Exponea Data Security Commitment
Our commitment to Security and Privacy
We always strive to be transparent about how we protect our clients' data and reputation. As a result, we have always taken the topics of security and privacy at Exponea seriously, placing them as a high priority in our day-to-day business functioning.
This whitepaper outlines Exponea’s perspective on security and compliance, highlighting the measures we take to stay secure and compliant. It focuses on security controls and elaborates on processes and details of how Exponea protects our clients’ data.
To get a deeper understanding of security at Exponea, you can find our Security handbook here: https://exponea.com/e-books/exponea-security/
Security as our priority
We aim to create a strong security culture amongst all employees of Exponea. We strongly believe that every employee is an essential part of our defense against potential security breaches.
This culture has a strong impact on all employees and is present during the hiring process, employee onboarding and as a part of the employees' ongoing training. Before an employee joins Exponea, we perform a background check. All our employees must be familiar with our security policies, go through security training as part of the onboarding process and receive regular security training throughout their time at Exponea. During the onboarding process, new employees agree to our NDA and go through OWASP training. This shows our commitment to keeping the data of our customers secure.
All employees working at Exponea must follow our password security and lockout policy, use two-factor authentication, have a secure Wi-Fi connection and be connected to our VPN when working remotely. Additionally, all of Exponea's employees use Okta, a Single Sign-On service that enables them to securely access their accounts and applications.
Security development practices
Exponea's developers in the IT segment receive instructions on topics including clean coding and development practices and the principle of least privilege when granting access rights. The IT department also attends technical presentations on security-related topics, receives regular updates on the newest issues from the cybersecurity space in our security channel and is tested to ensure ongoing compliance.
The certificates we currently hold include:
Security operations team & our DPO
Exponea's dedicated team of security engineers, led by a Cybersecurity Manager, is an essential part of our IT infrastructure. This team is responsible for maintaining Exponea's protection and defense systems, building security frameworks, reviewing operational security processes, and creating new security policies. The security team is also responsible for monitoring any suspicious activity, addressing cybersecurity threats and performing regular health checks and audits.
Our independent Data Protection Officer (DPO) makes sure that we stay compliant. Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, GDPR awareness-raising, training, and audits.
We make sure that all of our endpoint devices are protected according to our Endpoint Security Policy. This means that every endpoint device has disk encryption, malware protection, guest access disabled, a firewall, and a regularly updated OS. In addition, we perform continuous checks to make sure that we maintain this high level of security.
Our security monitoring is performed on information collected from internal network traffic and our knowledge of our own vulnerabilities. Internal traffic is checked for any suspicious behavior. Network analysis and examination of system logs to identify unusual behavior are a vital part of monitoring. We also place search alerts on public data repositories to look for security incidents and analyse system logs.
Exponea has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked, given a priority according to its urgency, and assigned to the relevant people as a ticket. Our security team tracks such issues and follows up regularly until it can confirm that the issues have been resolved.
GCP runs in a multi-tenant, geographically distributed environment to support the availability of services. GCP guarantees that data is distributed across a high-availability infrastructure designed to store extremely large amounts of data on many servers. We have also built a highly available, resilient and redundant architecture to ensure that our data is replicated in real time to multiple data centers within a region or across multiple regions. This provides high availability for our clients through dynamic load balancing across those sites.
Exponea has a well-defined incident management process for security events that may affect the confidentiality, integrity or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and the shortest resolution time. This process involves plans of action and procedures for identification, escalation, mitigation, and reporting.
It is vital for us to properly test all new features before implementing them to ensure that no unexpected vulnerabilities are introduced into the application. The QA team guarantees that all new additions to our application are bug-free prior to release. They also test new private instances for our new clients just before they are handed over to our Client Services team.
Protecting our clients’ data
Whenever we store data in the Google Cloud Platform (GCP), there are several layers of encryption. By default, data is encrypted both at rest and in transit. Data at rest is encrypted with the Advanced Encryption Standard (AES), and data in transit is protected with Transport Layer Security (TLS). Without any further implementation on our side, GCP encrypts and authenticates all data in transit at one or more network layers whenever it moves outside physical boundaries not controlled by or on behalf of Google. Our encryption uses encryption keys managed by Google.
The Exponea application operates in the Google Cloud Platform (GCP), to allow for the use of our platform and tools wherever you are. We offer data centers in the US and UK for our American and British clients, if required. By default, our data is processed within the EU, with three primary data centers in Belgium.
The Exponea application supports our customers in finding the best ways to be compliant with the GDPR. Built with Privacy by Design, the application includes customer rights, access minimisation, data minimisation and legal base management features. Clients have complete control of data inputs. Furthermore, clients can utilise Consent Management to set a purpose for processing, data subject rights management to download, rectify, delete or anonymise all customer data and data expiration periods for events and customer attributes. Access management also enables users to select specific data types as PII and then set/revoke permission to see PII per user. In addition, data API enables the clients to integrate their systems to enable fast execution of data subjects requests.
At Exponea we offer Shared, Private and Exclusive instances. All of our clients have a secure setup as a baseline. This includes 2FA (SMS, App Authenticator) and a Captcha challenge-response test when signing in. We use Google Load Balancer with firewall rules to protect load-balanced resources during distribution, and TLS to encrypt communication within the Exponea application. We ensure that static IPs used for webhooks and imports are encrypted in log files.
For more sensitive categories of data we offer features including:
IP restriction (Cloud Armor)
Static IP (Dedicated Proxy)
Virtual Private Network (VPN)
Vulnerability scan report
Audit log report access
More information on the specific features can be found here and below:
In the face of potential security vulnerabilities, Exponea responds by improving the application's security measures and adopting the newest cybersecurity improvements. To stay in line with constantly evolving data protection regulatory frameworks, we look ahead so that we remain one step in front.
Interested in hearing more? You can read more about our security here: https://exponea.com/e-books/exponea-security/