Security

Our client's' Information security has stood out as paramount importance to us.

Certifications & Memberships

We are a member firm of Institute of Chartered Accountants in England & Wales (ICAEW)
Our operations as well as hosting environment is SSAE18 SOC I & SOC III certified.
Our datacentre is ISO 27001 (Information Security Management Systemsdiscuss.
Global Data Protection Regulation (GDPR) compliant

Encryption of Data in Transit (Network Security)

Our Systems use the strongest encryption products to protect customer data and communications. The web interface of systems incorporate the Transport Layer Security (TLS) protocols. TLS is worldwide Web Standard for protecting critical data and is used by banks, brokerages and others to protect their client's' data.

This protocol provides data security by encrypting it as it transmitted between our application server and the browser hosted on user’s computers. During use, the lock icon in the browser, along with URL indicates that data is fully protected from access while in transit.

Encryption of Data at Rest (Database Security)

The Client database is only accessible through the application. Application Access to the data is highly protected and only Application credentials allow to access client's data. There is no other mean to access data without application. However, in limited circumstances access to database can be given to system development and maintenance team. Such access is always secure and minimum rights are given to them to access the data.

All sensitive information is encrypted through Two-Way encryption algorithm i.e Advanced Encryption Standard (AES) whereas login credentials like password, PIN etc are encrypted with One-Way Encryption Algorithm i.e. SHA1.

Data Backups

An offsite full backup of Production database is taken each day. Our database backup policy requires database backups and transaction logs to be collected so that a database can be recovered with the loss of as few committed transactions as is commercially practicable.

Database backups of systems that implement interfaces must be available as long as necessary to support the interfacing systems. This period will vary by system.

Disaster Recovery

Promenics has recovery time objective (RTO) of 24 hours and a recovery point objective (RPO) of maximum 24 hour. The RTO is measured from the time the Promenics Production Service becomes unavailable until it is available again. The RPO is measured from the time the first transaction is lost until the Promenics Production Service became unavailable.

Authentication

Administrator has the right to set up different authentication requirements for different user populations including:

Strength of Password
Password expiry period
Change password upon first login
Special character to include in password
Restrict to use previously used password until defined resets
Multifactor Authentication
System lockout policy after failed login attempts
Show last login status
Session time-out policy

Physical Security

Control Activities are jointly exercised by Promenics and System & Database Hosting Provider. Promenics has partnered with Rackspace (www.rackspace.com), an award-winning world's leading specialist in the hosting and cloud computing industry. Promenics manages the Systems backups, releases, upgrades and database management, and Rackspace provides the environment, security, redundant power lines and high bandwidth solution access through the internet. Rack space delivers enterprise-level hosting services around the world and serving more than 130,000 customers, including over 110,000 cloud computing customers. Rackspace data centers adhere to the strictest physical security measures:

Multiple layers of authentication are required before access is granted to the server area.
Critical areas require two-factor biometric authentication.
Camera surveillance systems are located at critical internal and external entry points.
Security personnel monitor the data centers 24/7.
Unauthorized access attempts are logged and monitored by data center security.
All physical access to the data centers is highly restricted and stringently regulated.

Authorization

Customer-configurable security groups are based on users, roles, jobs, organizations, location hierarchy, or business sites. The Promenics application enforces group policy-based security for authorization.

The application prevents any user from directly accessing the production database. Created security groups, combined with predefined security policies, grant or restrict user access to functionality, business processes, reports, and data—whether accessed online or through web services.

Auditing and Logging

System tracks all changes to business data at the application level. This application audit information is the basis for audit and compliance reporting found throughout the system. System records include successful & unsuccessful logins as well as any changes in information as to what changes are made and who made those changes through a specified login account.

This enables customers to obtain a complete audit trail and provide an auditor with the information required to trace the history of changes

Single Sign-on Support

Promenics uses SAML for SSO which takes the next step by enabling an enterprise SSO environment. SAML allows for a seamless SSO experience between the customer’s internal identity and access management (IAM) solution and Promenics Systems.

Access

Promenics has incorporated the concept of Role Based Access Control (RBAC) which allows System Administrator to grant permission to roles and assign roles to users. Permission include; add, update, view, delete etc. Each user is assigned one or more roles.

Only those capabilities which have been granted to the specific role are made available to users. Users that have not been assigned specific roles are not aware that other capabilities even exist in the system.

Data Segregation

We provide different hosting options to our client's to choose one from, including:

Dedicated Server with client only instance of application
Shared cloud with client only instance of application
Multi-tenant application, or
Client can specify their recommended structure

In normal circumstances we recommend Multi-tenant option which is secure and beneficial. Promenics System is a multi-tenant SaaS application. Multi-tenancy is a key feature of our application that enables multiple customers to share one physical instance of the Promenics system while isolating each customer tenant’s application data.

Every user ID is associated with exactly one tenant, which is then used to access the Promenics application. All instances of application objects (such as Organization and Worker) are tenant-based, so every time a new object is created, that object is also irrevocably linked to the user’s tenant. The Promenics system maintains these links automatically and restricts access to every object, based on the user ID and tenant. When a user requests data, the system automatically applies a tenancy filter to ensure that it retrieves only information corresponding to the user’s tenant.

Vulnerability assessments

Vulnerability assessments and penetration testing of the system are also evaluated and conducted on a regular basis by both internal Promenics resources and external third-party vendors.