Physical Security
* All servers and data are placed within the IS/KPN data center, located at Kabelweg 48 in Amsterdam.
* Access is granted only with our prior approval. The data center requires an ID, fingerprint scans and authorization to access the rack.
* The racks have a physical lock in place.
* All activity is logged and saved with comments.
Management Security
* Management access to servers is not reachable from the internet. The servers can be accessed physically or through a VPN tunnel.
* Accounts with access to the internal network can be restricted to a single network resource or granted access to all of them.
* All activity is logged.
* The storage on which the VM servers run is located on a redundant Active/Active cluster (Open-E ZFS cluster) and uses a three-way mirror.
Data Security
* All data stored inside the platform is backed up to two independent storage nodes on a daily basis (RPO = 1 day, RTO = 2 to 48 hours).
* All media data is also replicated to a backup server at our office, in two places (RPO = 1 day).
* All storage nodes use RAID 6 and/or RAID 10 for hard disk redundancy.
Server Security
* Servers that run our software run a long-term-supported version that can be updated quarterly or ad hoc (if a major incident arises).
* Our security team receives daily security reports for all software versions we run and acts on them accordingly.
* We use GeoTrust / RapidSSL v3 certificates with SHA-256 signatures and 2048-bit RSA keys.
* Certificates used by web services are checked periodically with Qualys SSL Labs to confirm they pass.
* How this will be arranged in the future: the old server is being phased out so that everything runs on the new server.
Software Security
* We provide reports on request by the client.
* We use an R&D process based on pair programming with two developers. After completion of a task or bug fix, the code is verified by the other developer, following the Scrum method.
* Each change to the code is automatically run against a thousand tests to ensure quality.
* Periodically, the platform is scanned for vulnerabilities with industry-standard vulnerability scanning software.
Additional Security
* Full criminal background checks on employees are done as part of the extensive interview process.
* The PAM solution keeps a complete audit trail of who has had access to which system (Thycotic / 4Passwords.com Secret Server).