Technology
Hosting
- Hosting of our Platform is provided by Amazon Web Services (AWS), which holds, among others, the following certifications:
• ISO 9001:2015 (Quality Management)
• ISO 27001:2013 (Security Management)
• ISO 27017:2015 (Cloud-Specific Security Controls)
• ISO 27018:2014 (Personally Identifiable Data Protection)
• Cloud Security Alliance - CSA STAR Level 2 (Cloud Service Provider Security)
- AWS is audited twice a year, covering a 6-month period, to attest that it meets the criteria of its security programs, following SOC 2 Type II auditing procedures.
- AWS datacenters are built to the highest standards with fully redundant power and cooling and strict access controls in place to ensure a very secure environment.
- Data is stored in the following AWS regions, depending on your hosting needs:
• EU-WEST-1 (Dublin, Ireland) for our European platform
• AP-SOUTHEAST-1 (Singapore) for our Singapore platform
• AP-SOUTHEAST-2 (Sydney, Australia) for our Australian platform
- Inquiries and questions regarding our hosting provider and their certifications can be addressed to info@negosmart.com.
Operations
- Scanmarket is responsible for the operation of the hosted services and has procedures in place for:
• 24x7x365 monitoring, maintenance and correction of hardware and software
• Continuous patching and fixes
• Hardening of servers, including monitored security suites
• Scaling of the solution to ensure performance
Backup
- All data is backed up daily, with one weekly full-backup and daily incremental backups. Database transaction log files are backed up every 15 minutes.
- The retention period for backups is 60 days.
- Backups are stored in two separate AWS accounts, with completely segregated access, for disaster recovery purposes.
Information Security Management System
- Scanmarket runs an extensive Information Security Management System (ISMS) based on the structure of the internationally recognized ISO/IEC 27001:2013. The ISMS is subject to continuous, systematic review and improvement.
Encryption
- All data at rest is stored encrypted and all sensitive data is encrypted in the database. Each customer has their own unique encryption key which ensures one customer cannot access another customer’s data.
- Data in transit is encrypted for all transactions. All encryption is performed using current industry standards.
Disaster Recovery Planning & Business Continuity Planning
- We understand that the company data in our system is the lifeline to your business. We strategically plan and prepare for any disaster recovery situation that could potentially happen.
- A restore is carried out every day. Our ambition is to have a complete restore effected within 2 hours.
- With Total Disaster Recovery, it is our ambition that the client within 24 hours can recommence working on a normal system, as well as access the data that was available at the latest scheduled backup prior to catastrophic failure.
Quality Assurance and Security Testing
- Before any change is made in the Scanmarket strategic sourcing platform, the complete change is verified by highly qualified Quality Assurance Personnel ensuring highest possible stability and security in the application. The security testing includes, but is not limited to, testing against malicious requests and malicious input, including possible cross-site scripting attacks.
Penetration Testing
- A yearly penetration test is performed by a qualified third-party, and any findings are corrected immediately. The latest summary is available to customers upon request.
Application Security
- All database access is performed through the ORM framework or a secure query engine, eliminating the risk of SQL injection attacks.
- User input is generally encoded so it can be displayed safely. This protects against cross-site scripting or JavaScript injection attacks. Where the user is able to enter rich text input, the resulting mark-up is sanitized.
- All requests are validated for correct rights before data is returned or modified.
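The three controls above (parameterised database access, output encoding of user input, and a rights check before data is returned) are easiest to see side by side in code. The following is an added, self-contained example in Python, not Scanmarket's own code: the `suppliers` table, the two tenants and the sample names are constructed here, and the function names are assumed for illustration. The unsafe query is included only to show what the parameterised version prevents.

```python
import html
import sqlite3

# Constructed demo data (not from the page): two customers' supplier records in one table.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE suppliers (id INTEGER PRIMARY KEY, customer_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO suppliers (customer_id, name) VALUES (?, ?)",
        [
            (1, "Acme Metals"),
            (1, "<script>alert(1)</script> Ltd"),  # hostile name stored verbatim
            (2, "Other Tenant Co"),
        ],
    )
    return conn


def find_suppliers_unsafe(conn, customer_id, name_fragment):
    # Anti-pattern: string concatenation lets the search term rewrite the WHERE clause,
    # so a crafted fragment can drop the customer_id restriction entirely.
    sql = (
        f"SELECT name FROM suppliers WHERE customer_id = {customer_id} "
        f"AND name LIKE '%{name_fragment}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def find_suppliers_safe(conn, customer_id, name_fragment):
    # Parameterised query: the driver binds values separately from the SQL text,
    # so the fragment is only ever compared as data, never parsed as SQL.
    sql = "SELECT name FROM suppliers WHERE customer_id = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (customer_id, f"%{name_fragment}%"))]


def render_supplier_cell(name):
    # Output encoding: a stored name is HTML-escaped at render time so that
    # markup inside it is displayed as text rather than executed by the browser.
    return html.escape(name)


def get_supplier(conn, session_customer_id, supplier_id):
    # Rights check before returning data: looking up by id alone would let any
    # authenticated user read another customer's record by guessing the id.
    row = conn.execute(
        "SELECT customer_id, name FROM suppliers WHERE id = ?", (supplier_id,)
    ).fetchone()
    if row is None:
        return None
    if row[0] != session_customer_id:
        raise PermissionError("supplier belongs to another customer")
    return row[1]


if __name__ == "__main__":
    db = build_demo_db()
    probe = "%' OR 1=1 --"  # constructed search term that breaks out of the LIKE literal
    print("unsafe:", find_suppliers_unsafe(db, 1, probe))  # leaks both customers' rows
    print("safe:  ", find_suppliers_safe(db, 1, probe))    # matches nothing
    print("cell:  ", render_supplier_cell("<script>alert(1)</script> Ltd"))
    print("own:   ", get_supplier(db, 2, 3))
```

Run it as a script to see the unsafe query return all three rows while the parameterised one returns none for the same input. The ownership check in `get_supplier` is the per-request rights validation the page describes; it belongs on every read and write path, not only on list endpoints.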
Authentication
- Scanmarket supports SAML 2.0-based Single Sign-On, allowing your organization to remain in control of the authentication process.
- We also offer a regular username & password-based login with the ability to configure password requirements, such as length, complexity and age.
Application Security
- Protecting your data is a constant focus. Therefore, our Software Development Life Cycle procedures include:
• Manual code reviews
• Automated code scanning
• Security training for developers (OWASP)
Segregated Environments
- Scanmarket has a testing and a staging platform that is 100% disconnected from the live servers, so no customer data is available on the test setup. All new features are tested, first on the test server and then on the staging server, before they are released into production.