Security Policy

Last updated: 27 September 2022

Introduction

Swifteq is, at the heart of it, a data company. Protecting the data our customers have entrusted us with is our primary concern from day one. We believe it is important for our customers to be aware of the organisational and technical security measures that we take to protect their data. If you have specific security concerns, please reach out to support@swifteq.com.
This document is intended to complement our Service Agreement, Data Processing Agreement, and Privacy Policy.
Data Centre Security

The data centres we use maintain an industry-standard, fully redundant and secure network architecture with reasonably sufficient bandwidth and redundant network infrastructure to mitigate the impact of individual component failure:

•       All Swifteq servers and data are hosted securely in Amazon Web Services (AWS) facilities in Ireland, within Europe. This service provider meets international security standards such as ISO 27001 and SOC 1, 2 and 3.

•       All data is always stored exclusively within the EU.

•       We have multiple levels of backup processes to minimise data loss in case of an attack or system failure.

•       All backups are encrypted and stored in secure cloud locations within the EU.

•       All traffic to and from our data servers is conducted over HTTPS and is thus encrypted.

•       Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.

•       N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.

Application Level Security

•       Swifteq account passwords are hashed. Our own staff cannot even view them. If you lose your password, it cannot be retrieved - it must be reset.

•       All login pages (from our website and mobile website) pass data via TLS.

•       All Swifteq applications are encrypted with TLS.

•       We utilise Auth0 for login and session management functionality and thus benefit from their extensive security measures.

•       Depending on the app or service used, where possible, we minimise the amount of personal data we collect from our customers’ users.

•       Where possible, we rely on well-established open source software to avoid any potential for malware.

Internal IT Security
The Swifteq office is secured by keycard access.
We mandate the use of secure passwords across all third-party software used by the Swifteq team. Additionally, where offered, we employ two-factor authentication.
We perform security audits on any third-party software in use by the Swifteq team.

We mandate full disk encryption and the latest versions of anti-virus and firewall software on every computer used by the Swifteq team to access clients’ data.

We protect every computer in use within Swifteq with a secure password and additional security measures where possible.

Every employee undergoes regular information security training to understand the importance of protecting customer data.

Other important measures

We undertake an analysis of the risks presented by our processing of personal data, and use this to assess the appropriate level of security we need to put in place.
When deciding on the security measures to be taken, we take account of the state of the art and costs of implementation of those measures.
We maintain written information security policies and procedures pertaining to data protection and incident management. We follow the latest developments in the field of data protection and update our policies and procedures accordingly.

We have an incident management process for security events that may affect the confidentiality, integrity, or availability of our systems or data that includes a response time under which Swifteq will contact its customers upon verification of a security incident that affects the Service Data. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. The incident response program includes 24×7 centralized monitoring systems and on-call staffing to respond to service incidents.
We maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality and integrity of the Service Data. These safeguards include encryption of the Service Data in transmission (using TLS or similar technologies) over the internet, except for any third-party services that do not support encryption, which you may link to through the Services at your election.
We regularly test and review our measures to ensure they remain effective.
We ensure that any data processor we use also implements appropriate technical and organisational measures to protect the Service Data. Such measures include, without limitation:
-    Physical Access Controls. Third-party service providers take reasonable measures, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is Processed.
-    System Access Controls. Third-party service providers take reasonable measures to prevent data processing systems from being used without authorization. These controls vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
-    Data Access Controls. Third-party service providers take reasonable measures to provide that the Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access the Service Data only have access to the Service Data to which they have privilege of access; and, that the Service Data cannot be read, copied, modified or removed without authorization in the course of Processing.
-    Transmission Controls. Third-party service providers take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of the Service Data by means of data transmission facilities is envisaged so the Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
-    Input Controls. Third-party service providers take reasonable measures designed to ensure that it is possible to check and establish whether and by whom the Service Data has been entered into data processing systems, modified or removed; and, any transfer of the Service Data to a third-party service provider is made via a secure transmission.
-    Data Protection. Third-party service providers take reasonable measures designed to ensure that the Service Data is secured to protect against accidental destruction or loss.
-    Logical Separation. Third-party service providers logically segregate the Service Data from the data of other parties on their systems to ensure that the Service Data may be Processed separately.
We have and maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. This program is and will be reviewed on a regular basis to provide for continued effectiveness and accuracy. We have, and will maintain, a full-time information security team responsible for monitoring and reviewing security infrastructure for Our networks, systems and services, responding to security incidents, and developing and delivering training to Our employees in compliance with Our security policies.
We restrict administrative access to Customer production systems to operational personnel. We require such personnel to have unique IDs and associated cryptographic keys. These keys are used to authenticate and identify each person’s activities on Our systems, including access to Service Data. Upon hire, our operational personnel are assigned unique keys. Upon termination, these keys are revoked. Access rights and levels are based on our employees’ job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities.
Our security team utilizes industry standard utilities to provide defense against known common unauthorized network activity, monitors security advisory lists for vulnerabilities, and undertakes regular external vulnerability audits.