Syncron’s Security, Privacy and Compliance Ecosystem
Security Overview
“Defense in Depth” with a layered approach to security at:
- Network (network segregation, firewalls, proxy servers and filtering)
- Host (server hardening, patch management, vulnerability management)
- Application (role-based access control, strong authentication, audit logging)
- Data (encryption, integrity monitoring, malware protection)
- Physical (ISO-certified, SOC2 audited data centers)
Native Security Functions
✓ Authentication through configurabe policies for strong passwords as well as support for single sign-on via SAML 2.0.
✓ Access Control via role-based permissions that can be set to individual’s need to know.
✓ Encryption, both in transit and at rest. All access to Syncron SaaS instances is encrypted via “high” security ciphers and the TLS protocol. The option to encrypt data stored in customer database instance using 256bit AES encryption protocol
✓ Audit Logging and Monitoring. Audit logging is enabled for sensitive events and entities by default such as logins, admin activity, user, role, permission, etc. Configurable for other entities.
✓ High Availability with redundant systems and an uptime service level promise of 99,5%. Two live copies of databases store data in separate datacenters, with automated failover.
Your Privacy Respected
✓ Choice of datacenter location. Your Syncron instance can be hosted in the EU, Asia-Pacific, or in the USA depending on customer preference. Your data never leaves the region where the application is located.
✓ Compliance with Data Protection Regulations. Syncron supports its customers’ compliance with European and North American data privacy regulations via selective data location and data protection agreements.
✓ GDPR-ready. Syncron perceives this regulation as an important step forward in enhancing individuals’ data privacy and streamlining data protection laws across the EU. Syncron is committed to compliance with the GDPR across its cloud services when enforcement begins on May 25, 2018.
✓ Full data ownership. Customer data is owned by the customer and can be removed by the customer at any time.
✓ No data retention beyond contracted service. Upon termination of the contract, all customer data deleted securely from Syncron systems. All hardware goes through a decommissioning process described in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88(“Guidelines for Media Sanitization”).
✓ No Advertising. We do not scan your data for building analytics, data-mining or advertising.
Compliance, Assured.
SOC 2 Compliance. Syncron System and Organization Controls (SOC) 2 Type II Report on security, availability and confidentiality is an independent third-party examination that demonstrates how Syncron achieves key compliance controls and objectives. The purpose of this report is to help our customers and their auditors understand the Syncron controls established to support their operations and compliance. Full report is available to Syncron customers by request.
Certified Information Security. Syncron’s information security management system is ISO27001 certified for the development, acquisition, maintenance and operation of its cloud services offered in a SaaS model.
Enterprise-Ready rated. Syncron has been awarded the “enterprise-ready” rating by the CloudTrust program bestowed on cloud services that fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
G-Cloud UK Government Standards. The G-Cloud Framework enables public bodies to procure commodity-based, pay-as-you-go cloud services on government-approved short-term contracts through an online catalog called the Digital Marketplace. As a G-Cloud supplier for the UK public sector, Syncron offers services pursuant to the G-Cloud procurement process.
Tested and Verified.
Trusted Third-Party Data Centers.Syncron utilizes the Amazon Web Services infrastructure for it’s cloud service. The AWS infrastructure carries ISO27001 certification and SOC1/2/3 attestation among other industry certifications, alignments and frameworks.
Penetration Tested.Annual penetration tests are performed by independent 3rd parties to verify the security of both the infrastructure and the application.
Continuous Monitoring. Weekly network scans run against the entire public IP range to test open ports and running services. Quarterly internal and external vulnerability scans performed against Syncron systems.
Last updated August 2020.