Sestek Cloud Security Statement - Huawei Turkey Cloud Environment


Overview

SESTEK SaaS Platform is hosted and delivered by Huawei Cloud. Huawei is responsible for the security of its data centers and of the Huawei Cloud itself. This includes the physical security of its data centers, the security and maintenance of the hardware and software that make up the infrastructure, and the security of the networks that connect that infrastructure.

SESTEK is responsible for the security of the applications, data, and operating systems that run on the Huawei Cloud infrastructure. This includes tasks such as securing your data in transit and at rest, configuring and maintaining the security of operating systems and applications, and implementing access controls for resources.

A general overview of Huawei Cloud services is available at the following link: Products - Huawei Cloud.

Facilities

Huawei Cloud manages the data centers that host the SESTEK SaaS Platform. For more information about general security, including data center security, please refer to the Huawei Cloud Security White Paper.

The SESTEK SaaS Platform is currently hosted in the Huawei Cloud Istanbul region.

Infrastructure

Our cloud offerings are hosted in Huawei Cloud, a niche public cloud service provider. Huawei Cloud provides a robust global cloud platform that incorporates strong security practices and ensures high availability. Huawei Cloud offers many security features designed to protect data and applications, ranging from physical and environmental security through network security to data privacy and security controls.

SESTEK SaaS Platform uses Availability Zones (AZs), which are geographical locations engineered to be insulated from failures in other AZs. Each AZ consists of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Dedicated fiber lines connect the AZs so that normal connectivity has very low latency and AZ outages are detectable in seconds. All SESTEK SaaS Platform hosted services are deployed into multiple AZs, making them tolerant of a data center failure or even the failure of an entire AZ.

Key features of the Huawei Istanbul Region:

  • 99.95% high reliability
  • Consists of 3 AZs
  • Tier 3+ certification
  • 9-magnitude earthquake resistance
  • Neutral DC with best network resource
  • Multiple power supplies to ensure energy safety; 10 MW total capacity
  • UPS: N+1 redundancy, 10-minute backup time
  • 12-hour standby diesel plus fuel supply agreement
  • Cooling system: N+1 redundancy
  • Standardized emergency response

Certification

Huawei Cloud manages the security of the cloud. Huawei Cloud has been certified by third-party organizations and manages many compliance programs to comply with laws and regulations.

Huawei Cloud Türkiye is the only public cloud that complies with Turkish regulations. It enables customers to comply with KVKK, BTK and other Turkish data privacy and network security regulations.


SESTEK has ISO 27001, ISO 27017 and ISO 27018 certifications.

People and Access

Within SESTEK, only a few trusted members of our Cloud Team have access to the production environment, for the purposes of maintaining the SESTEK SaaS Platform and assisting our customers. Additionally, we monitor all access to SESTEK Cloud.

Customers are responsible for maintaining the security of their own user accounts. This includes keeping their login information, such as username and password, confidential and not sharing it with anyone else.

Data Security

In the SESTEK SaaS Platform, data at rest is encrypted with AES-256. All sensitive customer data is encrypted, logically segregated and segmented in a multi-tenant architecture. These measures offer the best assurances that customer data is safe from unauthorized access and limit the risk of data being compromised in any meaningful manner, while protecting the privacy, control, and autonomy of each customer's data independently from any other. Additionally, all communications with the SESTEK SaaS Platform are protected over HTTPS using TLS 1.2, and communications within the cloud are protected with VPN network connections.

We continuously monitor the changing security landscape of cryptography and cybersecurity to ensure that we offer the best available protections to our customers and their sensitive data.

Data Retention

SESTEK provides a feature that lets you define your own data retention policy. The retention period can be decided by the customer according to their business needs and legal obligations. Our products have a defined retention period, and the data of customers who discontinue the service is deleted in accordance with this period.

Data Backup

On a regular basis, SESTEK performs system backups of application files, database files, and storage files. All backup files are subject to the privacy controls in practice at SESTEK.
Customer data is backed up every 5 minutes and is encrypted following industry standards. Backups are retained for 16 days. The restore procedures are tested on an ongoing basis to ensure rapid restoration in case of data loss. In case of data loss, the planned RPO is 15 minutes and the RTO is 3 hours.

Network Security

Our cloud infrastructure implements network security through isolated private network constructs. Traffic is strictly controlled to flow only within defined boundaries and along explicitly permitted paths. Access rules follow the principle of least privilege, with all unspecified or unauthorized connections denied by default. This approach ensures secure and controlled communication both between internal services and with external endpoints.

All our infrastructure elements are time-synchronized against a centralized NTP source.

