This document was last updated on August 1, 2021.
This Security Policy makes an integral part of our EVALINK Agreement.
All candidates need to undergo an extensive security clearance. Further, we carefully assess all candidates in a multistage interview process.
After and during employment
During onboarding, all new employees go through general information security training, where they are made aware of their responsibilities and applicable policies and procedures that they need to follow. Further, they undergo in-depth training appropriate to their role.
With periodical training, we keep our employees updated regarding information security, policies, and procedures. The security clearance is re-assessed at regular intervals.
We established principles and tools for continuous improvement within our organization. We regularly practice various scenarios to make sure employees have all the skills and knowledge they need.
During regular assessments done by external advisors, we challenge our operational excellence, to improve it constantly.
Development & Testing
Security by Design
With our microservices architecture, we follow principles of least privilege and shared nothing. All services are designed to have to authenticate against our central IAM, authorizing the service to perform the only designated actions.
Peer Code Review
All newly written code must be peer-reviewed ideally with multiple but at minimum one peer. Continuously extended checklists help to provide a general baseline for peer code review. This baseline ensures that the review includes checking for security and resiliency as well as complying with coding standards. Peer code review also ensures continuous sharing of knowledge between employees.
Before deploying our services to production, we run security and resiliency tests with both automated and manual testing. We test in realistic environments and with realistic load and data.
When code is pushed, it automatically triggers several pipelines to start testing on our staging system.
Final Review and Approval
After peer review and testing, features are thoroughly checked by team leads and the CTO before they are considered for deployment.
After successfully passing testing and all review processes new code is ready for deployment. Even though fully automated, deployments to production can only be triggered by a small set of people with the necessary security clearance and expertise. We only do rolling deployments that we test for zero-downtime rollout.
We use a two-region setup with using at least 3 availability zones (AZs) in each region. We built this setup for resiliency. The data center at AWS are built to meet the highest industry standards.
We use AWS Global Accelerator to improve resiliency, availability and latency of our endpoints. Using AWS Global Accelerator traffic will take a direct route from the nearest available AWS edge location in the global AWS network. The AWS Global Accelerator endpoints are protected by default from Distributed Denial of Service (DDos) attackes with AWS Shield.
With cloud AMQP we use the RabbitMQ service. The Cloud AMQP clusters are connected to our VPCs (Virtual Private Cloud) using VPC pairing, which is designed to secure to the connection.
We use Twilo for phone calls and SMS.
We use Auth0 for authentication and authorization.
Encryption in Transit
Sitasys’ web endpoints enforce the use of TLS/SSLWe use AWS services designed to encrypt data in transit.
Encryption at Rest
We use AWS services designed to encrypt data at rest.
All our systems are closely monitored and experts are on call-duty 24/7. Running anomaly detection on important KPIs, allow us to detect irregularities at an early stage. Together with continuous tests, automated failover and autoscaling most issues are solved before they become a problem and affect the Services.
We ensure the security of our software and Services by conducting penetration tests by renowned security external companies.
As off this security policy date, we are certified against ISO 9001 and ISO 27001
AWS Well Architected Review
We use the AWS Well Architected Framework to continuously assess and improve our architecture, practices and processes. We regularly let AWS Well Architected partners review our implementation of the AWS Well Architected Framework.