Operations and security policy
1. Introduction
This Security Policy document defines the security requirements for Custellence services, organization and third party vendors. Its goal is to protect the Organization and the users of Custellence to the maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and business outcomes.
Security related incidents should be reported to: [email protected]
1.1. Scope
This document applies to all the employees at Custellence and any third party vendors. It includes temporary employees, consultants with temporary access to the services and partners with limited or unlimited access time to services. Compliance with policies in this document is mandatory for the aforementioned employees.
1.2. Definitions
“Personal data”
Personal data shall mean any information that can be related to an identified or identifiable living natural person (‘data subject’), or as otherwise defined by law, regulation or contractual agreement. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
The terms “personally identifiable information (PII)”, “Personal data”, “private information”, “sensitive Personal data”, “special categories of data” and “legally protected information” are often used interchangeably to refer to information relating to individuals.
The terms “customer data” and “subscriber information” are commonly used to refer to information relating to subscribers or other end-users.
“Service map data”
Any data that the user creates within the Custellence system, such as service maps and service map templates.
“Credit card information”
All data related to a customer credit card.
“Customer data”
Customer data is defined as all data related to the customer. In this document we have separated customer data into two parts: Personal data and Service map data.
“Custellence data”
Refers to all data processed by Custellence, including all the definitions above.
2. Organization of Information security
Top management shall set direction for, and show commitment to information security.
The information security policy shall be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy and effectiveness. See 6. Security Revision Schedule.
2.1. Human resource security
Custellence has a process that ensures that all personnel with access to systems or information that can provide access to customer data have signed a Non-Disclosure Agreement (NDA) as part of their contract with Custellence.
Custellence has a staff onboarding process that includes verifying the identity of staff and the background and skills they state.
Custellence has a staff termination process that includes revoking access rights, seizing IT equipment as well as notification of continuing confidentiality obligations.
To gain access to the internal resources from remote locations, users must have the required authorization. Remote access for an employee, external user or partner can be requested only by members of the management team.
2.1.1. Roles, accountability and responsibilities
- Chief Executive Officer
  - Accountable for all aspects of the Organization’s information security.
- Chief Information Security Officer
  - Determine the privileges and access rights to the resources within their areas.
  - Responsible for the security of the IT infrastructure.
  - Plan against security threats, vulnerabilities, and risks.
  - Implement and maintain the Security Policy and other security documents.
  - Ensure IT infrastructure supports Security Policies.
  - Respond to information security incidents.
- Chief Technology Officer
  - Help in disaster recovery plans.
- All employees
  - Must uphold and meet requirements of Custellence Policy.
  - Report any attempted security breaches.
  - Report any detected vulnerabilities.
In consideration of being entrusted rights to use Custellence systems, repositories and information, all employees must acknowledge the following:
- That information whose disclosure would cause harm to Custellence is considered confidential information, irrespective of the form in which, or the media on which, the information is displayed or contained;
- That employees will not, directly or indirectly, make use of Custellence data other than in the course of their duties;
- That employees will keep passwords, PIN codes, etc. entrusted to them, strictly confidential;
- That employees will log off the computer or activate the screensaver configured with password immediately upon leaving their workstation;
- That employees understand that their rights to use Custellence systems, repositories and information expire upon the termination of their work duty, or at any time upon the request by Custellence.
Custellence Password Control Policy defines the requirements for the proper and secure handling of passwords in the Organization. Strong passwords are required.
2.2. Operations security
Losses, theft, damage, tampering or other incidents related to IT assets that compromise security must be reported as soon as possible to the CISO.
2.3. Sub-contractor relationships and compliance
We have standard contractual clauses with all our sub-processors to regulate data protection. These agreements are available upon request to [email protected].
Third Party Sub-Processors shall be restricted to only the necessary access, use, retention and disclosure of customer Information needed to fulfill contractual obligations.
A list of our sub-processors can be found here.
2.4. Continuous improvements
Custellence has state of the art engineering practices to ensure that everything we do has a security perspective. This list is an example of things we do to uphold information security.
Custellence shall implement new updates and versions of the Application, to the extent deemed suitable by Custellence.
Engineering practices:
- Clear code conventions enforced by static code analysis
- Adherence to OWASP Secure Coding Practices
- Use of well known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection)
- Continuous checks to keep libraries up-to-date
- Continuous integration builds and testing
- All code is peer reviewed to find bugs and security holes early
- Passwords are always kept in password safes or in the deployment environment.
3. Business continuity
Custellence has a Disaster Recovery Business Continuity Plan that is routinely tested to maximize availability.
4. Physical and environmental security
Custellence makes use of external platform providers and therefore does not host the service or any data itself.
4.1. Data centers
Custellence works with a best-in-class service provider for data storage. The service provider’s physical infrastructure is hosted and managed within Heroku’s and Amazon’s secure data centers and utilises Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Amazon security policies are covered here (https://aws.amazon.com/legal/)
Heroku security is covered here (https://www.heroku.com/policy/security)
4.2. Geographical locations of Custellence services
Services are hosted in Ireland, Sweden and the United States.
5. Data processing
Keeping our customers’ data secure is highly important and we spend a lot of effort and time to ensure all data sent to Custellence is handled securely.
5.1. Data at rest
Customer data is encrypted at rest with AES-256 block-level storage encryption.
Custellence gets powerful and automatic protection through our database provider. Database service providers are certified under SOC, PCI and ISO 27001/27017/27018. More details are covered here.
Custellence stores all personal and Service map data on AWS (an Amazon service, https://aws.amazon.com/compliance/). See 4.2. Geographical locations of Custellence services for the geographical location.
Credit card information is stored with a PCI DSS Level 1 compliant third party vendor. See 5.5. Payment Details for more information.
5.2. Data in transit
Custellence uses standard TLS, i.e. encryption of data “in transit”, and is rated A by the third-party vendor SSL Labs.
Privacy and the protection of customer communications and data is of highest importance to Custellence and we have both technical and operational support in place to ensure this.
We also leverage all protection through https://www.heroku.com/policy/security.
5.3. Backups and data loss prevention
Data is backed up continuously and we have an automatic failover system in case the main system fails.
5.4. User password
We store passwords hashed and salted using the bcrypt algorithm to protect them in the case of a breach. Custellence can never see user passwords and users can only self-reset them by email.
5.5. Payment details
Custellence uses PCI DSS Level 1 compliant payment processor Stripe for encrypting and processing credit card payments.
It is impossible for employees or vendors to access credit card information.
5.6. Access to customer data
Custellence staff do not access or interact with customer data as part of normal operations. There may be cases where Custellence is requested to interact with customer data at the request of the customer for support purposes or where required by law. Customer data is access controlled and all access by Custellence staff is accompanied by customer approval or government mandate, reason for access, actions taken by staff, and support start and end time. For our privacy policy, read more in the policy on privacy and data protection.
6. Security revision schedule
This section describes how often Custellence conducts security revisions and different types of tests. If significant changes occur, Custellence will initiate an otherwise planned activity to ensure continuing security.
Planned activity and frequency:
- Security training for personnel: monthly and at beginning of employment
- Revoke system, hardware and document access: continuously and at end of employment
- Ensure access levels for all systems and employees are correct: 2 times a year
- Ensure all critical system libraries are up-to-date: continuously
- Unit and integration tests to ensure system functionality and security: continuously
- Security documentation review: yearly
Version 4 – Valid as of 18th of July 2022