Security

Global Watch implements multiple layers of security to protect your forest management data. This document outlines our security architecture, practices, and the measures we take to ensure your data remains safe.

Security Architecture

Defense in Depth

Global Watch employs a defense-in-depth strategy with multiple security layers:

┌─────────────────────────────────────────────────────────────┐
│                    Application Layer                         │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │ Input       │  │ Session     │  │ Rate Limiting       │  │
│  │ Validation  │  │ Management  │  │ & Throttling        │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
├─────────────────────────────────────────────────────────────┤
│                    Data Layer                                │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │ Row-Level   │  │ Encryption  │  │ Access Control      │  │
│  │ Security    │  │ (AES-256)   │  │ Lists               │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
├─────────────────────────────────────────────────────────────┤
│                    Infrastructure Layer                      │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
│  │ Firewall    │  │ DDoS        │  │ Network             │  │
│  │ Protection  │  │ Mitigation  │  │ Isolation           │  │
│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
└─────────────────────────────────────────────────────────────┘

Authentication Security

Password Security

Global Watch implements robust password security:

  • Hashing: Passwords are hashed using bcrypt with appropriate cost factors
  • Complexity Requirements: Minimum 8 characters with mixed character types
  • Breach Detection: Passwords checked against known breach databases
  • Secure Reset: Time-limited, single-use password reset tokens

Multi-Factor Authentication (MFA)

Optional MFA provides an additional security layer:

  • TOTP Support: Time-based one-time passwords (Google Authenticator, Authy)
  • Recovery Codes: Secure backup codes for account recovery
  • Enforcement Options: Organization-wide MFA enforcement available

Session Management

Secure session handling protects user accounts:

  • Secure Cookies: HTTP-only, secure, SameSite cookies
  • Session Expiration: Configurable session timeouts
  • Concurrent Sessions: Visibility and control over active sessions
  • Session Revocation: Ability to terminate sessions remotely

Authorization & Access Control

Role-Based Access Control (RBAC)

Global Watch implements granular RBAC:

| Role   | Description           | Permissions                              |
|--------|-----------------------|------------------------------------------|
| Owner  | Full account control  | All permissions                          |
| Admin  | Administrative access | Manage members, settings, billing        |
| Editor | Content management    | Create, edit, delete projects and assets |
| Viewer | Read-only access      | View projects and assets                 |

Permission System

Fine-grained permissions control access:

// Example permission structure
{
  "projects.read": true,
  "projects.write": true,
  "projects.delete": false,
  "assets.manage": true,
  "members.invite": true,
  "billing.manage": false
}
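
How the role table and the permission object above combine into an authorization check, as an added example (not Global Watch's own code). The role-to-key matrix is an assumption: the page gives the four roles and a sample permission object but not which keys each role receives. The check fails closed: unknown roles throw, unknown permission keys are denied, and an explicit `false` override on a member wins over the role grant.

```javascript
// Permission keys from the example structure; anything else is unknown and denied.
const ALL_PERMISSIONS = [
  'projects.read', 'projects.write', 'projects.delete',
  'assets.manage', 'members.invite', 'billing.manage',
];

// Role grants derived from the role table. Assumption: this exact mapping.
const ROLE_GRANTS = {
  owner:  ALL_PERMISSIONS,
  admin:  ['projects.read', 'projects.write', 'projects.delete', 'assets.manage', 'members.invite', 'billing.manage'],
  editor: ['projects.read', 'projects.write', 'projects.delete', 'assets.manage'],
  viewer: ['projects.read'],
};

// Effective permission object for a membership: the role's grants, then per-member
// overrides in the JSON shape shown above. Owner has full account control and is not
// subject to overrides.
function effectivePermissions(role, overrides = {}) {
  const grants = ROLE_GRANTS[role];
  if (!grants) throw new Error(`unknown role: ${role}`);
  const perms = Object.fromEntries(ALL_PERMISSIONS.map((p) => [p, grants.includes(p)]));
  if (role === 'owner') return perms;
  for (const [key, value] of Object.entries(overrides)) {
    if (!ALL_PERMISSIONS.includes(key)) throw new Error(`unknown permission: ${key}`);
    perms[key] = value === true; // only a literal true grants; false (or junk) denies
  }
  return perms;
}

function can(membership, permission) {
  const perms = effectivePermissions(membership.role, membership.overrides);
  return perms[permission] === true; // unknown key -> undefined -> denied
}

// Handler guard: a 403-style result instead of an exception.
function authorize(membership, permission) {
  return can(membership, permission)
    ? { allowed: true }
    : { allowed: false, status: 403, reason: `missing ${permission}` };
}
```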

Row-Level Security (RLS)

Database-level security ensures data isolation:

  • Tenant Isolation: Each organization's data is completely isolated
  • User-Level Access: Users only see data they're authorized to access
  • Policy Enforcement: Security policies enforced at the database level
  • No Bypass: Because policies are enforced by the database, an application bug that omits an access check cannot expose unauthorized data

Data Encryption

Encryption at Rest

All stored data is encrypted:

  • Algorithm: AES-256 encryption
  • Key Management: Keys stored in secure key management service
  • Key Rotation: Regular automatic key rotation
  • Backup Encryption: All backups are encrypted

Encryption in Transit

All data transmission is encrypted:

  • Protocol: TLS 1.3 (minimum TLS 1.2)
  • Certificate Management: Automated certificate renewal
  • HSTS: HTTP Strict Transport Security enabled
  • Certificate Pinning: Available for mobile applications

Field-Level Encryption

Sensitive fields receive additional encryption:

  • API Keys: Encrypted before storage
  • Personal Data: Additional encryption for PII
  • Geolocation Data: Protected coordinate data

Infrastructure Security

Cloud Security

Global Watch runs on enterprise-grade cloud infrastructure:

  • Provider: SOC 2 Type II certified cloud providers
  • Isolation: Virtual private cloud (VPC) isolation
  • Monitoring: 24/7 infrastructure monitoring
  • Patching: Automated security patching

Network Security

Multiple layers of network protection:

  • Firewall: Web Application Firewall (WAF) protection
  • DDoS Protection: Automatic DDoS mitigation
  • IP Filtering: Optional IP allowlisting for enterprise
  • Private Endpoints: VPC peering available for enterprise

Container Security

Application containers are secured:

  • Image Scanning: Automated vulnerability scanning
  • Minimal Images: Distroless base images
  • Runtime Protection: Container runtime security
  • Secrets Management: Secure secrets injection

Application Security

Input Validation

All user input is validated:

  • Schema Validation: Zod schemas for all inputs
  • Sanitization: HTML and SQL injection prevention
  • File Validation: Secure file upload handling
  • Size Limits: Request size limits enforced

API Security

API endpoints are protected:

  • Authentication: Bearer token authentication
  • Rate Limiting: Per-user and per-IP rate limits
  • Request Signing: Optional request signing for sensitive operations
  • Audit Logging: All API calls are logged

Dependency Security

Third-party dependencies are managed:

  • Vulnerability Scanning: Automated dependency scanning
  • Update Policy: Regular dependency updates
  • License Compliance: Open source license tracking
  • Supply Chain: Verified package sources

Security Monitoring

Threat Detection

Continuous monitoring for security threats:

  • Anomaly Detection: Machine learning-based anomaly detection
  • Failed Login Monitoring: Brute force attack detection
  • Suspicious Activity: Unusual access pattern alerts
  • Real-time Alerts: Immediate notification of threats

Security Logging

Comprehensive security event logging:

  • Authentication Events: Login attempts, MFA events
  • Authorization Events: Permission changes, access denials
  • Data Events: Sensitive data access logging
  • Admin Events: Administrative action logging

Incident Response

Prepared incident response procedures:

  1. Detection: Automated threat detection
  2. Triage: Severity assessment
  3. Containment: Threat isolation
  4. Eradication: Threat removal
  5. Recovery: Service restoration
  6. Lessons Learned: Post-incident review

Vulnerability Management

Security Testing

Regular security assessments:

  • Penetration Testing: Annual third-party penetration tests
  • Vulnerability Scanning: Weekly automated scans
  • Code Review: Security-focused code reviews
  • Bug Bounty: Responsible disclosure program

Patch Management

Timely security updates:

| Severity | Response Time      |
|----------|--------------------|
| Critical | Within 24 hours    |
| High     | Within 72 hours    |
| Medium   | Within 1 week      |
| Low      | Next release cycle |

Security Best Practices

For Users

Recommendations for account security:

Security Checklist

  • Enable Multi-Factor Authentication (MFA)
  • Use a strong, unique password
  • Review active sessions regularly
  • Keep recovery codes secure
  • Report suspicious activity immediately

For Administrators

Recommendations for organization security:

  • Enforce MFA: Require MFA for all team members
  • Review Permissions: Regular permission audits
  • Monitor Activity: Review audit logs regularly
  • Offboarding: Promptly remove departed members
  • API Key Rotation: Regular API key rotation

Compliance Certifications

Global Watch maintains security certifications:

| Certification | Status         | Description                     |
|---------------|----------------|---------------------------------|
| SOC 2 Type II | 🔄 In Progress | Service organization controls   |
| ISO 27001     | 🔄 In Progress | Information security management |
| ISO 9001      | 🔄 In Progress | Quality management system       |
| GDPR          | ✅ Compliant   | EU data protection              |
| LGPD          | ✅ Compliant   | Brazil data protection          |
| PDPL          | ✅ Compliant   | UAE data protection             |

ISO 27001 Annex A Controls

Global Watch implements comprehensive security controls aligned with ISO 27001:

| Control Area                         | Coverage | Status |
|--------------------------------------|----------|--------|
| A.5 - Information Security Policies  | 100%     |        |
| A.6 - Organization                   | 90%      |        |
| A.9 - Access Control                 | 95%      |        |
| A.10 - Cryptography                  | 100%     |        |
| A.12 - Operations Security           | 90%      |        |
| A.13 - Communications Security       | 95%      |        |
| A.14 - System Development            | 90%      |        |
| A.16 - Incident Management           | 85%      |        |

Overall Compliance: 85% of ISO 27001 Annex A controls implemented

Security Contact

Report security vulnerabilities:

  • Email: security@global.watch
  • PGP Key: Available on request
  • Response: Within 24 hours
  • Bug Bounty: Rewards for valid reports
