Infrastructure and Application Security

Table of Contents

Application infrastructure

  • Sumday's digital ecosystem is hosted by Microsoft Azure, a global leader in cloud computing. We prioritise the security of your data and connections to our platform. All information is encrypted, guaranteeing confidentiality and robust protection.
  • Sumday maintains ISO 27001 compliance, assuring that our practices adhere to stringent international standards.
  • Our infrastructure is fortified with advanced defence mechanisms, including intrusion detection and a robust web application firewall.
  • We take your data's safety seriously, conducting regular backups and proactively reviewing security policies and architecture to stay ahead of evolving threats.
  • More information, including our ISO27001 certifications can be made available on request, contact support@sumday.io

Availability

  • We understand that uninterrupted access to our services is crucial to your experience. We are committed to providing reliable and available applications to ensure you can access our platform whenever you need it.
  • Our infrastructure is designed for high availability, leveraging leading cloud computing solutions that enable us to maintain consistent and stable service. We've implemented redundancy and failover mechanisms to minimize downtime and ensure continuity even in the face of unexpected challenges.
  • We actively monitor our applications to identify and resolve any issues swiftly. Our dedicated team works around the clock to ensure that our services are always accessible.
  • In the event that maintenance or updates are required we schedule these during off peak hours and provide ample notice so that there is minimal disruption to you.
  • If your business requires a specific SLA please contact us to discuss.

Access Controls

Sumday access controls are guided by the principle of least privilege and need. These controls apply to critical data and data processing systems at the application and operating system layers, including networks and network services. Sumday employees are only granted the minimum necessary access to perform their job.

Encryption

The information stored on the Sumday platform is carefully protected, with encryption measures applied both at rest and in transit. When the data is at rest, meaning it is stored within the platform's databases, it is encrypted. Similarly, during transit, when the data is being transferred between the client applications and our servers, it is also encrypted.

Encryption at rest

All data, including backups, is encrypted at-rest using AES-256 encryption.

Encryption in transit

Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2.

Secure Sockets Layer

Secure Sockets Layer (SSL) certificates are issued and managed through Azure, and HTTP Strict Transport Security (HSTS) is enabled. We score an A+ rating on Qualys SSL Labs tests.

Operation Security

Capacity Management

  • Critical parameters and their thresholds are monitored for all critical infrastructure elements and software at periodic intervals to ensure required performance levels and availability.
  • Capacity planning takes into account current and projected trends in Sumday’s information-processing capabilities.
  • System monitoring is enabled to ensure and, where necessary, improve the availability and efficiency of our systems. Detective controls like alerts or alarms are in place to indicate problems in due time.

Backups

Sumday follows a backup retention policy that helps balance the need for historical data availability with storage considerations. Weekly backups are retained for one month, monthly backups are retained for one year, and yearly backups are retained for 2 years. This retention strategy allows for efficient recovery options based on specific recovery timeframes. Additionally, point-in-time restore data is kept for up to 7 days, enabling the restoration of data to specific points in time if necessary.

Logging and Monitoring

Infrastructure elements and software used for Sumday’s operations are configured, where feasible, to capture security-relevant logs (e.g. use of privileged accounts like root and administrator accounts, system failures, policy violations, unauthorized access attempts, and logging of firewall traffic).

Control of Operational Software

Sumday does not allow the installation of any other software on our production infrastructure.

Technical Vulnerability Management

Sumday enforces code review processes and uses automated scanning for vulnerabilities in its devops chain to prevent source vulnerabilities, while application vulnerabilities are prevented by applying secure methods by default to all infrastructure, using whitelist/as-needs access policies, and conducting regular automated and full penetration testing. Additionally, vulnerability detection is achieved by enabling Application Insights logging on all public-facing endpoints.

Vendor Management

Sumday utilizes various third-party vendors to ensure the smooth operation of its services, with some being crucial for maintaining security and continuous service delivery. A systematic approach is adopted when sharing critical data with these vendors, which includes regular reviews of their performance and safety measures. This process involves confirming the availability of a contact point should service interruptions occur, verifying the vendors' information security certifications such as SOC2 or ISO27001, and assessing the sufficiency of the vendors' security practices. If such information is lacking, vendors are sent an assessment questionnaire. Furthermore, contingency plans are in place to mitigate potential issues like vendor downtime or sudden cessation of operations, including the option of collaborating with alternative vendors.

 
Did this answer your question?
😞
😐
🤩

Last updated on Invalid Date