Security

Security

Security is an integral part of Selligent’s business and culture. From Product inception inside the development lifecycle all the way through the completion of each project, the security of our customers’ data is one of our top priorities.

This guide explains our security policies and procedures so that our customers can be confident that their data is secure.

 

Organizational Commitment to Best Practices

Our office network and Software as a Service (SaaS) are physically separated: They are in different data centers and are using different routing to the internet. At the same time they are also managed by two different teams: The respective teams are the IT team and the SaaS operations team. These teams each report to different senior management.

    

Selligent SaaS Architecture

The following diagram shows the segregation in our SaaS architecture.

Access Control

Selligent’s access control policy requires a unique username per environment and complex passwords.

The security team reviews the access control policy every year and user accounts are reviewed on a regular basis.

The Human Resources (HR) department is involved in the access control process for employees. HR can trigger events such as adding user accounts, moving user accounts, or deleting users.

Network Security

The security and stability of our network is insured by a robust and redundant design including front-end, back-end and management firewalls.

Operational Security

Selligent manages every asset required to deliver our SaaS solutions. In addition, all operational activities on our infrastructure are carried out strictly under the control of Selligent employees.

Selligent’s operational controls address requirements for the execution of activities and the ability to review operational effectiveness. These controls also help maintain proper segregation of duties and access.

Employee Security Training

At Selligent, all employees are trained a minimum of once per year and attain a Selligent security certification as part of our security management system.

Selligent trains its developers and quality assurance personnel to check the quality and security of our application code. Training materials provided to these teams are aligned with the Open Web Application Security Project (OWASP) framework.

Data Center and Environmental Security

Our data centers provide state-of-the-art security and redundancy.

Our data centers are built with a multilayered physical security approach consistent with the requirements defined by Security Industry Standards. Access is controlled by photo badges, proximity access cards, biometric devices, CCTV/DVRs and alarms. Visitor access is strictly controlled.

Backup generators are equipped with enough fuel for several days and generators will activate approximately 1.5 minutes after a power failure. The UPS system manages the lag time between any power outage and the generator activation. All generators are redundant.

A highly sophisticated VESDA (Very Early Smoke Detection Apparatus) System provides very early warning of smoke or conditions leading to a fire by continuously sampling air in facilities for carbon products.

Incident and Risk Handling

At Selligent, we have a security and privacy risk & incident handling process that addresses security risks or incidents.

The process defines the procedures to respond to potential incidents and includes a dedicated Security Team that is responsible for managing the response and fixing the security incident or privacy breach. This process includes incident investigations, prompt communication with customers, third parties and authorities, and impact assessments and improvements.

Vulnerability Monitoring

Selligent continuously monitors security alert sources for the latest information on new system vulnerabilities and proactively assess each of them against our environment. We also actively watch for updates from the providers of the technologies we use for security information.

Data Encryption

Selligent’s solutions use industry standard cryptography for data in transit to and from our platform.

For FTP exchanges, the data files can be further protected by using PGP encryption software.

Pen Testing

Selligent engages with a third-party web application vulnerability testing company to regularly assess each part of our application with a minimum of once a year as well as for any major release.

Backups, Redundancy, and Recovery

Selligent's standard SaaS solution has backup media stored offsite inside a secondary data center.

Data Protection and GDPR compliance in the EU

The General Data Protection Regulation (GDPR) is adopted by the European parliament on 14 April 2016, and shall apply for 25 may 2018.

Selligent has appointed a Data Protection Officer.

Selligent is taking the necessary technical and organizational measures to comply with the requirements of the GDPR by its entry into force.

Third-party Evaluations

Selligent invests on a permanent basis in information security and Privacy protection. Selligent efforts in these matters have been awarded by ISO certifications. The ISO certifications provide our customers with independent assessments and evaluations of Selligent’s security controls. These third-party evaluations are available upon request and include the following:

  • ISO 27001 certification
  • ISO 27018 certification

ISO 27001 Certified

Selligent has attained compliance certification for ISO/IEC 27001, the specification that defines the standard information security management system (ISMS). This security management standard specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance.

Organizations that meet the standard must be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit. The basis of this certification is the development and implementation of a clear security program.

ISO 27018 Certified

Selligent has attained compliance certification for ISO 27018, the first international code of practice for cloud privacy. Based on EU data-protection laws, it gives specific guidance to cloud service providers (CSPs) acting as processors of personally identifiable information (PII) on assessing risks and implementing state-of-the-art controls for protecting PII.