Sestek Cloud Security Statement

Overview

Sestek SaaS Platform is hosted and delivered by Amazon Web Services (AWS). Amazon is responsible for the security of its actual data centers and the AWS cloud. This includes the physical security of its data centers, security and maintenance of the hardware and software of infrastructure, and security of the networks that connect the infrastructure.
Sestek is responsible for security of applications, data, and operating systems that run on the AWS infrastructure. This includes tasks such as securing your data in transit and at rest, configuring and maintaining the security of operating systems and applications, and implementing access controls for resources.
You can have a general overview of AWS services from this video.

Facilities

AWS manages the data centers that host the Sestek SaaS Platform. For more information about security at those data centers, see here

Sestek SaaS platform is currently hosted in AWS Paris (eu-west-3), Ohio (us-east-2), London (eu-west-2) and UAE (me-central-1) regions. Sestek SaaS Platform is planned to be hosted in several AWS regions worldwide.

Infrastructure

Sestek SaaS Platform uses AZs (Availability Zone) which are geographical locations engineered to be insulated from failures in other AZs. Each AZ consists of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Dedicated fiber lines connect AZs so that normal connectivity has very low latency and AZ outages are detectable in seconds. All Sestek SaaS Platform hosted services are deployed into multiple AZs making them tolerant in the event of a data center or even an entire AZ failure.

Sestek SaaS Platform uses Application Load Balancers (ALBs) to route internal and external traffic to healthy servers. ALBs are clusters of managed services that run in multiple availability zones (AZs). ALBs load balance HTTP requests across multiple AZs, backend Elastic Compute Cloud (EC2) instances. When the ALB detects that a backend instance is either at capacity or has failed, it routes traffic to other instances in seconds to compensate. Both Sestek SaaS Platform’s public APIs and backend instances are fronted by ALBs. Amazon ALB is designed for up to 99.95% availability and is backed by the Amazon ALB service level agreement.

Sestek SaaS Platform uses Amazon Simple Storage Service (S3) providing a durable infrastructure to store important data and is designed to deliver eleven 9s of durability. Your data is redundantly stored across multiple facilities and multiple devices in each facility. Amazon S3 is designed for up to 99.9999999% availability of objects over a year and is backed by the Amazon S3 service level agreement. This ensures that the service is reliable.

Certification

Amazon Web Services manages the security of the cloud. AWS has been certified by third-party organizations and manages many compliance programs to comply with laws and regulations. A list of such certifications and compliance statements can be found here.

AWS has a public SOC 3 report on Security, Availability & Confidentiality (pdf)
Sestek has ISO 27001 and SOC2 ( Type 2 Report) certifications. HIPAA and PCI DSS compliances are expected to be achieved very soon.

People and Access

Within Sestek, only a few trusted members of our Cloud Team have access to the production environment for the purposes of maintaining Sestek SaaS Platform and assisting our customers. Additionally, we monitor all access to Sestek Cloud.

Customers are responsible to maintain the security of their own user accounts. This includes keeping the login information, such as their username and password, confidential and not sharing them with anyone else.

Data Security

In Sestek SaaS Platform, data at rest is encrypted with AES-256 standard. All sensitive customer data is encrypted, logically segregated and segmented in a multi-tenant architecture. These measures offer the best assurances that customer data is safe from unauthorized access and limit the risk of data being compromised in any meaningful manner while protecting the privacy, control, and autonomy of each customer’s data independently from any other. Additionally, all communications with Sestek SaaS Platform are protected with HTTPS protocol using TLS Version 1.2 and within the Cloud with VPN network connections.

For data security, AWS security services are used to prevent any data breaches. Network firewalls, WAF, S3 Protection, EKS Protection, RDS protection, malware protection are in place. All the suspicious activities are monitored and alerted by AWS CloudWatch service. AWS Foundational Security Best Practices v1.0.0 are applied continuously.

Data Retention

Sestek provides a feature that lets you determine your own data retention policy for your data. In case you leave our service, one month later your data is moved into a secure storage archive and removed from production database. As a part of our effort of not storing unnecessary data too long the data is then removed from the archive when six months has passed from leaving our service. If you return within six months later to Sestek your archived data is restored as it was but if not, the data is removed from the archive also.

