The security of your data has always been a priority for us. Whether you choose to deploy your helpdesk on Cloud or On-Premise, we are committed to protecting and securing your data.
Compliance certifications and regulations
At Data Centers
Secure by design
Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection, Cross site scripting and application layer DOS attacks.
The service data is stored on our servers when you use our services. Your data is owned by you, and not by SmartDocs Limited. We do not share this data with any third-party without your consent.
- In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally, for email, our services leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
- We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled HTTP Strict Transport Security header to all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure
- At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.
Data Retention and Disposal
A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
Identity and Access Control
Logging and Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
Detailed audit logging covering all update and delete operations performed by the user are available to the customers in every SmartDocs Limited service
We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, our security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.
Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.
Malware and Spam Protection
We scan all user files using our automated scanning system that’s designed to stop malware from being spread through SmartDocs ecosystem. Our custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns. Furthermore, our proprietary detection engine bundled with machine learning techniques, ensures customer data is protected from malware.
We run incremental backups every day and weekly full backups of our databases using SmartDocs Limited Admin Console (ZAC) for SmartDocs Limited’s DCs. Backup data in the DC is stored in the same location and encrypted using AES-256-bit algorithm. We store them in tar.gz format. All backed up data are retained for a period of three months. If a customer requests for data recovery within the retention period, we will restore their data and provide secure access to it. The timeline for data restoration depends on the size of the data and the complexity involved.
To ensure the safety of the backed-up data, we use a redundant array of independent disks (RAID) in the backup servers. All backups are scheduled and tracked regularly. In case of a failure, a re-run is initiated and is fixed immediately. The integrity and validation checks of the full backups are done automatically by the ZAC tool.
From your end, we strongly recommend scheduling regular backups of your data by exporting them from the respective SmartDocs Buesiness Solution and storing it locally in your infrastructure.
Disaster recovery and business continuity Application data is stored on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.
We have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations such as support and infrastructure management.
We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond to the security or privacy incidents you report to us through [email protected] , with high priority. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address of the Organization administrator registered with us).
As data controllers, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay.
Vendor and Third-party Supplier Management
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering us service, and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of their controls.
Customer controls for Security
So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that as a customer can do to ensure security from your end:
- Choose a unique, strong password and protect it.
- Use multi-factor authentication
- Use the latest browser versions, mobile OS and updated mobile applications to ensure they are patched against vulnerabilities and to use latest security features
- Exercise reasonable precautions while sharing data from our cloud environment.
- Classify your information into personal or sensitive and label them accordingly.
- Monitor devices linked to your account, active web sessions, and third-party access to spot anomalies in activities on your account and manage roles and privileges to your account.
- Be aware of phishing and malware threats by looking out for unfamiliar emails, websites, and links that may exploit your sensitive information by impersonating SmartDocs Limited or other services you trust.
- To learn more about how you can work with SmartDocs to achieve a secure cloud environment, read our resource on Understanding shared responsibility with SmartDocs. We provide a thorough analysis on the shared responsibility model and how both our customers and SmartDocs Limited can collaborate as well as take up individual responsibility towards cloud security and privacy.