Security and compliance
Overview
We know your data containing your risks, compliance, health and safety, internal audits, incidents are extremely important to you and your business, and we take protecting them seriously. That is why all our communications are secured using HTTPS and your data is encrypted at rest.
Our infrastructure uses trusted providers that are aligned to security best practices, ensuring data is protected at all times and only accessible by who you want. Our data centers use the latest cloud technologies providing a highly scalable and resilient platform that enables customers to access their data when they needed.
Protection
Protecht encrypts all communication between customers and our data centers through strong encryption. All login and post-login web pages in Protecht are served over TLS, a successor to SSL. We encrypt all data at rest using AES-256 encryption. Protecht protects its system infrastructure by using dedicated firewall and network services to block unauthorized system access.
Tight access control systems are enforced. Protecht employees are not able to access customer data unless specifically required to do so for support reasons.
Compliance
ISO27001
Protecht is ISO 27001 certified. ISO is an information security standard published by the International Organization for Standardization, the world’s largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC). This certification was issued by an independent and accredited certification body based on successful completion of a formal audit process.
EU-GDPR
Protecht complies with the General Data Protection Regulation regarding processing of personal data of people in the European Union.
UK-GDPR
Protecht complies with the General Data Protection Regulation regarding processing of personal data of people in the United Kingdom.
ERM security features
Single Sign-On (SSO) support
SSO solutions such as Active Directory Federated Services (ADFS) via SAML are supported. Other SAML-compliant providers are also supported, including Google (SAML), Okta, Azure, and Vanguard.
Two-factor authentication
In Protecht.ERM, you can turn on two-factor authentication so that users must provide two forms of identity verification to access the system. This feature is available out-of-box and can be enabled from the user interface.
For clients who have Single-Sign-On (SSO) enabled, two-factor authentication can be enabled from the client's Identity Provider server that provides the SSO authentication.
IP restrictions
Clients can request that only designated IP addresses or IP ranges can have access to their site.
Encryption of data at rest
Databases and backups are encrypted at rest using AES-256 cipher.
Encryption of data in transit
Data in transit is protected by HTTPS (SSL) encryption. SSL versions and ciphers are limited to only those known to be secure. Currently TLS 1.2 is the only supported protocol
Separation of system and network environments
System and network environments are logically separated using VLAN.
Hardening of virtual images
All servers and virtual machines are hardened using the CIS Framework
File integrity, intrusion detection, and intrusion prevention
Host-based intrusion detection (HIDS) and host-based intrusion prevention (HIPS) are in place on all servers. The intrusion detection system monitors abnormal traffic patterns, while intrusion prevention works to stop malicious attacks. These components provide a zero day protection against a large number of attacks such as worms, Trojans, spyware, key loggers and malware from penetrating the network or spreading from already infected users.
Logging and activity history
The platform has comprehensive security logging and reporting capabilities. Clients can access these logs for monitoring purposes and identifying any system misuse.
- History against each item – The platform maintains an audit trail of actions against each record.
- Audit log – The platform has an Audit Log for tracking access and use of the system. The Audit Log is not exposed for reporting purposes by users. (Protecht does however make available the Audit Log to clients via a request to the Support Desk if required.)
Resilience
Protecht maintains business continuity plan and disaster recovery plan as part of the ISO 27001 certification. Protecht's SAAS products operate 24 x 7, regardless of time zone differences providing an standard SLA of 99.5% availability.
Penetration testing
Protecht takes security very seriously and proactively monitors and tests its network, data centre infrastructure, and application. We conduct ongoing security reviews and under special circumstances we work closely with customers to conduct their own scheduled tests as well.
Penetration testing and vulnerability management
External penetration testing is performed annually (or on significant changes to the infrastructure or application) and covers infrastructure and the application level. Penetration testing is also performed as part of the release process for each major release of the application.
Customer penetration and vulnerability testing
Clients or prospective clients can arrange for penetration testing. However, there are some limitations to ensure that other clients are not impacted. Protecht is also obligated to seek permission from the hosting provider before any penetration testing is performed. Additional testing can be organised through the support desk.
Responsible vulnerability disclosure policy
We are open to engage with the security community. Our security vulnerability disclosure policy allows you to responsibly share your findings with us.
If you think you have identified a security vulnerability in one of our products, infrastructure, or service, report it to us as quickly as possible.
Our policy doesn't authorize you to conduct security testing against Protecht. If you think a security vulnerability exists, please report it to us. We can test and verify it.