits the window in which a captured webhook delivery can be replayed against your server. Without it, an attacker who records a valid, signed request could resend it indefinitely, since the signature would still verify.

This is done by including the timestamp of when the event delivery was attempted in the X-Simplyq-Timestamp header. All our client libraries automatically verify this header and raise an error if the timestamp is older than the tolerance threshold you provide (the default is 5 minutes). Since the timestamp is covered by the signature, it cannot be adjusted to keep a replayed request fresh. Within the tolerance window a replay is still possible, so your handler should process deliveries idempotently, and you should always check the signature before trusting the timestamp.
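The following is an added example of a receiver-side verifier covering both the signature check and the replay tolerance described above. It is not SimplyQ's client library or the page's own code, and it makes two assumptions that you must confirm against the endpoint's secret section page: that the timestamp and body are joined with a single "." before hashing, and that multiple rotation signatures in X-Simplyq-Signature are comma-separated. The secrets, timestamp and JSON body are constructed sample values.

```python
import base64
import hashlib
import hmac
import time

SIGNATURE_HEADER = "X-Simplyq-Signature"
TIMESTAMP_HEADER = "X-Simplyq-Timestamp"
DEFAULT_TOLERANCE_SECONDS = 300  # the 5-minute default described on the page

# Constructed sample values, not real SimplyQ secrets or payloads.
SAMPLE_SECRETS = ["old-secret-abc", "new-secret-xyz"]
SAMPLE_BODY = b'{"event":"order.created","id":"evt_123"}'
SAMPLE_TIMESTAMP = "1700000000"


def signed_content(timestamp: str, body: bytes) -> bytes:
    # ASSUMPTION: timestamp and raw body joined with "." is the HMAC input.
    return timestamp.encode("utf-8") + b"." + body


def compute_signature(secret: str, timestamp: str, body: bytes) -> str:
    # HMAC-SHA256 over the signed content, base64 encoded as the page describes.
    digest = hmac.new(secret.encode("utf-8"), signed_content(timestamp, body), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign(secrets, timestamp: str, body: bytes) -> str:
    # Sender side: one signature per currently-valid secret during rotation.
    # ASSUMPTION: the list is comma-separated in the header.
    return ",".join(compute_signature(s, timestamp, body) for s in secrets)


def _header(headers: dict, name: str):
    # HTTP header names are case-insensitive; match accordingly.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def verify(headers: dict, body: bytes, secrets, tolerance: int = DEFAULT_TOLERANCE_SECONDS, now=None) -> bool:
    """Return True only if a presented signature matches one of our secrets
    and the signed timestamp is within the tolerance window."""
    timestamp = _header(headers, TIMESTAMP_HEADER)
    sig_header = _header(headers, SIGNATURE_HEADER)
    if not timestamp or not sig_header:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    # Reject both stale and far-future timestamps (stricter than "older than").
    if abs(now - ts) > tolerance:
        return False
    presented = [s.strip() for s in sig_header.split(",") if s.strip()]
    for secret in secrets:
        expected = compute_signature(secret, timestamp, body)
        for candidate in presented:
            # Constant-time comparison avoids leaking the expected value byte by byte.
            if hmac.compare_digest(expected, candidate):
                return True
    return False


if __name__ == "__main__":
    headers = {
        TIMESTAMP_HEADER: SAMPLE_TIMESTAMP,
        SIGNATURE_HEADER: sign(SAMPLE_SECRETS, SAMPLE_TIMESTAMP, SAMPLE_BODY),
    }
    print("fresh, valid:", verify(headers, SAMPLE_BODY, ["new-secret-xyz"], now=1700000100))
    print("tampered body:", verify(headers, SAMPLE_BODY + b" ", ["new-secret-xyz"], now=1700000100))
    print("stale replay:", verify(headers, SAMPLE_BODY, ["new-secret-xyz"], now=1700000000 + 301))
```

The timestamp is only trustworthy after the signature has verified, so a production handler should call verify before reading any header value, and should treat two valid deliveries with the same event identifier inside the tolerance window as one event.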