
Security and Compliance

Overview

We know that the data you hold about your risks, compliance, health and safety, internal audits and incidents is extremely important to you and your business, and we take protecting it seriously. After all, we host the same kind of information in our own Protecht.ERM platform. That is why all communications with the platform are secured using HTTPS and your data is encrypted at rest.

Our infrastructure uses trusted providers aligned to security best practice, so that data is protected at all times and accessible only to those you authorise. Our data centres use current cloud technologies to provide a highly scalable and resilient platform that lets customers reach their data whenever they need it.

Protection

Protecht encrypts all communication between customers and our data centres using strong encryption. All login and post-login web pages in Protecht are served over TLS, the successor to SSL. All data at rest is encrypted with AES-256. Protecht protects its system infrastructure with dedicated firewall and network services that block unauthorised access.

Tight access controls are enforced. Protecht employees cannot access customer data unless specifically required to do so for support reasons.

Compliance

ISO27001

Protecht is ISO 27001 certified. ISO 27001 is an information security management standard published jointly by the International Organization for Standardization (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). The certification was issued by an independent, accredited certification body following successful completion of a formal audit process.


EU-GDPR

Protecht complies with the General Data Protection Regulation (GDPR) in its processing of personal data of people in the European Union.


ERM Security features

Single Sign-On (SSO) support

SSO via SAML is supported, for example with Active Directory Federation Services (ADFS). Other SAML-compliant identity providers are also supported, including Google (SAML), Okta, Azure, and Vanguard.

Two-factor authentication

Two-factor authentication can be configured through a SAML-based identity provider. In that arrangement the second factor is enforced by the identity provider rather than by Protecht.ERM.

Native two-factor authentication will be introduced in Protecht.ERM version 8.4.

IP restrictions

Clients can request that only designated IP addresses or IP ranges can have access to their site.

Encryption of data at rest

Databases and backups are encrypted at rest using the AES-256 cipher.

Encryption of data in transit

Data in transit is protected by HTTPS (TLS). TLS versions and cipher suites are limited to those known to be secure; currently TLS 1.2 is the only supported protocol version.
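The protocol restriction described above, as an added example and not code from Protecht: it builds a server-side TLS context pinned to TLS 1.2 with a restricted cipher list using only the Python standard library, exposes a plain-data summary of that context for a policy check, and probes a live endpoint one protocol version at a time to report which versions it accepts. The cipher string, the `WEAK_MARKERS` list and the default target `example.com` are choices made for this example, not a description of Protecht's actual deployment.

```python
"""Check a TLS endpoint against a 'TLS 1.2 only, strong ciphers' policy.

Added example, not Protecht code. It shows (a) how a server context matching
the policy described above is built with the standard library and inspected,
and (b) how to probe a live endpoint for the protocol versions it accepts.
"""
import socket
import ssl

# Cipher string for the policy: ECDHE key exchange with AEAD suites only,
# explicitly excluding anonymous, MD5, RC4 and 3DES suites. This is a policy
# choice made for the example, not a description of Protecht's deployment.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"

# Suite-name fragments that should never appear in a hardened cipher list.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXPORT", "ADH", "AECDH")

# Lowest version the policy permits; anything below it is legacy.
POLICY_MIN = ssl.TLSVersion.TLSv1_2

# Versions the probe will try, one handshake each.
PROBE_VERSIONS = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def tls12_only_server_context(certfile=None, keyfile=None):
    """Server-side context pinned to TLS 1.2 with the strong cipher list.

    certfile/keyfile are optional so the context can be inspected without a
    certificate; a real listener must load its chain here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # 'TLS 1.2 only'
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION          # no TLS compression (CRIME)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_summary(ctx):
    """Plain-data view of a context, suitable for a policy assertion or report."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "cipher_count": len(names),
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
    }


def probe_accepted_versions(host, port=443, timeout=5.0):
    """One handshake per version; returns the set of version names accepted.

    Certificate validation is disabled because the question is which protocol
    versions the endpoint negotiates, not whether its certificate is valid.
    On current OpenSSL builds a TLS 1.0/1.1 client may be refused by the
    client's own security level before the server is reached; that still
    counts as 'not accepted' for the purposes of this probe.
    """
    accepted = set()
    for name in PROBE_VERSIONS:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # must precede the verify_mode change
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    if tls.version():
                        accepted.add(name)
        except (ssl.SSLError, OSError, ValueError):
            pass                            # handshake refused: not accepted
    return accepted


def legacy_versions_accepted(accepted_names):
    """Names of accepted versions below POLICY_MIN, i.e. policy violations."""
    return sorted(n for n in accepted_names if ssl.TLSVersion[n] < POLICY_MIN)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    got = probe_accepted_versions(target)
    print("accepted:", sorted(got))
    print("policy violations:", legacy_versions_accepted(got))
```

Run it as `python tls_policy_check.py your.host.example` against a host you are authorised to test; an endpoint that matches the page's statement will report `TLSv1_2` (and possibly nothing else) as accepted and an empty violation list. The probe deliberately skips certificate validation, so it says nothing about certificate hygiene, only about protocol negotiation.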

Separation of system and network environments

System and network environments are logically separated using VLANs.

Hardening of virtual images

All servers and virtual machines are hardened in line with the CIS (Center for Internet Security) framework.

File integrity, intrusion detection, and intrusion prevention

Host-based intrusion detection (HIDS) and host-based intrusion prevention (HIPS) are in place on all servers. The intrusion detection component monitors for abnormal traffic patterns, while the intrusion prevention component acts to stop malicious activity. Together they help protect against a wide range of threats, including previously unseen (zero-day) variants of worms, Trojans, spyware, keyloggers and other malware, and help prevent such malware from penetrating the network or spreading from already infected hosts.

Logging and activity history

The platform has comprehensive security logging and reporting capabilities. Clients can use these logs for monitoring and for identifying any misuse of the system.

  • History against each item – The platform maintains an audit trail of actions against each record.
  • Audit log – The platform keeps an Audit Log that tracks access to and use of the system. The Audit Log is not exposed to users for reporting purposes; Protecht does, however, make it available to clients on request via the Support Desk.

Resilience

Protecht maintains a business continuity plan and a disaster recovery plan as part of its ISO 27001 certification. Protecht.ERM is operated 24 x 7 regardless of time zone, with a standard SLA of 99.5% availability.

Penetration testing

Protecht takes security seriously and proactively monitors and tests its network, data centre infrastructure and application. We conduct ongoing security reviews and, in specific circumstances, work closely with customers so that they can conduct their own scheduled tests as well.

Penetration testing and vulnerability management

External penetration testing is performed annually, or on significant changes to the infrastructure or application, and covers both the infrastructure and the application layer. Penetration testing is also performed as part of the release process for each major release of the application.

Customer penetration and vulnerability testing

Customers may request to run their own penetration test and security vulnerability scan. Because penetration tests are often indistinguishable from real network attacks, all customer-initiated tests must have permission requested from, and granted by, Protecht's senior technical staff before they are run.