Application Security

1. Development Life Cycle and Maintenance

SESTEK implements several practices to keep each stage of the software development life cycle secure. These include:

Planning – During the planning stage, Product Management submits a report specifying the product's security requirements.
The report covers the security requirements of all solution components, such as the application, the database, and the client side. To manage security issues optimally, SESTEK uses various methods, such as access control, auditing, and monitoring.

Design and Development – Product Management verifies that the design and development of the product are based on SESTEK security guidelines. Other security issues are addressed by an additional security-gap requirements document. Security code review is performed on the security-sensitive parts of the application.

Implementation, Testing, and Documentation – Unit, integration, and system testing confirm that the security requirements are properly implemented. The requirements are documented and become standard policy.

Deployment and Maintenance – The SESTEK Cloud Team is responsible for identifying, managing, and minimizing security vulnerabilities. SESTEK also performs annual penetration tests or security reviews.

2. Change Management

In order to prevent unauthorized changes in the cloud environment and maintain a high level of service to customers, SESTEK has implemented change management procedures so that all activities are recorded, documented, scheduled, and approved. Every change in the SESTEK SaaS platform must follow this procedure:

  • Planning stage – documentation and test procedure
  • Approval cycle for the procedures, following at least the four-eyes approval principle
  • Coordination and notifications
  • Execution during the maintenance window
  • Documentation

3. Access Control

The following items are relevant for access control:

Access control – Access to the infrastructure is limited based on role and responsibility, and is only available to Support and Professional Services for maintaining and supporting customers.

Authentication – SESTEK also enforces a strict role-based password policy that applies to both layers: the operational team members and the application's users. Passwords are stored as one-way hashes computed with an industry-standard hash algorithm, so the original password cannot be recovered from the stored value. Only the application is able to compare the stored hash against an entered password.

Authorization and Privacy – Multi-tenancy and shared resources are basic characteristics of SaaS architecture. Resources such as storage and networks are shared between users. Strict data isolation is applied at all layers of the application. Depending on the resource, isolation is achieved through firewall rules for network isolation, separate databases for database isolation, and separate files and permissions for file-sharing isolation.

Open-Source Security

We use only widely adopted, actively maintained open-source software that has become an industry standard. Our release process includes CVE scanning, and any release containing a critical vulnerability is blocked. Additionally, our CI/CD pipeline performs daily automated scans and applies fixes, while our automated functional tests ensure that these fixes do not break the software. We continuously monitor the maintenance and security practices of the open-source repositories we rely on, and if we detect poor maintenance or unresolved vulnerabilities, we promptly replace or remove the affected components, as we have done in the past.

Capacity Management

As a SaaS provider, our organization monitors the total resource capacity of the infrastructure we serve and implements mechanisms to prevent information security breaches that may arise from insufficient resources. In this context, indicators such as disk occupancy, processor load and network traffic are constantly monitored, and when critical levels are reached, the relevant technical teams are mobilized through automatic notification systems. These measures aim to protect the integrity, availability and security of customer data.

Asset Management

The following items are relevant for asset management:

Incident Management – NIST defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices." To handle security incidents effectively, SESTEK has established incident response and notification procedures. SESTEK employs a cloud team that responds to security incidents and mitigates risks. The team uses monitoring and tracking tools. Additionally, the team has clear procedures in place for communicating incidents to any involved party and for handling escalations.

Personnel Security – SESTEK understands that the malicious activities of an insider could impact the confidentiality, integrity, and availability of all types of data, and has therefore formulated policies and procedures concerning the hiring of IT administrators and others with system access. SESTEK has also formulated policies and procedures for the ongoing periodic evaluation of IT administrators and others with system access. User permissions are updated and adjusted so that when a user's job no longer involves infrastructure management, the user's console access rights are immediately revoked.

Background Checks – Once a candidate has been offered a job with SESTEK, and before he or she begins employment, we conduct a background check. For all background checks and reference checks, we obtain a release from the candidate prior to starting the screening process.
We use a third party to conduct our background checks. The standard check includes an S.C check, criminal history, employment verification, and reference checks. Any additional checks are conducted based on business needs.

External Security Audits

We continue to work with respected third-party application security monitoring and assessment experts on a regular, periodic basis. The goal is to proactively identify potential vulnerabilities so that we can quickly address them and stay current with the ever-changing cybersecurity landscape.

In these engagements, the third-party companies conduct vulnerability and penetration scans along with a number of additional security reviews, such as audits against OWASP-identified vulnerabilities.

Privacy

At SESTEK, we place great importance on the privacy of our customers and the protection of their personal data within the scope of the products and services we offer. In the development of our products and services, we closely follow the legal regulations, the guidelines issued by the relevant authorities and the decisions made in the field of personal data protection, and we act in accordance with them. For more information, please see our Privacy Policy.