Security Policy

At BIBLIOTECHA INC., we are committed to maintaining the highest level of security for our LabelSync addon.

We understand the importance of ensuring the confidentiality, integrity, and availability of your data, and we take the responsibility of safeguarding it seriously.

The general approach to security follows the EBIOS methodology (the main method used in France).

Our approach to preventing unauthorized access to customer data is based on the following principles:


Risk Sources

Three main risk sources are addressed:

  • Internal individuals: Employees and Contractors
  • External individuals: Providers, Competitors, Authorized Third Parties…
  • Non-human sources: Viruses, Natural Disasters, Flammable Materials…


Assets

Our data is exclusively hosted on secure servers provided by Google Cloud, and we never allow data to transit on any other type of hardware. We use secured databases and password protection inside the network, and only managers and team leaders have full access to live data. Our database and gateway passwords are kept in a strongly encrypted file that is stored on a separate server and is read only once, by the live server, at each deployment.

Hardware

Data is exclusively hosted on secured servers provided by Google Cloud (Google Compute Platform Infrastructure), and data never transits on other types of hardware (USB drives, CDs, mobile phones, local computers, etc.).


Databases

Databases hosting our customers’ data are secured and password protected inside the network. Only managers and team leaders have full access to the live data. Developers work on staging data and have no way to access live data.

Database and gateway passwords are kept in a strongly encrypted file that is stored on a separate server and read once, by the live server, at each deployment.


Software

We use a minimal number of third-party tools, such as MongoDB and Zabbix, and each installation of new software undergoes a strict security clearance, including screening for trojans and spyware. Only users who require access to these tools have credentials and authorization to use them.


Network

Our network is exclusively web-based, built on Google architecture, and one employee is assigned full-time to security management and access permissions.
Infrastructure access (FTP, for example) is protected by 4 levels of restrictions:

  • Google Account approval (only approved Google email IDs can access).
  • 2-step authentication of the Google account.
  • IP addresses: only a set of whitelisted IP addresses is allowed. Work-from-home users have to communicate their IP address every day.
  • An additional in-house 2-step authentication system using the Time-based One-Time Password algorithm (TOTP) and the HMAC-based One-Time Password algorithm (HOTP).

In addition:

  • Measures are in place to prevent DDoS attacks and SQL injection.
  • Our employees are trained to recognize phishing and “cloud-based” viruses (for example, a lure that asks them to log in to their Google account to open a file).


People

  • All employees and contractors are screened before hire; they sign an NDA and are regularly reminded of the security and privacy measures and of the risks and penalties related to data breaches.
  • The number of users accessing customer data is strictly limited to security and management staff.
  • Development and support teams can impersonate users and access their contacts for troubleshooting and support purposes only.
  • All activity on servers and platforms is logged and monitored, and any abnormal activity is immediately detected and investigated.