1.0 Data
Privacy and Data Handling
AppZen’s policies and practices comply with the EU GDPR. For clients in the EU region, AppZen provisions EU-region data centers, and their data is strictly contained within the EU AWS data centers. AppZen also maintains a policy of collecting only the minimum necessary PII and using it only for agreed-upon purposes.
Data Ownership
Individuals have certain rights and may make certain choices regarding AppZen’s processing of their personal information.
Please note that if the exercise of these rights limits our ability to process personal information, we may be precluded from providing our products or services to individuals who exercise these rights, or from otherwise engaging with such individuals going forward.
We reserve the right to verify the identity of the individual in connection with any requests regarding personal information to help ensure that we provide the information to individuals to whom the information pertains and allow only those individuals or their authorized representatives to exercise rights concerning that information.
You can make choices about AppZen’s collection and use of your data.
How you can access or control your personal data depends on which Sites or Services you use.
Confidentiality
AppZen takes prudent steps to safeguard the confidentiality and security of all personal data, including procedural and organizational measures to protect personal data from accidental or unlawful destruction. These steps include entering into written agreements with all vendors and subcontractors who process personal data.
In addition, AppZen strives to protect personally identifiable information that it maintains or disseminates so it is not obtained by unauthorized individuals or used in unauthorized ways, including through the use of appropriate administrative, physical, and technical safeguards.
Security
Our Privacy Policy exists to say what we do with your data, but security is about ensuring that we are able to do what we say. The rest of this document focuses on the security measures that we employ to ensure that we are able to protect the information assets you have stored.
2.0 Security controls
Secure in-transit communications
EBS encryption is performed on the servers that host EC2 instances, which also encrypts data in transit between the EC2 instances and EBS storage. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMKs) when creating encrypted volumes and any snapshots created from them. Note that, with respect to the CMK, AppZen is the customer of AWS; it follows that a single key covers all of AppZen’s multi-tenant customers.
User Authentication
User authentication is based on an email address or an AppZen-provided ID. It supports SAML-based authentication with single sign-on.
AppZen customers authenticate against their company's identity provider (IdP) using Okta, with authorization handled by AppZen's authorization centers.
All AppZen personnel are provided with one unique user account to identify and authenticate into any company resources. This is achieved by utilizing the G Suite Single Sign-On functionality and JumpCloud integration.
Logging and Audit Trails
AppZen regularly reviews the server logs provided by Amazon EC2; log files are invaluable in detecting and tracking attempted intrusions and other suspicious activity. All security-related events on critical or sensitive systems are logged, and the audit trails are saved to the Syslog servers.
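The passage above says that server logs are reviewed for attempted intrusions and that audit trails are centralised on Syslog servers. The following is an added example, not AppZen's code, showing the kind of detection logic a reviewer would run over such logs: it parses sshd authentication failures out of syslog lines and flags source addresses whose failures exceed a threshold. The log lines, hostnames and IP addresses (from the RFC 5737 documentation ranges) are constructed for the example; the threshold of three failures is an assumption. Because the lines come from two hosts, it also shows why centralising logs matters: the source is only visible as a pattern once the per-host logs are correlated.

```python
"""Flag sources with repeated sshd authentication failures in centralised syslog data.

Added example; the sample below is constructed, not a real log, and the
hostnames, IPs and threshold are placeholders for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of RFC 3164-style syslog lines as forwarded to a central
# syslog server from two hosts. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, so these addresses are not real hosts.
SAMPLE_SYSLOG = """\
Oct 14 10:01:02 web-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct 14 10:01:05 web-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Oct 14 10:01:09 web-01 sshd[2234]: Failed password for root from 203.0.113.5 port 51030 ssh2
Oct 14 10:02:11 web-01 sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
Oct 14 10:03:30 web-02 sshd[1180]: Failed password for root from 203.0.113.5 port 51044 ssh2
Oct 14 10:04:00 web-02 sshd[1185]: Failed password for ubuntu from 198.51.100.9 port 40200 ssh2
"""

# Matches the standard OpenSSH "Failed password" message; "invalid user" is
# present only when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})"
)


def parse_failed_logins(log_text):
    """Return a list of (host, user, source_ip) tuples, one per failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m["host"], m["user"], m["src"]))
    return events


def flag_sources(log_text, threshold=3):
    """Aggregate failures per source IP across all hosts and return those at or
    above `threshold`, with the hosts and usernames each source touched."""
    per_src = defaultdict(lambda: {"failures": 0, "hosts": set(), "users": set()})
    for host, user, src in parse_failed_logins(log_text):
        per_src[src]["failures"] += 1
        per_src[src]["hosts"].add(host)
        per_src[src]["users"].add(user)
    return {
        src: {"failures": d["failures"], "hosts": sorted(d["hosts"]), "users": sorted(d["users"])}
        for src, d in per_src.items()
        if d["failures"] >= threshold
    }


if __name__ == "__main__":
    for src, detail in flag_sources(SAMPLE_SYSLOG).items():
        print(f"{src}: {detail['failures']} failures on {detail['hosts']} as {detail['users']}")
```

Run on the sample, the single flagged source has four failures spread over both hosts; looked at per host, neither web-01 (three) nor web-02 (one) would necessarily stand out on its own, which is the argument for shipping audit trails to a central Syslog server before reviewing them.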
Data Storage and Encryption
AppZen’s customers can rest assured that their data at rest is encrypted. This encryption uses AWS encryption services and the related key-management technology. Amazon EBS encryption covers the following data:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
AWS encryption is supported for all EBS volume types (file systems) and databases. AppZen maintains SHA-256 with RSA encryption for all information in transit to its web applications. AppZen supports only TLS 1.2 or later for encrypting data in motion; the earlier TLS 1.0 and TLS 1.1 versions have been globally disabled.
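The Data Storage and Encryption section above states that customer data at rest on EBS is encrypted with an AWS KMS customer master key, and the Privacy section states that EU customers' data stays inside EU AWS data centers. Neither is something a customer can see directly, but both are straightforward to audit from the account side. The following added example, not AppZen's own tooling, takes a response in the shape of `aws ec2 describe-volumes --output json` and reports volumes that are unencrypted, encrypted with a key other than the expected CMK, or placed outside the allowed region. The volume IDs, key ARNs and account number are constructed placeholders; in practice the JSON would come from the AWS CLI or boto3.

```python
"""Audit EBS volumes for encryption, expected KMS key, and region placement.

Added example, not AppZen's code. The describe-volumes JSON below is a
constructed sample in the shape of `aws ec2 describe-volumes --output json`;
all IDs, ARNs and the account number are placeholders.
"""
import json

# Constructed sample: one compliant volume, one unencrypted volume, and one
# encrypted volume that uses a different key and lives in another region.
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0aaa0001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-CMK-ID",
         "AvailabilityZone": "eu-west-1a"},
        {"VolumeId": "vol-0aaa0002", "Encrypted": False,
         "AvailabilityZone": "eu-west-1b"},
        {"VolumeId": "vol-0aaa0003", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OTHER-KEY",
         "AvailabilityZone": "us-east-1a"},
    ]
})

# Placeholder for the key ARN the policy expects every volume to use.
EXPECTED_CMK = "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-CMK-ID"


def audit_volumes(describe_volumes_json, expected_key_arn, allowed_region_prefix=None):
    """Return a list of (volume_id, finding) tuples for volumes that violate policy.

    Findings:
      "unencrypted"    Encrypted is false, so the volume and its snapshots are plaintext.
      "unexpected-key" encrypted, but with a KMS key other than the expected CMK.
      "wrong-region"   the availability zone is outside the region data must stay in
                       (only checked when allowed_region_prefix is given).
    """
    findings = []
    for vol in json.loads(describe_volumes_json)["Volumes"]:
        vid = vol["VolumeId"]
        if not vol.get("Encrypted", False):
            findings.append((vid, "unencrypted"))
        elif vol.get("KmsKeyId") != expected_key_arn:
            findings.append((vid, "unexpected-key"))
        if allowed_region_prefix and not vol["AvailabilityZone"].startswith(allowed_region_prefix):
            findings.append((vid, "wrong-region"))
    return findings


if __name__ == "__main__":
    for vid, finding in audit_volumes(SAMPLE_DESCRIBE_VOLUMES, EXPECTED_CMK, "eu-west-1"):
        print(f"{vid}: {finding}")
```

The region check is optional because not every customer is bound to EU residency; passing `"eu-west-1"` models the EU-region provisioning the page describes. Comparing `KmsKeyId` against one expected ARN also reflects the page's note that a single CMK covers all of AppZen's tenants: any volume on a different key is worth a question, whether or not it is encrypted.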
Access Control
Access control is a cornerstone of AppZen information technology management. We adhere to minimum-access standards across the company. Users are only provided with access to the network and network services that they have been specifically authorized to use. This access is reviewed quarterly to ensure privileges remain appropriate to each user's responsibilities.
AppZen has a formal user registration and de-registration process to govern the assignment of access rights. This process ensures that management is held accountable for all access approved and that the distribution of privileges is appropriate. Changes in job status and/or termination trigger a review of access so that the appropriate adjustments are made. User roles adhere to Segregation of Duties (SoD).
AppZen maintains secure logon procedures compliant with NIST 800-53. These include mandatory multi-factor authentication for access to the production environment and minimum standards for password complexity, and logon is configured to use SSO via SAML 2.0.
3.0 Business Continuity
Business Continuity
AppZen manages business continuity on two levels. The initial level is operational continuity where we take every action feasible to harden the production environment. These provisions lower the risk of an actual disaster where more drastic measures are required. The second level is traditional Disaster Recovery to completely rebuild the production environment.
AppZen infrastructure supports High Availability (HA) of database and application resources that are in a redundant configuration across two AWS data centers within a 50-mile radius. Should resources at one data center become unavailable, redundant resources at the secondary data center will assume operation and sustain uninterrupted service.
Disaster Recovery
Our Disaster Recovery (DR) plans were developed to be ISO/IEC 27001 and NIST 800-53 compliant. Our Recovery Time Objective (RTO) is set at 24 hours: should the primary data center be completely put out of action, services should be returned to operation within 24 hours. The Recovery Point Objective (RPO) is set at 15 minutes to match the automated backup schedule that keeps pace with our production operations. This means that even though recreating the production environment may take hours, the amount of transaction data lost will never exceed 15 minutes' worth. The DR plan is tested annually and reviewed by the ISMS Committee and the external auditors.
Data Retention
AppZen will purge the customer's data from its infrastructure within 90 days of service termination if the customer has not made a formal request to purge their data.
AppZen has defined a process for customers to formally request the deletion of their data through the AppZen Support portal, as described in the Right to Erasure documentation, and will notify the customer of the completion of the task within 2 weeks of receiving their request.
AppZen makes no assurance that data is deleted from all backups at the time such a purge request is received, but will make a reasonable effort to explain that the customer's data will be removed over time as backups and artifacts in the cloud expire.
4.0 Policies and Procedures
Information Security Policies
AppZen maintains a comprehensive set of information technology policies that are updated and communicated throughout the company on an annual basis. These policies are also audited annually as part of the ISO/IEC 27001 certification management.
These policies include:
- Information Security Program
- Acceptable Use Policy
- Access Control Policy
- Physical Security Policy
- Anti-Virus Software Policy
- Backup and Retention Policy
- Operational & Software Development Change Management Policy
- Password Policy
- Database Password Policy
- Incident Handling Policy
- Incident Response Guidelines
- Information and Data Classification Policy
- Media Disposition Policy
- Removable Media Policy
- Risk Assessment Policy
- Server Documentation Policy
- Server Security Policy
- Source Code Control Policy
- Telecommute Policy
- Teleconference Recording Policy
- Clear Desk and Clear Screen Policy
- Patch Management Policy
- Email Policy
- Suppliers Security Policy
- Encryption and Cryptographic Control Policy
- Internal Audit Policy
- Compliance Policy
- Data Protection Policy
- Data Retention Policy (Legal Hold Policy)
Incident Response Plans and Breach Notification
Information Security Incidents can range from a potential breach attempt to a simple violation of our security policies. All employees are trained on the incident reporting process to ensure that any security-related event at the company is reported and acted upon in a timely manner. The Chief Information Officer and Chief Technology Officer are the immediate recipients of incident reports with the full ISMS Committee maintaining additional oversight.
Change Management
AppZen maintains strict change control processes including all production releases and changes. We maintain tight guidelines, processes built into our day-to-day workflow, and reporting that allows for proper checks and balances, all of which maintain our end-user experience and security standards.
Risk Management
The AppZen risk management process aims to promptly identify, evaluate and treat any potential risk that could affect the business and assets of the company. AppZen leverages a combination of industry-standard risk management practices to evaluate information security-related risks.
Review and Use of Third-Party Service Providers
We work with several third-party providers that help us provide our services to customers, including email service providers and cloud providers. We enter into confidentiality and data processing terms with each of these partners to ensure they comply with high levels of confidentiality and best practices in privacy and security standards, and we regularly review these standards and practices.
5.0 Application Security
Application Engineering
AppZen’s software development processes follow the secure coding standards published by the Open Web Application Security Project (OWASP). The software development life cycle includes the development of security requirements and code reviews. Each software build goes through a SAST check using SpotBugs, which is integrated into the CI process. Engineering teams are required to address all violations immediately, before the build is released to the QA process.
Secure Coding Practices
AppZen uses an agile development methodology.
Development is performed in a development environment, which is separate and segmented from production, and then moved into test environments for thorough quality assurance reviews. Once the code is approved, it is then released into the production environment.
Our development team employs secure coding techniques and best practices that are described by The Open Web Application Security Project (OWASP). We also use a peer-review model to ensure code complies with stated objectives. Important security functions, such as authentication and Cross-Site Request Forgery (CSRF) protection, are contained in shared code libraries that can be reused by multiple teams.
Additionally, AppZen’s application security team is tightly integrated with the development process to ensure secure coding practices are being followed. The team has implemented security tooling to ensure a secure software build and deployment.
Bug Bounty Program
AppZen maintains a private, invitation-only bug bounty program with a team of security researchers examining our application for vulnerabilities.
6.0 Cloud, Network and Systems & Operational
Cloud Security
AppZen heavily leverages AWS for our cloud infrastructure. We use AWS services spanning compute, storage, and networking, including managed versions of open-source software.
Network Security
AppZen’s information systems and technical infrastructure are hosted in AWS data centers in the US and Ireland. We have carefully chosen hosting providers that adhere to security and technical best practices while supporting a carrier-neutral infrastructure. Physical security controls at our data centers include 24×7 monitoring, cameras, visitor logs, and entry requirements.
Hosting facilities also feature environmental controls and redundant power and connectivity systems (such as uninterrupted power supply and on-site generators).
AppZen ensures secure networking for all the infrastructure on which the application is hosted. Since the AppZen infrastructure is wholly hosted in AWS, network security is a shared responsibility between AppZen and AWS. AWS is responsible for providing protections such as AWS Shield, which mitigates DDoS attacks.
All authorized AppZen employees and contractors with remote access privileges are required to connect to AppZen-controlled resources from an authorized computer using the approved VPN. Additionally, all such users are required to authenticate via the approved two-factor authentication method.
Vulnerability Scans and Patching
AppZen invests significantly in information security operations, including ongoing vulnerability management, metric management, and audits of the environment. Vulnerability scanning of both network-attached assets and web-based services is performed on a scheduled basis to identify potential threats to the environment. We use the Qualys scanning tools, with a current and extensive library of threats, to ensure our environment remains free from significant vulnerabilities. The ISMS Committee of AppZen executives oversees the results of the related threat remediation process.
Operational Security
Metric management includes the performance, capacity, and cost management of AppZen production operations. We employ ElasticSearch, AWS CloudWatch, and Cloud Health technologies to collect and assess these metrics. In addition, we employ Zendesk to filter and prioritize alerts from these sources and ensure the timely reaction to any asset nearing the established capacity or performance limits.
A third party is engaged on an annual basis to perform comprehensive security audits of all AppZen security operations. Penetration tests are also scheduled annually to validate the enclave boundary controls surrounding the production environment. These third-party insights are essential to enable AppZen to remediate any threat that may have developed over the past year alongside the evolution of our technology base.
System Security
Employees are only permitted to access the AppZen corporate network with company-issued and maintained assets. All computers issued by default are running management software, up-to-date antivirus protection, and are fully encrypted. Mobile devices are not permitted to connect to the AppZen production network.
7.0 Administrative and Organizational Security
Information Security Organization
AppZen operates an Information Security Management System (ISMS) to provide organization and oversight of the company’s related controls. The ISMS Committee membership includes all executives of the company to ensure thorough collaboration on all aspects of information security management. This executive team is provided visibility into the ongoing information security status, incidents, risks, audits, and other activities required to fully secure our customers’ information.
Security Team
AppZen has a dedicated Trust & Security organization, which focuses on application, network, and system security. This team is also responsible for security compliance, education, and incident response. The team reports directly to the Chief Information Security Officer (CISO) and works closely with the legal and operations team.
Security Incident Response Team
AppZen’s Trust & Security team leads a trained Incident Response Team (IRT), which includes members of all integral functions across the business. This cross-functional IRT conducts tabletop sessions regularly and maintains a well-defined, organized approach for handling any potential threat to the information on AppZen systems, computers, and data, or on supplier/vendor, partner, or affiliate systems.
Human Resources
AppZen’s HR group is involved in information security in several areas. Background verification checks on all candidates for employment are carried out in accordance with relevant laws, regulations, and ethics. Employment contracts state the employee’s and the organization’s responsibilities related to information security.
HR ensures that all employees of the organization and contractors receive appropriate awareness education and training, and regular updates on organizational policies and procedures, as relevant to their job function. Information security responsibilities and duties that remain valid after termination or change of employment are defined, communicated to the employee or contractor, and enforced.
8.0 Certification and Compliance
Regulatory Compliance & Standards
ISO/IEC 27001:2013
AppZen is assessed annually for compliance against the ISO/IEC 27001:2013 standard by an ANAB-accredited certification body. AppZen has been an ISO/IEC 27001:2013 certified organization since 2017.
SOC 1 Type 2 & SOC 2 Type 2
AppZen is assessed for SOC 1 Type 2 and SOC 2 Type 2 compliance by a Certified Public Accountant (CPA) designated by the American Institute of Certified Public Accountants (AICPA). AppZen has been a SOC-compliant organization since 2017.
CCPA compliant
GDPR Compliance
AppZen complies with GDPR regulations to protect the personal data and privacy of EU citizens.
VERSION: October 14, 2021