Profisee’s Information Security Program helps ensure that Profisee manages and protects the confidentiality, integrity and availability of our customers’ data that is managed in Profisee’s SaaS Master Data Management Platform (‘Profisee Cloud’).
Profisee’s Information Security Policies, as part of a holistic Information Security Program, contain administrative, technical and physical safeguards to protect customer information assets from unauthorized modification, deletion or disclosure, leveraging the combined security capabilities of the cloud platforms used to host Profisee Cloud and Profisee’s own data security practices.
Profisee’s data security practices have been audited against the SOC 2 security framework by a trusted audit firm, A-LIGN. Profisee works to comply with all laws and regulations that impact or are relevant to Profisee’s operations, such as GDPR or CCPA, and implements security practices that follow industry-standard practices. Profisee reviews the Information Security Program annually to identify and apply the changes required to maintain a modern, proactive and effective security program.
Profisee Cloud is hosted on Microsoft Azure across paired regions. Within a region, resources are spread over multiple availability zones for high availability; across the pair, data is geo-replicated for disaster recovery and covered by strong backup policies. Together these enable minimal downtime, fast recovery and seamless failover if required.
By hosting Profisee Cloud on Azure, customers benefit from the industry-leading security practices and processes available from Azure. For more information, visit the Azure Trust Center.
Profisee implements industry-standard encryption for data at rest and in transit. Profisee uses native Azure capabilities for data destruction upon request or upon termination of a contract, so that data is erased following NIST and NSA recommendations and left unreadable and indecipherable. Profisee shall keep data only in the regions specified by a customer; for example, data stored in the EEA will remain in EEA data centers.
Encryption of Data at Rest
Customer data is stored in tenant-specific repositories (e.g., databases and storage accounts). All data at rest is encrypted using current industry-standard algorithms, and the chosen algorithms are reevaluated as standards evolve. Repositories are not publicly accessible; they are isolated on a private network, and access is controlled through Azure AD roles and groups. Row-level security is enforced throughout, which prevents Profisee employees from accessing any customer data without approval.
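As an added illustration of the row-level security mechanism described above (this is example T-SQL for Azure SQL, not Profisee’s own schema or code), the policy below makes rows visible only to the application identity, and only for the tenant it has authorized in the current session, or to members of an explicitly approved support role. The table, column, user and role names are assumptions.

```sql
-- Added example, not Profisee's schema: row-level security (RLS) in Azure SQL.
-- Assumptions: a table dbo.MasterRecord with a TenantId column, an application
-- login mapped to the database user 'profisee_app', and a database role
-- 'support_breakglass' for approved, time-boxed support access.

CREATE SCHEMA Security;
GO

-- Predicate: a row is visible only when (a) the caller is the application
-- identity AND the application has stamped the authorized tenant into the
-- session, or (b) the caller holds the approved support role.
CREATE FUNCTION Security.fn_rowAccessPredicate(@TenantId UNIQUEIDENTIFIER)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN
        SELECT 1 AS fn_result
        WHERE (USER_NAME() = N'profisee_app'
               AND @TenantId = CAST(SESSION_CONTEXT(N'AuthorizedTenantId') AS UNIQUEIDENTIFIER))
           OR IS_MEMBER(N'support_breakglass') = 1;
GO

-- The FILTER predicate hides rows from SELECT, UPDATE and DELETE; the BLOCK
-- predicates also reject writes that would produce rows the caller could not
-- subsequently see (for example, inserting a record under another tenant id).
CREATE SECURITY POLICY Security.CustomerDataPolicy
    ADD FILTER PREDICATE Security.fn_rowAccessPredicate(TenantId) ON dbo.MasterRecord,
    ADD BLOCK  PREDICATE Security.fn_rowAccessPredicate(TenantId) ON dbo.MasterRecord AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_rowAccessPredicate(TenantId) ON dbo.MasterRecord AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- The application sets the tenant once per connection, after it has authorized
-- the user for that environment. @read_only = 1 prevents later statements in
-- the same session (including injected SQL) from changing the value.
EXEC sp_set_session_context
    @key = N'AuthorizedTenantId',
    @value = '6f1f0e1e-0a4c-4b57-9c7a-2d3c5f8a9b10',   -- constructed sample id
    @read_only = 1;

-- Any other database principal (a staff account with db_datareader, for
-- instance) now sees zero rows from dbo.MasterRecord. Members of db_owner can
-- still ALTER or disable the policy, so that role must not be granted to
-- day-to-day staff accounts.
```

The predicate lives in its own schema so that ALTER permission on the data tables does not imply permission to change the policy, and the session key is read-only so a compromised query path cannot re-point the session at a different tenant.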
Encryption of Data in Transit
All network traffic to and from Profisee Cloud over the public internet uses a minimum of TLS 1.2 to encrypt data in transit; older protocol versions (SSL, TLS 1.0 and TLS 1.1) are not accepted.
Profisee Cloud uses dedicated repositories to provide complete tenant isolation between Profisee Cloud environments. Customer data is not shared or co-mingled between environments. Users must be authenticated and authorized for each individual Profisee Cloud environment they access. If a customer uses a common authentication provider (e.g., Azure Active Directory) across environments (e.g., Development, Test and Production), users gain the benefit of single sign-on but are still authorized independently for each environment.
Profisee follows industry-standard best practices in its approach to network and cloud infrastructure security. We use traffic inspection, logging, analysis and alerting; next-generation firewalls; geolocation blocking; segmented virtualized network infrastructure; on-demand VPN connectivity; private links; web application firewalls; network security groups; modern MFA; and other technologies to achieve defense in depth, with the goal of providing maximum security for our customers’ data.
Profisee uses Single Sign-On (SSO) through OpenID Connect-compliant providers coupled with Multi-Factor Authentication. Once deployed on our platform, customers are responsible for managing their users, groups and roles via role-based access control (RBAC). Profisee has designed the Profisee Cloud solution around the principle of least privilege, granting only the minimum access necessary.
In addition to the RBAC controls required to gain access to the platform, the Profisee solution allows further customization and granular control inside the application, through assignment of built-in roles or custom groupings of permissions. These controls integrate with customers’ Identity and Access Management tooling and can be used to provide Just-In-Time access.
Profisee uses capabilities natively available in Azure to deliver Profisee Cloud as a highly available cloud-native platform. All persisted repositories are configured with zone redundancy, replicating data across multiple physical locations within an Azure region. This provides fault tolerance and resiliency against a much larger set of failures, including catastrophic data center outages. Profisee simulates events that require the various failover and disaster recovery processes at least annually to ensure that these systems function as intended.
Additionally, Profisee uses geo-redundancy to replicate data repositories to a secondary Azure region, where Profisee maintains a pre-configured secondary Profisee Cloud infrastructure. In the unlikely event of a catastrophic outage affecting an entire Azure region, Profisee will fail customer environments over to that secondary region, minimizing the disruption.
In addition to geo-replication, Profisee maintains backups of all customer repositories.
Profisee performs log collection, detection, analysis and inspection, indexing, searching and alerting across a range of sources including, but not limited to, firewall IPS/IDS systems, endpoint security applications, user equipment and access events, VPN gateways, Web Application Firewalls, application logs and SQL logs. These logs are centrally collected in a SIEM solution that analyzes and correlates them. Using built-in Azure capabilities, Profisee can automatically enable additional logging during an incident; that logging is collected in the SIEM and retained for the investigation. Logs are maintained for up to 365 days to allow for historic investigations.
Secure Software Development Standards
Profisee uses secure software development practices throughout the entire software development lifecycle. Profisee follows best practices as outlined in the OWASP Software Assurance Maturity Model (SAMM).
Profisee’s Secure Software Development Policy focuses on two essential components:
1. Software Development Process
Integrates security into every phase of the software development lifecycle (SDLC): requirements gathering, design and coding, testing and implementation, including:
- Separation of Duties
- Segregation of Environments
- Data Exposure and Sensitivity Labels
- Access Control
- Code Review
- Vulnerability Prevention Coding Practices
- Input Validation
- Exception and Error Handling
- Prevention of Cross-Site Scripting Attacks
- Prevention of Insecure Direct Object References
- Credentials/Passwords Protection
- Session and Logout
- TLS and Secure APIs
- File Management
- Secure Configuration
- Prevention of Insecure Deserialization
- Version Control
- Patch Management
2. Software Security Assessments
Profisee uses third parties to perform quarterly and annual testing, auditing and reviews of Profisee’s software and software development lifecycle. This includes application penetration testing, software architecture reviews, and audits of Profisee’s security processes and procedures. Profisee also uses SonarCloud for continuous code quality and security analysis, with results graded against OWASP security controls.
THIRD-PARTY NETWORK AUDITS
Profisee has partnered with a third-party vendor to perform quarterly and annual scans of the Profisee environments in addition to penetration testing of its infrastructure. This penetration test (pen test) or Red Team activity is run as an “assumed breach” exercise, so that it resembles a real cyber event as closely as possible and tests both protective controls and response plans. Upon request, Profisee will provide a summary report from the most recent pen test. In addition, customers may request authorization to perform additional penetration tests. No customer shall perform any external penetration testing of Profisee’s environment without prior approval from Profisee.
Third-party Application Testing
Profisee contracts with reputable third parties to scan for application vulnerabilities, perform penetration testing, and review application code and architecture for vulnerabilities. Testing is performed on a quarterly or annual basis in addition to the ongoing automated scans. Findings from these scanning and testing events are resolved according to their assigned criticality, through either corrective patching or mitigating controls, within time frames commensurate with industry best practices.
Profisee performs background checks on all employees, provides security training during onboarding and provides continuous security training thereafter. This training includes simulated attacks modeled on real-world events, sent throughout the year at irregular intervals, to evaluate and improve employees’ ability to identify and report attacks.
Profisee follows industry standards of least privilege access to prevent unauthorized access to any private information. For more information, please visit www.profisee.com/privacy
Security Policies & Controls
Profisee’s Security Program ensures that Profisee follows best practices for securing both corporate and customer data and information systems. The Security Program is governed by an overarching Security Governance Policy that establishes the foundation for information security. The Security Program maintains a set of policies and procedures that are reviewed and approved by Profisee’s Information Security Committee. These policies include:
- Access Control
- Asset Management
- Business Continuity
- Change Management
- Data Classification
- Disaster Recovery
- Incident Response
- Network Management
- Patch Management
- Secure Disposal
- Secure Software Development
- Security Awareness
- Vendor Risk Management
- Vulnerability Management
Profisee implements industry-standard safeguards to fulfil the mandates of the above policies. These protections include:
- Advanced anti-malware protection against viruses, worms, trojan horses and other malware, including detection and prevention of modern ‘fileless’ malware and malicious behavior
- Vulnerability scanning of software and systems to discover applications and software that require patching or removal
- Regular patching cycles based upon industry guidelines to prevent exploitation
- Monitoring of scripting activity
- Access controlled through Azure Active Directory, with restrictions on the devices and locations from which authentication is approved, and modern multi-factor authentication (MFA) prompts that show the source location of the request
Profisee carries insurance coverage for cybersecurity.
In the event that Profisee discovers a Security Incident, Profisee shall investigate the security event promptly. Profisee will notify affected customers within 72 hours, and the notification shall include:
- A description of the incident and, if known, its cause
- The approximate time period during which the security event occurred
- A description of the actions taken to remediate the event
SOC 2 CERTIFICATION
The SOC 2 audit is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria, covering security, availability, confidentiality, privacy and processing integrity, together with the criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The objective is to meet both the AICPA criteria and the requirements outlined in the CCM.
This report additionally covers relevant controls for HIPAA data and Profisee’s ability to store this data safely and securely in the Profisee Cloud product.
ISO 27001 CERTIFICATION
Profisee has been audited by a leading global audit firm, A-LIGN, for compliance with ISO 27001 security controls and has been certified. Certification of Profisee’s controls can be viewed here.
ISO/IEC 27001:2013 is an information security management system standard published in October 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
This certification demonstrates Profisee’s continued commitment to information security at every level and assures you that the security of your data and information has been addressed, implemented and properly controlled in all areas of our organization.
ISA/CVA Certified by DCSO
Profisee has been audited by the German Cyber Security Organisation (DCSO) both on-site and via a document review from their Berlin headquarters and certified for compliance with information security best practices.
DCSO’s framework for information security assessments aggregates recognized industry standards such as ISO 27001 and BSI C5 with proprietary DCSO test criteria.
Certification of Profisee’s controls can be viewed here.