At Situm, we want to offer the maximum guarantees of compliance with security and data protection requirements. Security is an integral part of our products, processes and services that we are continuously reviewing to maintain the highest standards of compliance.
Security as a fundamental pillar
Data security is a fundamental pillar when developing our products, processes and services. We approach the design of all functionalities and changes in our architecture with a mindset of:
- Compliance with GDPR guidelines.
- Privacy by design and by default.
- Data governance accountability.
- Continuous improvement.
That is why security at Situm is integrated into the day-to-day work of all employees, and all improvements to our software, processes and services are always made with security in mind. Our cloud is designed to respond to a multitude of challenges in different industries with different security requirements. In order to meet them, we aim to meet the highest standards across all industries.
Reliability
Situm Platform is a central part of many business applications and end-customer oriented applications. We understand the importance of reliability in our platform and hence we have put in place a series of measures to ensure it.
- SLA
We aim to provide at least 99.9% uptime and to resolve critical requests within a few hours at most. Please read our SLA in Exhibit B of our MSA for more details: https://situm.es/assets/docs/situm-masteragreement.pdf
- Availability and Redundancy
Situm Platform provides high availability and redundancy by default. Replicas of Situm services run on multiple nodes with the ability to scale vertically and horizontally.
In addition, to ensure maximum availability, we host our platform and data on Microsoft Azure. Microsoft Azure data centers are designed to provide high availability for the applications they host, and Situm follows Azure best practices in order to make the most of the capabilities Azure provides.
- Avoiding data losses: redundant storage and backups
Situm secures all the data in multiple ways to avoid losses.
- Redundant storage. All the data is stored in redundant systems by default.
- Incremental daily backup. Automatic incremental backups of all the data are generated daily.
- Complete weekly copy. In addition to incremental daily backups, a full weekly backup is generated to maximize recoverability.
Backups are encrypted with RSA 4096 asymmetric keys. Backups are kept for 45 days (database information) or 60 days (files, such as images).
- Business continuity and disaster recovery
Ensuring the continuity of our service (and your business) is a key priority at Situm. These are the main elements that help us in minimizing the impact of any eventuality:
- Continuous logging and monitoring. Situm Platform logs the interactions with its APIs and monitors the network traffic for early trouble detection (with automatic internal alerts).
- Redundant backup storage. Backups are replicated in different Azure geographical regions within Europe in order to avoid a full data/service loss in the (very unlikely) event that a whole Microsoft Azure data center or geographical area fails.
- Restoration & integrity tests. We perform daily, weekly, and quarterly tests (with different levels of granularity & detail) to ensure that the restoration procedures work as expected and that the backup data is recoverable.
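As an illustration of what an automated backup integrity test can look like, here is an added example (not Situm's own tooling, and it assumes nothing about Situm's backup layout): a SHA-256 manifest is recorded when a backup set is written, and a later check reports files that went missing, were modified, or appeared unexpectedly. The sample "backup set" is constructed inline in a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Map each file (path relative to backup_dir) to its SHA-256 digest.

    The manifest should be stored separately from the backup set (and ideally
    signed), otherwise an attacker or a faulty job could rewrite both together.
    """
    manifest: Dict[str, str] = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return manifest


def verify_manifest(backup_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the set is intact."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    for p in backup_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> List[str]:
    """Constructed sample: write a tiny backup set, record its manifest,
    then simulate corruption, loss and a stray file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "dump.sql").write_bytes(
            b"-- constructed sample dump\nINSERT INTO t VALUES (1);\n")
        (root / "images").mkdir()
        (root / "images" / "floor1.png").write_bytes(b"\x89PNG constructed sample bytes")

        manifest = build_manifest(root)
        assert verify_manifest(root, manifest) == []  # fresh set verifies clean

        (root / "db" / "dump.sql").write_bytes(b"corrupted")   # bit rot / partial write
        (root / "images" / "floor1.png").unlink()               # lost file
        (root / "images" / "extra.tmp").write_bytes(b"stray")   # file not in manifest
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

A manifest check of this kind only proves that the bytes written are the bytes read back; the restoration tests the page describes additionally exercise the restore procedure itself, which a digest comparison cannot replace.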
Product Security
- Encryption and key management
Data encryption is performed at different levels to ensure a complete protection:
- Encryption in transit. We use Transport Layer Security (TLS) 1.2 or higher for all communications that go through public networks such as the Internet.
- Encryption at rest. Microsoft Azure provides "Encryption at rest" in all the storage services that we use. In addition, Azure manages the encryption keys automatically, thus helping to avoid potential key leaks.
- Password policy
Situm Platform users' passwords must have a minimum complexity of 8 alphanumeric characters. We store these passwords properly hashed & encrypted, so it is not possible to recover them. Nevertheless, passwords can be reset by email at the user's request (automatically, without our intervention).
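To make concrete what a policy check and "properly hashed" storage involve, here is an added example (not Situm's code; it does not describe how Situm Platform actually stores passwords). It assumes the stated policy means at least 8 characters containing both letters and digits, uses salted PBKDF2-HMAC-SHA256 with an iteration count chosen from current OWASP guidance, and verifies in constant time; the reset-token helpers show the same hash-only storage applied to an email reset link.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Assumed interpretation of "minimum complexity of 8 alphanumeric characters":
# at least 8 characters, with at least one letter and one digit.
MIN_LENGTH = 8
# Assumption: 600,000 iterations, the order of magnitude OWASP recommends
# for PBKDF2-HMAC-SHA256 at the time of writing.
PBKDF2_ITERATIONS = 600_000


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the assumed policy."""
    if len(password) < MIN_LENGTH:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_letter and has_digit


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash; the plaintext is never stored and cannot be recovered."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the iteration count can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_reset_token() -> Tuple[str, str]:
    """Return (token to email, hash to store). Only the hash is persisted, so a
    database read-out does not yield usable reset links."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def reset_token_matches(presented: str, stored_hash: str) -> bool:
    return hmac.compare_digest(
        hashlib.sha256(presented.encode("ascii")).hexdigest(), stored_hash)


if __name__ == "__main__":
    record = hash_password("example-pass-2024")          # constructed sample password
    print(record)
    print(verify_password("example-pass-2024", record))   # True
    print(verify_password("example-pass-2025", record))   # False
```

Stored records carry the algorithm, iteration count and salt, so the cost factor can be increased for existing users on their next login without a mass reset.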
- Client isolation
Different users / clients share the same physical infrastructure, but Situm provides logical isolation between the data of different users / clients. This isolation ensures that actions performed by a certain client will not compromise the data of other clients.
- Vulnerability / incident management
Situm has established an internal incident and vulnerability management policy following the GDPR guidelines. This includes, among other measures, early evaluation of any data breach & communication to affected customers (or to the data protection agency) depending on the severity of the incidents.
Data operations
- Data processed & stored
Please read our GDPR section for a description & list of the data that Situm processes & stores.
- Accessing the client data for maintenance
At Situm, only a few employees have access to client data for maintenance, based on an appropriate segmentation of roles & responsibilities within the company. All employees are required to abide by a corporate password policy that includes, among others, measures such as periodic key renewals.
Access to client data is continuously monitored. Unauthorized accesses are treated as data breaches. Physical access to data centers is protected by Microsoft security policies & measures: https://docs.microsoft.com/es-es/azure/security/fundamentals/physical-security
- Accessing the client data for customer support
Our Customer Success team (customer support) will only access client data if it is strictly necessary to solve a ticket or request raised by the client.
- Data destruction
Situm follows GDPR guidelines for data destruction. More info in our MSA (https://situm.es/assets/docs/situm-masteragreement.pdf).
Privacy and GDPR
Please read our GDPR section for an overview of Situm's Privacy and GDPR policies.