Data Backup

On a regular basis, Sestek performs system backups to back up application files, database files, and storage files. All backup files are subject to the privacy controls in practice at Sestek.
Customer data is backed up for every 5 minutes and is encrypted following industry standards. Backup lifetime is 16 days. The restore procedures are tested on an ongoing basis to ensure rapid restoration in case of data loss. In case of any data loss, RPO is planned to be 15 minutes and RTO is 3 hours.

Endpoint Protection

All critical infrastructure sources such as virtual servers, elastic kubernetes clusters, storage buckets and relational database systems are protected by AWS GuardDuty service. There is also malware protection in this scope.

Network Security

AWS Firewalls: Applications in the hosting and cloud have firewalls installed to shield them from attack and prevent the loss of valuable customer data. The firewalls are configured to serve as perimeter and internal firewalls to block ports and protocols. Firewall also provides Intrusion Detection and Prevention security infrastructure.

AWS DDoS Protection: AWS DDoS protection provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
All our infrastructure elements are using a centralized NTP and time synchronized.

Application Security

1. Development Life Cycle and Maintenance
Sestek implements several practices to keep each stage of the software development life cycle secure. These include:

Planning – During the planning stage, Product Management submits a report specifying the product’s security requirements.
The report includes the security requirements covering all of the solution components, such as the application, the database, and the client side. To manage security issues optimally, Sestek uses various methods, such as access control, auditing, and monitoring.

Design and Development – Product Management verifies that the design and development of the product are based on Sestek security guidelines. Other security issues are addressed by an additional security-gap requirements document. The security code review is tested on security-sensitive parts of the application.

Implementation, Testing, and Documentation – Unit, integration, and system testing confirm that security requirements are properly implemented. The requirements are documented and become standard policy.

Deployment and Maintenance – Sestek Cloud Team is responsible for identifying, managing, and minimizing security vulnerabilities. Sestek also performs annual penetration tests or security reviews.

2. AWS Web Application Firewall
It helps to protect web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. AWS WAF gives control over how traffic reaches Sestek SaaS Platform by enabling to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting.

3. Change Management
In order to prevent an unauthorized change in the cloud environment, and maintain the high level of service to customers, Sestek has implemented change management procedures so that all activities are recorded, documented, scheduled, and approved. Every change in Sestek SaaS platform must follow the following procedure:
• Planning stage – document, test procedure
• Approved cycle of the procedures, at least 4 eyes approval principle
• Coordination and notifications
• Execution in maintenance time
• Documentation

4. Access Control
The following items are relevant for access control:
Access control – Access to the infrastructure is limited, based on role and responsibility and is only available to Support and Professional Services for maintaining and supporting customers.

Authentication – Sestek also enforces a strict role-based password policy that applies to both layers - the operational team members and the application's users. Passwords are stored in an encrypted form, using a one-way encryption method based on an industry-standard hash algorithm. Only the application is able to compare the hashed and entered passwords.

Authorization and Privacy – Multi-tenancy and shared resources are basic characteristics of SaaS architecture. Resources, such as storage, and networks are shared between users. Strict data isolation is applied in the application to all layers of the application. Data isolation will be defined based on either shared resources using firewall rules for network isolation, separate databases for database isolation and separate files and permissions for files sharing isolation.

Asset Management

The following items are relevant for asset management:

Incident Management – NIST defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” To handle security incidents effectively, Sestek has constructed incident response and notification procedures. Sestek employs a cloud team that responds to security incidents and mitigates risks. The team uses monitoring and tracking tools. Additionally, the team has clear procedures in place for communicating the incidents to any involved party and for handling escalations.

Personnel Security – Sestek understands that the malicious activities of an insider could have an impact on the confidentiality, integrity, and availability of all types of data and has therefore formulated policies and procedures concerning the hiring of IT administrators or others with system access. Sestek has also formulated policies and procedures for the ongoing periodic evaluation of IT administrators or others with system access. User permissions are updated and adjusted so that when a user's job no longer involves infrastructure management, the user's console access rights are immediately revoked.

Background Checks – Once a candidate has been offered a job with Sestek and before he or she begins employment, we conduct a background check. For all background checks and reference checks we receive a release from the candidate prior to starting the screening process.

We use a third party to conduct our background checks. The standard check includes S.C check, criminal history, employment verification, and reference checks. Any additional checks are conducted based on business needs.

Privacy

SESTEK understands the importance of ensuring the privacy of your personally identifiable information. For more information, please see our Privacy Policy.