Security Policy
Last updated on August 1, 2021
This Security Policy makes an integral part of our EVALINK Agreement.

Employees

Before employment

All candidates need to undergo an extensive security clearance. Further, we carefully assess all candidates in a multistage interview process.

After and during employment

During onboarding, all new employees go through general information security training, where they are made aware of their responsibilities and applicable policies and procedures that they need to follow. Further, they undergo in-depth training appropriate to their role.

With periodical training, we keep our employees updated regarding information security, policies, and procedures. The security clearance is re-assessed at regular intervals.

Operational Excellence

We have established principles and tools for continuous improvement within our organization. We regularly practice various scenarios to make sure employees have all the skills and knowledge they need.

During regular assessments by external advisors, we challenge our operational excellence in order to improve it constantly.

Development & Testing

Security by Design

With our microservices architecture, we follow the principles of least privilege and shared nothing. All services are designed to authenticate against our central IAM, which authorizes each service to perform only its designated actions.

Peer Code Review

All newly written code must be peer-reviewed, ideally by multiple peers but by at least one. Continuously extended checklists provide a general baseline for peer code review. This baseline ensures that the review includes checks for security and resiliency as well as compliance with coding standards. Peer code review also ensures continuous sharing of knowledge between employees.

Testing

Before deploying our services to production, we run security and resiliency tests with both automated and manual testing. We test in realistic environments and with realistic load and data.

When code is pushed, it automatically triggers several pipelines to start testing on our staging system.

Final Review and Approval

After peer review and testing, features are thoroughly checked by team leads and the CTO before they are considered for deployment.

Deployment

After successfully passing testing and all review processes, new code is ready for deployment. Even though fully automated, deployments to production can only be triggered by a small set of people with the necessary security clearance and expertise. We only do rolling deployments, which we test for zero-downtime rollout.

Cloud Infrastructure

AWS

We use a two-region setup with at least 3 availability zones (AZs) in each region. We built this setup for resiliency. The AWS data centers are built to meet the highest industry standards.

Endpoints

We use AWS Global Accelerator to improve the resiliency, availability and latency of our endpoints. With AWS Global Accelerator, traffic takes a direct route from the nearest available AWS edge location through the global AWS network. The AWS Global Accelerator endpoints are protected by default from Distributed Denial of Service (DDoS) attacks with AWS Shield.

Cloud AMQP

With Cloud AMQP we use the RabbitMQ service. The Cloud AMQP clusters are connected to our VPCs (Virtual Private Clouds) using VPC peering, which is designed to secure the connection.

Twilio

We use Twilio for phone calls and SMS.

Auth0

We use Auth0 for authentication and authorization.

Data Security

Encryption in Transit

Sitasys’ web endpoints enforce the use of TLS/SSL. We use AWS services designed to encrypt data in transit.

Encryption at Rest

We use AWS services designed to encrypt data at rest.

Monitoring

All our systems are closely monitored, and experts are on call duty 24/7. Running anomaly detection on important KPIs allows us to detect irregularities at an early stage. Together with continuous tests, automated failover and autoscaling, most issues are solved before they become a problem and affect the Services.

Audit

Penetration Tests

We ensure the security of our software and Services by having penetration tests conducted by renowned external security companies.

ISO Certifications

As of the date of this security policy, we are certified against ISO 9001 and ISO 27001.

AWS Well-Architected Review

We use the AWS Well-Architected Framework to continuously assess and improve our architecture, practices and processes. We regularly have AWS Well-Architected partners review our implementation of the AWS Well-Architected Framework.