Security Policy For Addteq


Security as a cornerstone

For organizations that produce incredible volumes of data, security is driven by Information Technology (and the data that it generates). While facing an increasingly complex architecture, Addteq instills a continuous improvement philosophy in the way it works.

Architecture

Security is the foremost consideration when designing our processes, networks, and applications. It also takes into account a broad range of industry standards and frameworks ensuring high integrity, confidentiality, and availability. Some of the architecture level considerations are:

  1. Application Development security
  2. Data Security
  3. Information Life Cycle Management
  4. Encryption
  5. Threat and Vulnerability Management
  6. Asset Management
  7. Incident Management
  8. Communications Security
  9. Physical and Environmental Security

Network

Addteq’s network security covers all levels of the technology stack. Implementation is divided by zone restrictions that include limiting office, data center, and platform network traffic. Environment separation is limited to production and development connectivity. Services are explicitly authorized to communicate with other services through an authentication whitelist. Access to sensitive networks is restricted by firewall rules, and all connectivity is encrypted. Device certificates and multi-factor authentication are implemented for internal resource connectivity. Intrusion detection and prevention systems are layered over our networks to identify issues.

Application

A conclave of engineers, security architects, and product managers identifies potential threats, which are accommodated into the design process and tested in the appropriate phases of development.

Reliability

Platform-wide Availability and Redundancy

All the applications managed by Addteq are on hosting platforms like DigitalOcean/AWS/Azure/GCP. Their data centers have been designed and optimized to host applications, have multiple levels of redundancy built-in, and run on a separate front-end hardware node on which application data is stored. With high availability of data as the primary focus, our hosting partners are ISO 27001, ISO 9001, SOC2, and PCI-DSS compliant. All infrastructure is designed and implemented with best practices to minimize downtime. Primary (NYC1 for DigitalOcean and US-EAST-1 for AWS) and Secondary (SFO1 for DigitalOcean and US-WEST-1 for AWS) data centers are defined with fail-over provisions. To keep up with high availability demand, critical infrastructure may be provisioned with multiple nodes in the event of any failure.

For more information, see the links below:

https://www.digitalocean.com/legal/compliance

https://aws.amazon.com/compliance/programs

Backup policy

Addteq’s comprehensive backup program offers resilient storage for application data. Automated backups are incremental and run every sixty (60) minutes. If the most recent full backup is more than 24 hours old, a new full backup is initiated. Backups are retained for 7 days and in the event of successful deletion of backups. Backups are encrypted with RSA 2048 and stored in private Amazon S3 buckets.

Business Continuity and Disaster Recovery

Addteq continues its efforts of maintaining a strong Business Continuity (BC) and Disaster Recovery (DR) plan to ensure minimum impact on customers in the event of any disruptions. Higher emphasis is laid on Continual Improvement through DR/BC initiatives.

To ensure appropriate levels of governance, maintenance, and testing, the following guidelines are observed:

  1. In order to drive the strategy for resilience and governance, Addteq’s leadership is involved, establishing accountability for business and technical functions.
  2. Addteq is diligently monitoring and managing its DR policies. Regular communications are exchanged with the customer's risk and compliance team about DR gaps and necessary remediation to maintain appropriate levels.
  3. Regular testing is conducted as an integral part of the DR life cycle to ensure customer data is available on demand. Details of some of the test cycles are as follows:
    1. Levels of resiliency are monitored across all regions of our hosting partners so that mitigation strategies can be put in place in case of failure.

    2. Data is backed up by default on AWS zones, and in case of any catastrophe, secondary regions are always assigned.

    3. Backup and restore procedures are in place and tested on a regular basis ensuring high availability to our customers. Addteq offers 99.95% uptime SLA, RTO of 2 hours, and RPO of 1 hour.

Product Security

There is a range of security controls Addteq implements to keep customer applications and data safe.

Data encryption 

While in transit over public networks, data is encrypted using Transport Layer Security (TLS) 1.2. Encryption using TLS enforces strong ciphers and key-lengths that can only be accessed by authorized roles and services with audited access.

