A. Data
Let us look at the compliance-related data items that form an integral part of the Product & Service Guide.
-
AppZen Public
This classification covers information that has been declared public by someone with the authority to do so and that can be given freely to anyone without any possible damage to AppZen, Inc. Such data is typically limited to information available on AppZen's public website. Any other information or data may not be distributed without prior consent.
-
Privacy & Data Handling
AppZen's policies and practices comply with the *EU GDPR. AppZen provides EU-region data centers for clients in the EU, and their data is kept strictly within the *AWS data centers in Ireland. AppZen also collects only the minimum PII necessary and uses it only for the agreed-upon purposes. For more details, refer to our Privacy Policy.
-
Data Ownership
Individuals have certain rights and may make certain choices regarding AppZen's processing of their personal information, exercised through the data controller.
We reserve the right to verify the identity of the individual making any request regarding personal information, so that we provide the information only to the individual to whom it pertains and allow only that individual or their authorized representative to exercise rights concerning it.
You can make choices about AppZen's collection and use of your data. How you can access or control your data depends on which Sites or Services you use.
-
Confidentiality
AppZen takes prudent steps to safeguard the confidentiality and security of all personal data, including taking procedural and organizational steps to protect personal data from accidental or unlawful destruction. These steps include entering into written agreements with all its vendors and subcontractors who process personal data.
In addition, AppZen strives to protect personally identifiable information that it maintains or disseminates so it is not obtained by unauthorized individuals or used in unauthorized ways, including through appropriate administrative, physical, and technical safeguards.
-
Security
Our Privacy Policy exists to say what we do with your data, but security ensures we can do what we say. The rest of this document focuses on the security measures we employ to ensure we can protect the information assets you have stored.
B. Security Controls
Let us look at the security controls that form an integral part of the Product & Service Guide.
-
Secure in-transit Communications
Amazon EBS* encryption is performed on the servers that host the EC2 instances, so data is encrypted in transit between an EC2 instance and its EBS storage. EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and any snapshots taken from them. Note that AppZen is a single AWS customer, so one CMK is used for all of AppZen's multi-tenant customers; separation between customers is enforced logically (see Data Storage and Encryption), not with per-customer keys. Encryption of client traffic to the web application itself is provided by TLS, also described under Data Storage and Encryption.
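The check a practitioner would run to confirm that statement is the one below, an added example and not AppZen's or AWS's own code: it reads the output shape of `aws ec2 describe-volumes` (boto3 `describe_volumes()`), lists any unencrypted volumes, and counts how many volumes sit under each KMS key, which makes a single shared CMK visible at a glance. The volume IDs, key ARNs and region are constructed assumptions; `live_audit()` assumes boto3 and AWS credentials are available.

```python
"""Audit Amazon EBS volumes for encryption and KMS key usage.

Added example, not AppZen's or AWS's own code. It works on the JSON shape
returned by `aws ec2 describe-volumes` (or boto3's describe_volumes()), so it
runs offline on the constructed sample below; live_audit() shows the real call.
"""
from collections import Counter

# Constructed sample in the shape of a describe_volumes() response (not real data).
SAMPLE_RESPONSE = {
    "Volumes": [
        {"VolumeId": "vol-0aaa0001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/11111111-aaaa"},
        {"VolumeId": "vol-0aaa0002", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/11111111-aaaa"},
        {"VolumeId": "vol-0aaa0003", "Encrypted": False},
        {"VolumeId": "vol-0aaa0004", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/22222222-bbbb"},
    ]
}


def audit_volumes(response):
    """Return unencrypted volume IDs and a per-KMS-key count of encrypted volumes."""
    unencrypted = []
    per_key = Counter()
    for vol in response.get("Volumes", []):
        if not vol.get("Encrypted", False):
            unencrypted.append(vol["VolumeId"])
            continue
        # Encrypted volumes carry the ARN of the KMS key that wraps their data key.
        per_key[vol.get("KmsKeyId", "<unknown>")] += 1
    return {"unencrypted": unencrypted, "volumes_per_key": dict(per_key)}


def uses_single_shared_key(report):
    """True when every volume is encrypted and all of them sit under exactly one
    KMS key, the situation the guide describes for one AWS customer serving many tenants."""
    return not report["unencrypted"] and len(report["volumes_per_key"]) == 1


def live_audit(region="eu-west-1"):
    """Run the same check against a real account. Requires boto3 and AWS
    credentials (assumed); the region is a hypothetical default."""
    import boto3  # imported here so the offline sample needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    volumes = []
    for page in ec2.get_paginator("describe_volumes").paginate():
        volumes.extend(page["Volumes"])
    report = audit_volumes({"Volumes": volumes})
    # Account-level default: new volumes get encrypted even if a caller forgets to ask.
    report["encryption_by_default"] = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return report


if __name__ == "__main__":
    result = audit_volumes(SAMPLE_RESPONSE)
    print("unencrypted:", result["unencrypted"])
    for key, count in result["volumes_per_key"].items():
        print(f"{count} volume(s) under {key}")
    print("single shared key:", uses_single_shared_key(result))
```

On the constructed sample the audit reports one unencrypted volume and two keys in use, so `uses_single_shared_key()` is false; against an account like the one the guide describes it would return true, and the key count is the number to watch if per-tenant keys are ever introduced.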
-
User Authentication
- Users authenticate with an email address or an AppZen-provided ID; SAML-based single sign-on (SSO) is supported.
- AppZen customers authenticate against their own identity provider (IdP), for example through Okta, and are authorized by AppZen's authorization services.
- Every AppZen employee has exactly one user account for identification and authentication to business resources, implemented with Google Workspace (G Suite) Single Sign-On and JumpCloud integration.
-
Logging and Audit Trails
AppZen regularly reviews the server logs from its Amazon EC2* instances; log files are invaluable for detecting and tracking attempted intrusions and other suspicious activity. All security-related events on critical or sensitive systems are logged, and audit trails are forwarded to central Syslog servers.
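As an added example (not AppZen's tooling) of the kind of review that paragraph describes, the following parses sshd authentication lines in syslog format and flags a source address that fails repeatedly within a short window, escalating if the same address then logs in successfully. The log lines, hostnames, addresses, threshold and window are all constructed.

```python
"""Flag SSH brute-force attempts in syslog lines forwarded from EC2 instances.

Added example, not AppZen's tooling. The log lines below are constructed in
standard sshd/syslog format; the threshold and window are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_SYSLOG = """\
Jan 12 10:01:02 app-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 12 10:01:03 app-01 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 12 10:01:04 app-01 sshd[2235]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 12 10:01:05 app-01 sshd[2237]: Failed password for invalid user test from 203.0.113.5 port 51025 ssh2
Jan 12 10:01:06 app-01 sshd[2239]: Failed password for invalid user oracle from 203.0.113.5 port 51026 ssh2
Jan 12 10:01:20 app-01 sshd[2241]: Accepted password for deploy from 203.0.113.5 port 51030 ssh2
Jan 12 10:03:00 app-01 sshd[2250]: Failed password for deploy from 198.51.100.7 port 40000 ssh2
Jan 12 10:03:10 app-01 sshd[2252]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2: RSA SHA256:3v9...
Jan 12 10:05:00 app-01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart app
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(text):
    """Extract sshd login attempts; lines from other daemons (e.g. sudo) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # classic syslog carries no year
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert when one source IP fails at least `threshold` times inside
    `window_seconds`; escalate to critical if that IP later gets an Accepted login."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        start, tripped = 0, None
        for end in range(len(failures)):  # sliding window over failure timestamps
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                tripped = failures[end]["ts"]
                break
        if tripped is None:
            continue
        success_after = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= tripped]
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "severity": "critical" if success_after else "high",
            "compromised_user": success_after[0]["user"] if success_after else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_sshd(SAMPLE_SYSLOG)):
        print(alert)
```

On the constructed sample, 203.0.113.5 trips the threshold and then logs in as `deploy`, so it is reported as critical with that account named; the single failure from 198.51.100.7 followed by a key-based login stays below the threshold and produces nothing.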
-
Data Storage and Encryption
AppZen's customers can rest assured that their data at rest is encrypted with AES* 256-bit encryption, using AWS encryption services and the associated key management technology (AWS KMS). Amazon EBS* encryption covers:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
EBS encryption is supported on all EBS volume types, and the databases are encrypted with the same AWS services. For data in motion, AppZen's web applications accept only TLS 1.2 or later, and their TLS certificates carry SHA-256 with RSA (sha256WithRSAEncryption) signatures; the signature authenticates the endpoint, while the negotiated TLS cipher suite provides the encryption.
Customer data is stored in AWS S3 buckets and in RDS, where it is logically segregated by unique customer identifiers so that each customer's data remains private to that customer.
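Logical segregation by customer identifier only holds if every query carries that identifier. The following added example (not AppZen's code; an in-memory SQLite table stands in for RDS, and the table, columns and rows are constructed) contrasts an unscoped lookup, which hands over another customer's row as soon as its id is guessed, with a repository that binds every statement to the customer id taken from the authenticated session.

```python
"""Tenant isolation by customer identifier in a shared (multi-tenant) database.

Added example, not AppZen's code. It uses an in-memory SQLite table standing
in for RDS; the schema, table name and sample rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE expense_reports (
    id           INTEGER PRIMARY KEY,
    customer_id  TEXT    NOT NULL,   -- the unique customer identifier
    submitter    TEXT    NOT NULL,
    amount_cents INTEGER NOT NULL
);
CREATE INDEX idx_reports_customer ON expense_reports (customer_id);
"""

SAMPLE_ROWS = [  # constructed data
    (1, "cust-A", "alice@a.example", 12500),
    (2, "cust-A", "bob@a.example", 4300),
    (3, "cust-B", "carol@b.example", 99000),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO expense_reports VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_report_unscoped(conn, report_id):
    """Vulnerable pattern: the row is selected by id alone, so a caller who
    guesses another customer's report id reads it (cross-tenant IDOR)."""
    return conn.execute(
        "SELECT id, customer_id, submitter, amount_cents FROM expense_reports WHERE id = ?",
        (report_id,),
    ).fetchone()


class TenantScopedRepository:
    """All data access for one authenticated customer goes through here.
    customer_id comes from the verified session (e.g. the SAML assertion),
    never from request parameters, and every statement carries it as a predicate."""

    def __init__(self, conn, customer_id):
        self._conn = conn
        self._customer_id = customer_id

    def get_report(self, report_id):
        return self._conn.execute(
            "SELECT id, customer_id, submitter, amount_cents FROM expense_reports "
            "WHERE id = ? AND customer_id = ?",
            (report_id, self._customer_id),
        ).fetchone()

    def list_reports(self):
        return self._conn.execute(
            "SELECT id, submitter, amount_cents FROM expense_reports "
            "WHERE customer_id = ? ORDER BY id",
            (self._customer_id,),
        ).fetchall()

    def total_spend_cents(self):
        (total,) = self._conn.execute(
            "SELECT COALESCE(SUM(amount_cents), 0) FROM expense_reports WHERE customer_id = ?",
            (self._customer_id,),
        ).fetchone()
        return total


if __name__ == "__main__":
    conn = open_sample_db()
    # A cust-A user asks for report 3, which belongs to cust-B.
    print("unscoped:", get_report_unscoped(conn, 3))   # leaks cust-B's row
    repo = TenantScopedRepository(conn, "cust-A")
    print("scoped:  ", repo.get_report(3))             # None: not this tenant's row
    print("cust-A reports:", repo.list_reports())
```

The point of routing every statement through one scoped repository is that a forgotten `customer_id` predicate becomes a code-review finding in a single module rather than a latent cross-tenant leak scattered across handlers.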
-
Access Control
Access control is a cornerstone of AppZen's information technology management. We adhere to least-privilege (minimum access) standards across the business: users are granted access only to the network and network services they have been authorized to use, and all requests for elevated access are tracked and approved in JIRA.
AppZen has a formal user registration and de-registration process for assigning access rights. It holds management accountable for every access approval and keeps the distribution of privileges appropriate. A change in job status or a termination triggers an access review so that the appropriate adjustments are made, and user roles follow Segregation of Duties (SoD).
AppZen maintains secure logon procedures aligned with NIST SP 800-53. These include mandatory multi-factor authentication for access to the production environment and minimum password-complexity standards, and single sign-on is configured with SAML 2.0.
C. Business Continuity
Let us look at the business-continuity items that form an integral part of the Product & Service Guide.
-
Ensuring Business Continuity
AppZen manages business continuity on two levels. The first is operational continuity, where we take every feasible action to harden the production environment; these provisions lower the risk of a disaster in which more drastic measures are required. The second is traditional Disaster Recovery: rebuilding the production environment completely.
AppZen infrastructure supports High Availability (HA) of database and application resources in a redundant configuration across two AWS data centers within a 50-mile radius. Should resources at one data center become unavailable, redundant resources at the secondary data center will assume operation and sustain uninterrupted service.
-
Disaster Recovery
Our Disaster Recovery (DR) plans were developed to comply with ISO/IEC 27001 and NIST SP 800-53. Our Recovery Time Objective (RTO) is set at 20 hours: should the primary data center be completely out of action, services should be returned to operation within 24 hours. The Recovery Point Objective (RPO) is set at 24 hours to match the automated backup cycle, keeping pace with our production operations.
This means that, even though recreating the production environment may take hours, the amount of transaction data lost will never exceed 15 minutes. The DR plan is tested annually and reviewed by the ISMS Committee and the external auditors.
-
Data Retention
AppZen purges the customer's data from its infrastructure within 90 days of service termination, even if the customer has not formally requested a purge.
AppZen has a defined process for customers to formally request deletion of their data through the AppZen Support portal, described in the Right to Erasure documentation. AppZen notifies the customer that the task is complete within two (2) weeks of receiving the request.
AppZen gives no assurance that data is deleted from all backups at the moment such a purge notice is received; instead, it explains that the customer's data is removed over time as backups and other artifacts in the cloud expire.
D. Policies and Procedures
Let us look at the policies and procedures that form an integral part of the Product & Service Guide.
-
Information Security Policies
AppZen maintains a comprehensive set of information security policies that are reviewed, updated, and communicated throughout the business annually. These policies are also audited annually as part of maintaining the ISO/IEC 27001 certification.
These policies include:
- Information Security Policy
- Acceptable Use Policy
- Access Control Policy
- Physical & Environmental Security Policy
- Anti-Virus Software Policy
- Backup and Retention Policy
- Operational & Software Development Change Management Policy
- Password Policy
- Database Password Policy
- Incident Handling Policy
- Incident Response Guidelines
- Information and Data Classification Policy
- Media Disposition Policy
- Removable Media Policy
- Risk Assessment Policy
- Server Documentation Policy
- Server Security Policy
- Source Code Control Policy
- Telecommute Policy
- Teleconference Recording Policy
- Clear Desk and Clear Screen Policy
- Patch Management Policy
- Email Policy
- Suppliers Security Policy
- Encryption and Cryptographic Control Policy
- Internal Audit Policy
- Compliance Policy
- Data Protection Policy
- DLP* Policy
- Data Retention Policy (Legal Hold Policy)
- Information Security Exception Policy
- Management Review Policy
- Asset Management Policy
- Business Continuity Management Policy
- Capacity Management Policy
- Equipment Handling Policy
- Internet Access Policy
- Media Handling Policy
- Vulnerability Management Policy
- Cloud Security Policy
- Configuration Management Policy
- Information Transfer Policy
- Threat Management Policy
-
Incident Response Plans and Breach Notification
Information security incidents range from a potential breach attempt to a simple violation of our security policies. All employees are trained on the incident reporting process so that any security-related event is reported and acted upon promptly. The Chief Information Officer and Chief Technology Officer are the immediate recipients of incident reports, and the full ISMS Committee maintains additional oversight.
-
Change Management
AppZen maintains strict change control processes for all product releases and changes. We follow tight guidelines, incorporate processes into our day-to-day workflow, and use reporting that allows for proper checks and balances, all of which maintain our end-user experience and security standards.
-
Risk Management
The AppZen risk management process aims to promptly identify, evaluate, and treat any potential risk that could affect the business and assets of the company. AppZen leverages a combination of industry-standard risk management practices to evaluate information security-related risks.
-
Review and Use of Third-Party Service Providers
We work with several third-party providers, including email and cloud service providers, to help us provide our services to customers. We enter into confidentiality and data processing terms with each of these partners to ensure they comply with the high level of confidentiality and best practices in privacy and security standards, and we regularly review these standards and practices. AppZen may use tools and technologies to review the usage of AppZen services by its customers for analytical purposes.
E. Application Security
Let us look at the application security practices that form an integral part of the Product & Service Guide.
-
Application Engineering
AppZen's software development processes follow the secure coding standards published by the Open Web Application Security Project (OWASP). The software development life cycle includes defining security requirements and performing code reviews. Every build runs a SAST* check with SpotBugs integrated into the CI pipeline, and engineering teams must fix all reported violations before a build is released to the QA (Quality Assurance) process.
-
Secure Coding Practices
AppZen uses an agile development methodology. Development is performed in a development environment, separate and segmented from production, and then moved into test environments for thorough quality assurance reviews. Once the code is approved, it is released into the production environment.
Our development team employs secure coding techniques and best practices described by The Open Web Application Security Project (OWASP).
We also use a peer-review model to ensure the code complies with stated objectives. Essential Security functions, such as authentication and Cross-Site Request Forgery (CSRF) protection, are contained in shared code libraries that multiple teams can reuse.
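An added example (not AppZen's library) of what such a shared security function can look like: a CSRF token helper that issues a session-bound, expiring HMAC token and verifies it with a constant-time comparison, so each team calls one reviewed implementation rather than writing its own. The server secret, session ids, header name and timestamps below are constructed.

```python
"""Shared-library CSRF protection: a signed, session-bound, expiring token.

Added example, not AppZen's library. It shows the kind of reusable helper a
shared security library exposes so every team gets the same check; the secret,
session ids and time values used with it are constructed.
"""
import hashlib
import hmac
import secrets
import time


class CsrfTokenService:
    def __init__(self, server_secret: bytes, max_age_seconds: int = 3600):
        self._secret = server_secret
        self._max_age = max_age_seconds

    def _sign(self, session_id, issued_at, nonce):
        # Binding the session id into the MAC input ties the token to one session,
        # so a token stolen or minted for another session does not verify here.
        msg = f"{session_id}|{issued_at}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, now=None):
        """Mint a token of the form <issued_at>.<nonce>.<hmac-sha256 hex>."""
        issued_at = int(now if now is not None else time.time())
        nonce = secrets.token_hex(8)
        return f"{issued_at}.{nonce}.{self._sign(session_id, issued_at, nonce)}"

    def verify(self, session_id, token, now=None):
        """True only for an untampered, unexpired token issued for this session."""
        now = int(now if now is not None else time.time())
        try:
            ts_str, nonce, sig = token.split(".")
            issued_at = int(ts_str)
        except (AttributeError, ValueError):
            return False  # missing or malformed token
        if issued_at > now or now - issued_at > self._max_age:
            return False  # future-dated or expired
        expected = self._sign(session_id, issued_at, nonce)
        # Constant-time comparison: a timing leak here would let an attacker
        # reconstruct a valid MAC byte by byte.
        return hmac.compare_digest(expected.encode(), sig.encode())


def check_state_changing_request(service, session_id, headers, form):
    """Policy for POST/PUT/DELETE handlers: the token may arrive in a custom
    header (hypothetical name) or a form field; a missing token is rejected,
    never silently ignored."""
    token = headers.get("X-CSRF-Token") or form.get("csrf_token")
    return bool(token) and service.verify(session_id, token)


if __name__ == "__main__":
    svc = CsrfTokenService(b"constructed-server-secret")
    tok = svc.issue("sess-1", now=1_700_000_000)
    print("same session, fresh:", svc.verify("sess-1", tok, now=1_700_000_010))
    print("other session:      ", svc.verify("sess-2", tok, now=1_700_000_010))
    print("after expiry:       ", svc.verify("sess-1", tok, now=1_700_003_601))
```

Because the token is a MAC over the session id, the service needs no server-side token store; rotating `server_secret` invalidates every outstanding token at once, which is the behaviour you want after a suspected key leak.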
Additionally, AppZen's application security team is tightly integrated with the development process to ensure secure coding practices are followed. The team has implemented security tooling for secure software build and deployment. AppZen also maintains a private, invitation-only bug bounty program in which a team of security researchers examines our application for vulnerabilities.
F. Cloud, Network, and Systems
Let us look at the cloud, network, and systems controls that form an integral part of the Product & Service Guide.
-
Cloud Security
AppZen relies heavily on AWS for its cloud infrastructure, using AWS compute, storage, and networking services, including managed versions of open-source software.
-
Network Security
AppZen's information systems and technical infrastructure are hosted in AWS data centers in the US (Virginia) and EU (Ireland) regions. We have chosen hosting providers that adhere to security and technical best practices while supporting a carrier-neutral infrastructure. Physical security controls at these data centers include 24×7 monitoring, cameras, visitor logs, and entry requirements.
Hosting facilities also feature environmental controls and redundant power and connectivity systems (such as uninterrupted power supply and on-site generators).
AppZen ensures secure networking for all infrastructure on which the application is hosted. Because that infrastructure is hosted entirely in AWS, responsibility for network security is shared: AWS secures the underlying network and provides protections such as AWS Shield against DDoS attacks, while AppZen is responsible for configuring its own network controls within AWS.
All authorized AppZen employees and contractors with remote access privileges must connect to AppZen-controlled resources from an authorized computer using the approved VPN. Additionally, all such users must authenticate via the approved two-factor authentication method.
-
Vulnerability Scans and Patching
AppZen invests significantly in information security operations, including ongoing vulnerability management, metrics management, and audits of the environment.
Vulnerability scanning of network-attached assets and web-based services is performed on a scheduled basis to identify potential threats to the environment.
We use scanning tools with a current, extensive vulnerability library to keep our environment free from significant vulnerabilities. The ISMS* Committee of AppZen executives oversees the results and the related remediation process.
-
Operational Security
Metrics management covers the performance, capacity, and cost management of AppZen production operations. We use Elasticsearch, AWS CloudWatch, and CloudHealth to collect and assess these metrics, and Zendesk to filter and prioritize the resulting alerts so that any asset nearing its established capacity or performance limit gets a timely response.
A third party is engaged annually to perform comprehensive security audits of all AppZen security operations. Penetration tests are also scheduled annually to validate the enclave boundary controls surrounding the production environment. These third-party insights enable AppZen to remediate any threat that may have developed over the past year and evolve our technology base.
-
System Security
Employees can only access the AppZen corporate network with company-issued and maintained assets. By default, all computers issued are running management software, have up-to-date antivirus protection, and are fully encrypted. Mobile devices are not permitted to connect to the AppZen production network.
G. Administrative and Organizational Security
Let us look at the administrative and organizational security items that form an integral part of the Product & Service Guide.
-
Information Security Organization
AppZen's Information Security Management System (ISMS) provides oversight of business-related controls. The ISMS Committee includes all company executives, ensuring collaboration across every aspect of information security management. This executive team has visibility into the ongoing information security status, incidents, risks, audits, and other activities required to keep our customers' information secure.
-
Security Team
AppZen has a dedicated Trust & Security organization focusing on application, network, and system security. This team is also responsible for security compliance, education, and incident response. It reports directly to the Chief Information Security Officer (CISO) and works closely with the legal and operations teams.
-
Security Incident Response Team
AppZen’s Trust & Security team leads a trained Incident Response Team (IRT), which includes members of all integral functions across the business. This cross-functional IRT conducts tabletop sessions regularly and maintains a well-defined, organized approach for handling any potential threat to the information on AppZen systems, computers, and data or supplier/vendor, partner, or affiliate systems.
-
Human Resources
AppZen's HR group is involved in information security in several areas. Background verification checks are carried out on all prospective employees in accordance with relevant laws, regulations, and ethics. Employment contracts state the organization's and the employee's responsibilities for information security.
HR ensures that all employees and contractors receive appropriate awareness, education, and training, with regular updates on the organizational policies and procedures relevant to their job function. Information security responsibilities and duties that remain valid after termination or a change of employment are defined, communicated to the employee or contractor, and enforced.
H. Certification and Compliance
Let us look at the certification and compliance items that form an integral part of the Product & Service Guide.
-
Regulatory Compliance & Standards
Let us look at the common regulatory compliance frameworks and standards that AppZen follows:
Regulatory Compliance & Standards | Description |
---|---|
ISO/IEC 27001:2022 | AppZen is assessed annually for conformity with ISO/IEC 27001:2022 by an ANAB-accredited certification body. AppZen has held ISO/IEC 27001 certification since 2017 and is currently certified against the 2022 revision of the standard. |
SOC 1 Type 2 & SOC 2 Type 2 | AppZen is assessed for SOC 1 Type 2 and SOC 2 Type 2 by an independent Certified Public Accountant (CPA) firm under American Institute of Certified Public Accountants (AICPA) attestation standards. AppZen has had SOC reports issued since 2017. |
CPRA / CCPA* Compliance | AppZen complies with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), for the personal data of California consumers. |
GDPR* Compliance | AppZen complies with the GDPR to protect EU users' personal data and privacy. |