Custellence | Operations and Security

Version 1 – valid as of 23rd of May 2018

1. Introduction

This Security Policy document aims to define the security requirements for Custellence services, organization and third-party vendors. Its goal is to protect the Organization and the users of Custellence to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.

Security related incidents should be reported to: support@custellence.com

1.1. Scope

This document applies to all the employees at Custellence and any third party vendors. It includes temporary employees, consultants with temporary access to the services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for the aforementioned employees.

1.2. Definitions

“Personal Data”

Personal Data shall mean any information that can be related to an identified or identifiable living natural person (‘data subject’), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

The terms “personally identifiable information (PII)”, “Personal Data”, “private information”, “sensitive Personal Data”, “special categories of data” and “legally protected information” are often used interchangeably to refer to information relating to individuals.

The terms “customer data” and “subscriber information” are commonly used to refer to information relating to subscribers or other end-users.

“Service map data”

Any data that the user creates within the Custellence system, such as service maps and service map templates.

“Credit card information”

All data related to a customer credit card.

“Customer data”

Customer data is defined as all data related to the customer. In this document we have separated customer data into two parts: Personal Data and Service map data.

2. Organization of Information security

Top management shall set direction for, and show commitment to information security.

The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. See 6. Security Revision Schedule.

2.1. Human resource security

Custellence has a process that ensures that all personnel whose access to systems or information could give them access to customer data have signed a Non-Disclosure Agreement (NDA) as part of their contract with Custellence.

Custellence has a staff onboarding process that includes verifying the identity of staff and the background and skills they state.

Custellence has a staff termination process that includes revoking access rights, seizing IT equipment as well as notification of continuous confidentiality obligations.

To gain access to the internal resources from remote locations, users must have the required authorization. Remote access for an employee, external user or partner can be requested only by members of the management team.

2.1.1. Roles, accountability and responsibilities

  • Chief Executive Officer
    • Accountable for all aspects of the Organization’s information security.
    • Determine the privileges and access rights to the resources within their areas.
  • Chief Technology Officer
    • Responsible for the security of the IT infrastructure.
    • Plan against security threats, vulnerabilities, and risks.
    • Implement and maintain the Security Policy document.
    • Ensure IT infrastructure supports Security Policies.
    • Respond to information security incidents.
    • Help in disaster recovery plans.
  • All employees
    • Must uphold and meet requirements of Custellence Policy.
    • Report any attempted security breaches.

In consideration of being entrusted with rights to use Custellence systems, repositories and information, all employees must acknowledge the following:

  1. That information whose disclosure would cause harm to Custellence, irrespective of the form in, or the media on, which the information is displayed or contained, is considered confidential information;
  2. That employees will not, directly or indirectly, make use of information other than in the course of their duties;
  3. That employees will keep passwords, PIN codes, etc. entrusted to them strictly confidential;
  4. That employees will log off the computer or activate the password-protected screensaver immediately upon completion of each work session;
  5. That employees understand that their rights to use Custellence systems, repositories and information expire upon the termination of their work duty, or at any time upon request by Custellence.

Custellence Password Control Policy defines the requirements for the proper and secure handling of passwords in the Organization. Strong passwords are required.

2.2. Operations security

Loss, theft, damage, tampering or any other incident related to IT assets that compromises security must be reported as soon as possible to the CTO.

2.3. Sub-contractor relationships

Any sub-contractors are subject to the same vetting as employees and are required to sign the above-stated NDA and intellectual property rights agreement.

Third Party Sub-Processors shall be restricted to only the necessary access, use, retention and disclosure of customer Information needed to fulfill contractual obligations.

2.4. Continuous improvements

Custellence has world class engineering practices to ensure everything we do has a security perspective. This list is an example of things we do to uphold information security.

Custellence shall implement new updates and versions of the Application, to the extent deemed suitable by Custellence.

Engineering practices:

  • Clear code conventions enforced by static code analysis
  • Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection)
  • Continuous checks to keep libraries up to date
  • Continuous integration builds and testing
  • All code is peer reviewed to find bugs and security holes early
  • Passwords are always kept in password safes or in the deployment environment.

3. Business continuity

Custellence shall always have the right to disconnect the Application for service and upgrading without giving prior notice to the Customer.

Custellence intends to give the Customer advance notice of updates or maintenance of the Application.

4. Physical and environmental security

Custellence is a SaaS (software as a service) and therefore we host the service and data ourselves.

4.1. Data Centers

Custellence is working with the best-in-class service provider for data storage. The service provider’s physical infrastructure is hosted and managed within Heroku’s and Amazon’s secure data centers and utilizes Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX) - As a publicly traded company in the United States, salesforce.com is audited annually and remains in compliance with the Sarbanes-Oxley (SOX) Act of 2002.

Amazon security is covered here (https://aws.amazon.com/security/)

Heroku security is covered here (https://www.heroku.com/policy/security)

4.2. Geographical locations of Custellence services

All services are hosted in Ireland.

5. Data Processing

Keeping our customers’ data secure is extremely important and we spend a lot of effort and time to ensure all data sent to Custellence is handled securely.

5.1. Data at Rest

Custellence gets powerful and automatic protection through our database provider. Database service providers are certified under the EU-U.S. Privacy Shield framework. https://www.heroku.com/policy/security

Custellence stores all Personal Data and Service map data on AWS, an Amazon service (https://aws.amazon.com/compliance/). See 4.2. Geographical locations of Custellence services for the geographical location.

Credit card information is stored with a Level 1 PCI compliant third-party vendor. See 5.7. Payment Details for more information.

5.2. Data in Transit

Custellence uses standard SSL, i.e. encryption of data “in transit”, and is rated A+ by the third-party vendor SSL Labs.

Privacy and the protection of customer communications and data are of the highest importance to Custellence, and we have both technical and operational support in place to ensure this.

We also leverage all protection through https://www.heroku.com/policy/security.

5.3. Backups and Data Loss Prevention

Data is backed up continuously and we have an automatic failover system in case the main system fails.

5.4. User Password

Passwords are hashed and salted using the bcrypt algorithm so that the stored values cannot cause harm in the case of a breach. Custellence can never see user passwords and users can only self-reset them by email.

5.5. Payment Details

Custellence uses the PCI-compliant payment processor Stripe for encrypting and processing credit card payments.

It is impossible for employees or vendors to handle credit card information.

5.6. Access to Customer Data

Custellence staff do not access or interact with customer data as part of normal operations. There may be cases where Custellence is requested to interact with customer data at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by Custellence staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time. For our privacy policy, read more in Policy on privacy and data protection.

6. Security Revision Schedule

This schedule states how often Custellence conducts security revisions and different types of tests. If significant changes occur, Custellence will initiate an otherwise planned activity to ensure continuing security.

Planned activity | Frequency
Security training for personnel | Yearly and at beginning of employment
Revoke system, hardware and document access | At end of employment
Ensure access levels for all systems and employees are correct | 2 times a year
Ensure all critical system libraries are up-to-date | Continuously
Unit and integration tests to ensure system functionality and security | Continuously