Encryption key management

Keys are encrypted to protect customer data. This service is integrated with tight access controls ensuring exclusive authorized access to the keys that decrypt it. 

Segmentation and Separation

In single-tenancy architecture, a customer (a tenant) will have a singular instance of a SaaS application dedicated to them.

With single-tenant architecture, Addteq will aid in managing the software instance and dedicated infrastructure while still lending nearly full control to a single tenant for customization of software. Some common characteristics of single-tenancy models are that they tend to provide a high level of user engagement and user control, as well as reliability, security, and backup ability. Because tenants are in a separate environment from one another, they are not bound in the same way tenants using a shared infrastructure would be.

Benefits of single-tenancy: 

  • Data is independent of other potential tenants with the same provider.
  • Data security: In the event of a data breach to one tenant with the same service provider, another tenant would not be affected by the breach since data is stored on a separate instance.
  • Since all data of a customer is isolated from another, a large degree of customization is possible for software and hardware instances.
  • Single-tenant instances are considered reliable, since performance is based on only one instance, instead of many from different tenants.
  • Restore and disaster recovery. Isolated backups allow users to quickly enable recovery if there is a disaster and data is lost.

Product Security Testing

Post-development, during the testing phase, Addteq attempts to break features using automated and manual testing techniques. Even with automated testing tools in place, the engineering team ensures the correctness of the product. If a vulnerability is identified by any of our customers, it is acted upon with the highest priority, and remediation actions are rolled out to all customers. Our security team keeps systems updated and patched, using automated security testing tools for infrastructure.

Product Vulnerability Management

As a part of Vulnerability Management practices, the team is highly focused on continual improvement. In addition to product vulnerabilities, network scans of internal and external infrastructure are performed to observe any abnormalities.

Operational Practices

Access to Customer Data

Access to customer data stored within applications is restricted on a 'need to access' basis. Stringent controls are implemented governing data. Awareness training is provided to our internal employees and contractors during the onboarding / induction process, which covers the importance of and best practices for handling customer data.

Only authorized employees have access to customer data stored within applications, via SSH connections which are strictly from the Addteq corporate VPN. Unauthorized or inappropriate access to customer data is treated as a security incident and managed through the incident management process. This process includes instructions to notify affected customers if a breach of policy is observed. Physical access to data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures.

A broader policy governing access to customer data and metadata is included in our Privacy Policy.

Support Access

In order to facilitate the maintenance and support process, Addteq Support teams have the necessary access to resolve open tickets. Hosted applications and data can be accessed only for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system. Access rights are reviewed every six months. There are automated monitoring and security restrictions to prevent data extraction or back-end access.

Security Training and Awareness

Addteq’s awareness program is built on the premise that security is everyone’s responsibility. The training and awareness program is used as the primary vehicle for communicating responsibilities to employees. Employees and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires. Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide email messages and blog posts.

Change Management

A hierarchical approach to change management serves best. Addteq requires that any change in code or infrastructure (internal or external) be reviewed by the reporting managers to identify any issues the change could cause. Security and performance issues go through a higher number of reviews and tests, performed on branch merge by use of CI tools. There is a formal process to ensure clients are notified prior to changes being made that may impact their service.

Employee Hiring

Addteq strives to hire the best and the brightest talent available. During the recruitment process, the Addteq HR team performs employment, background, visa, and financial checks. Once onboarded, each employee is provided a 30-day onboarding plan. This includes the relevant access defined for their role, security policies, and procedures. Each employee is made to sign a confidentiality agreement upon hire, which also contains a disciplinary process for non-compliance.

Security Incident Management

In spite of Addteq’s best efforts in the design and implementation areas, there is always a margin of error leading to gaps that need to be identified and prevented proactively. The Addteq team uses various tools to monitor applications and infrastructure separately. In the event of escalations, Addteq has internal subject matter experts to investigate and drive issues to closure within 24-48 hours for P1 (Sev 1) issues.

Privacy

Our approach to privacy is laid out in detail at the following link: Privacy Policy