We have always taken the topics of security and privacy at Exponea very seriously. It is our highest priority to protect the data we work with, including our clients’ data. We strive to always use the highest measures so that we stay secure and compliant. Security shapes our structure, educational objectives, and the recruiting process.
This whitepaper outlines Exponea’s perspective on security and compliance. It focuses on security controls and elaborates on processes and details of how Exponea protects our clients’ data.
We are trying to create a strong security culture amongst all employees of Exponea. We strongly believe that every employee is an essential part of our defense against potential security breaches.
This culture applies to all employees and is present at every stage: the hiring process, employee on-boarding, the ongoing training that Exponea provides, and company events held to raise awareness. Before an employee joins Exponea, we perform a background check. All our employees must be familiar with our security policies, go through security training as part of the on-boarding process, and receive regular security training throughout their time at Exponea. During on-boarding, new employees agree to our NDA and complete OWASP training. This reflects our commitment to keeping our customers' data secure.
All employees working at Exponea must follow our password security and lockout policy, must use two-factor authentication (2FA), and must use a secure Wi-Fi connection or, alternatively, be connected to our VPN when working remotely. Additionally, all of Exponea's employees use Okta, a single sign-on (SSO) service, to securely access their accounts and applications.
The developers in the IT segment receive instruction on topics such as secure coding and development practices and the principle of least privilege when granting access rights. The IT department also attends technical presentations on security-related topics and receives regular updates on the newest issues in the cybersecurity space through our security channel.
Exponea has valid certifications to show how seriously we take the topics of security and compliance. We currently have the following certifications:
Exponea has a dedicated team that consists of security engineers and a cybersecurity manager who are an essential part of our IT. This team is responsible for maintaining Exponea’s protection and defense systems, reviewing security operational processes, building security frameworks and creating new security policies. They also monitor any suspicious activity, address cybersecurity threats and perform regular health checks and audits. Our independent Data Protection Officer (DPO) makes sure that we stay compliant. The DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, GDPR awareness-raising, training, and audits.
We make sure that all of our endpoint devices are protected according to our Endpoint Security Policy. This means that every endpoint device has disk encryption, malware protection, guest access disabled, an active firewall, and a regularly updated OS. In addition, we perform regular checks to make sure that we maintain this level of security.
Our security monitoring is based on information collected from internal network traffic combined with our knowledge of our own vulnerabilities. Internal traffic is checked for any suspicious behavior. Network analysis and examination of system logs to identify unusual behavior are a vital part of monitoring. We also place search alerts on public data repositories to look for security incidents, and we analyse system logs.
Exponea has a vulnerability management policy that includes processes such as regular web scans and scans for potential threats. Once a vulnerability requiring our attention has been identified, it is tracked, given a priority according to its urgency, and assigned to the relevant people as a ticket. Our security team tracks such issues and follows up regularly until it has verified that they have been resolved.
Exponea has well-defined incident management processes for security events that may affect the confidentiality, integrity, or availability of our clients' resources or data. If an incident occurs, the security team identifies it, reports it, assigns it to the correct resolver, and gives it a resolution priority based on its urgency. Events that directly impact our customers are always assigned the highest priority and the shortest resolution time. This process involves plans of action and procedures for identification, escalation, mitigation, and reporting.
It is vital for us to properly test all new features before releasing them, so that no unexpected vulnerabilities are introduced into the application. The QA team guarantees that all new additions to our application are bug-free prior to release. They also test private instances for new clients just before these are handed over to our Client Services team.
Whenever we store data in the Google Cloud Platform (GCP), several layers of encryption apply. By default, data is encrypted both at rest and in transit. Additional security controls are implemented depending on the requirements of our customers. Without any additional configuration, GCP encrypts and authenticates all data in transit at one or more network layers when data moves outside physical boundaries not controlled by or on behalf of Google. Google uses the Advanced Encryption Standard (AES) algorithm to encrypt data at rest. Transport Layer Security (TLS) is used to encrypt data in transit.
The Exponea application supports our customers in complying with the GDPR. Clients have complete control of consent management (they set a purpose for processing) and of data subject rights management (they can download all of a customer's data, anonymize a customer, or delete a customer). Exponea's access management lets users mark specific data types as PII and then grant or revoke permission to see PII on a per-user basis. For every event it is possible to manage retention and set expiration separately. In addition, the data API enables clients to integrate their own systems so that data subject requests can be executed quickly.
Exponea Core Security
At Exponea, we make sure that all our clients have a secure set-up. This includes two-factor authentication (SMS, authenticator app, YubiKey) and a CAPTCHA challenge-response test when signing in. We use Google Load Balancer with firewall rules to protect load-balanced resources during distribution, and TLS to encrypt communication within the Exponea application. We ensure that static IPs used for webhooks and imports are encrypted in log files.
Exponea Enterprise Security
We go even further when working with extremely sensitive data, such as data from the banking or telecommunications sector, and implement extra measures to raise the level of security of such clients' data and resources. We therefore provide a set of features for enterprises requiring an enhanced level of security and access management. This includes SSO (single sign-on) integration for signing in, a WAF to filter HTTP traffic from specific websites, an audit log that is automatically maintained on each instance for each project, IP deny/allow lists via Cloud Armor, site-to-site VPN to eliminate unauthorised access to private instances, vulnerability scan reports from Tenable Nessus, and web scan reports.
The protection of our clients’ data and resources is our priority and therefore, we will continue to improve our security measures and keep up to date with the newest cybersecurity advancements. Finally, we will keep up with the newest regulatory laws so that we stay compliant.