Syncron’s Security, Privacy and Compliance Ecosystem
“Defense in Depth” with a layered approach to security at:
- Network (network segregation, firewalls, proxy servers and filtering)
- Host (server hardening, patch management, vulnerability management)
- Application (role-based access control, strong authentication, audit logging)
- Data (encryption, integrity monitoring, malware protection)
- Physical (ISO-certified, SOC2 audited data centers)
Native Security Functions
✓ Authentication through configurable policies for strong passwords, as well as support for single sign-on via SAML 2.0.
✓ Access Control via role-based permissions that can be set to an individual’s need to know.
✓ Encryption, both in transit and at rest. All access to Syncron SaaS instances is encrypted via “high” security ciphers and the TLS protocol. Data stored in the customer database instance can optionally be encrypted with 256-bit AES.
✓ Audit Logging and Monitoring. Audit logging is enabled by default for sensitive events and entities such as logins, admin activity, users, roles and permissions, and can be configured for other entities.
✓ High Availability with redundant systems and an uptime service level promise of 99.5%. Two live copies of the databases store data in separate datacenters, with automated failover.
✓ Single-tenant architecture. A private cloud, dedicated to your company. IP whitelisting is available to restrict access to the application.
Your Privacy Respected
✓ Choice of datacenter location. Your Syncron instance can be hosted in the EU or in the USA depending on customer preference. Your data never leaves the region where the application is located.
✓ Compliance with Data Protection Regulations. Syncron supports its customers’ compliance with European and North American data privacy regulations via selective data location and data protection agreements.
✓ GDPR-ready. Syncron perceives this regulation as an important step forward in enhancing individuals’ data privacy and streamlining data protection laws across the EU. Syncron is committed to compliance with the GDPR across its cloud services when enforcement begins on May 25, 2018.
✓ Full data ownership. Customer data is owned by the customer and can be removed by the customer at any time.
✓ No data retention beyond contracted service. Upon termination of the contract, all customer data is deleted securely from Syncron systems. All hardware goes through a decommissioning process as described in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”).
✓ No Advertising. We do not scan your data for building analytics, data-mining or advertising.
Certified Information Security. Syncron’s information security management system is ISO27001:2013 certified for the development, acquisition, maintenance and operation of its cloud services offered in a SaaS model.
Transparent Security Controls. Syncron has been listed in the Cloud Security Association (CSA) Security, Trust and Assurance Registry (STAR); this public registry allows users of cloud services to assess their cloud providers, security providers, and advisory and assessment services firms in order to make the best procurement decisions.
Enterprise-Ready rated. Syncron has been awarded the “enterprise-ready” rating by the CloudTrust program bestowed on cloud services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
G-Cloud UK Government Standards. The G-Cloud Framework enables public bodies to procure commodity-based, pay-as-you-go cloud services on government-approved short-term contracts through an online catalog called the Digital Marketplace. As a G-Cloud supplier for the UK public sector, Syncron offers services pursuant to the G-Cloud procurement process.
Tested and Verified.
Trusted Third-Party Data Centers. Syncron utilizes the Amazon Web Services infrastructure for its cloud service. The AWS infrastructure carries ISO27001 certification and SOC1/2/3 attestation, among other industry certifications, alignments and frameworks.
Penetration Tested. Annual penetration tests are performed by independent third parties to verify the security of both the infrastructure and the application.
Continuous Monitoring. Weekly network scans run against the entire public IP range to test open ports and running services. Quarterly internal and external vulnerability scans are performed against Syncron systems.
Last updated September 2019.