Security and reliability
At SwiftComply, we take security very seriously. This includes our hiring processes, how we design and develop the software that powers SwiftComply, and the data center strategies and operations that enable us to deliver industry-leading services. Our combination of security features and regular application audits is the reason why over 450 utilities, including nine of the twenty biggest cities in the USA, trust us to protect their data.
SwiftComply follows the principles according to the standard ISO 31000 "Risk management – Principles and guidelines on implementation".
In broad terms, the process consists of:
- Identification of assets.
- Conduct a threat assessment.
- Conduct a vulnerability assessment.
- Calculate the impact that each threat would have on each asset.
- Identify, select and implement appropriate controls.
- Evaluate the effectiveness of the control measures.
Our head of engineering is in charge of defining and implementing our information security policy and reviewed periodically at least once per year with our CEO.
SwiftComply information security policy includes:
- Instructions on how to store, transmit or share information securely.
- The policies concerning the use of devices, machines, and equipment.
- The policies for making use of the company’s network and wireless network.
- The policies for limiting the usage of sensitive software.
- The policies for monitoring the security.
- The information regarding the authority to block any devices to contain security breaches.
- Information on the implementation of policies which are more cost-effective.
We also rely on Google Cloud Platform (GCP) and adopts security policies defined by GCP: https://cloud.google.com/security/overview
In regards to IT: only those that need access have the ability to connect to the production network. Further, only those that need super user (root or similar) access have the ability to perform those functions.
Logging and analysis is handled via GCP. Other systems or application monitoring is done via various third party monitoring services
IDS is handled via GCP’s internal systems
For non critical data we rely on GCPs cloud storage.
For critical data, along with cloud storage we perform daily database backup and recoveries to ensure the backup viability, and store at least 7 days of backups. Our data is backed by PostgreSQL, an open source object-relational database with more than 30 years in the market.
Changes (bugs and features) are run through product management, then the head of engineering, then assigned to someone to investigate and fix. All commits are run through automated tests before being deployed to production.
Only those that require access to maintain the stability of the system are given access to the production network.
SwiftComply policy establishes the Enterprise Access Control Policy, for managing risks from user account management, access enforcement and monitoring, separation of duties, and remote access through the establishment of an Access Control program. The access control program helps SwiftComply implement security best practices with regard to logical security, account management, and remote access. SwiftComply has chosen to adopt the Access Control principles established in NIST SP 800-53 “Access Control,” Control Family guidelines, as the official policy for this domain.
Modified Agile would be the best description, with continuous delivery
Applications are scanned regularly with OWASP’s ZAP to detect potential weaknesses. These are recorded and investigated to verify if we are in fact susceptible or if it is a false positive.
We review new software updates and system libraries once a month to determine what is needed to be updated and when. We prefer to err on the side of caution with most patches, where unless they fix an exploitable vulnerability, we give the patch time to be applied by others to assess its potential issues.
At least monthly or ad hoc when new severe vulnerabilities are discovered.
SwiftComply has established processes that:
- detect and identify events
- triage and analyze events to determine whether an incident is underway
- respond and recover from an incident
- improve our capabilities for responding to a future incident
SwiftComply’s business continuity plan outlines the potential impact of disaster situations, creates policies to respond to them and helps businesses recover quickly so they can function as usual. The main goal of the BCP is to protect personnel and assets, both during and after an emergency.
The leadership team including the CEO, head of engineering and head of customer reviews the BCP annually, determines any weaknesses and takes the appropriate action.
SwiftComply regulatory compliance is described in our employee handbook which is received, reviewed and acknowledged by each employee. Our controller and counsel worked diligently with our CEO to ensure compliance with Federal, State, and local laws.
Vendor Cloud Questionnaire
Data ownership – Does the contract clearly document City is sole owner of the Data & meta Data used for the Cloud service offered?
Yes – all data belongs to the City.
Where is the data hosted? Are backups of the customer data performed? Please provide frequency of backups, location of backups and any other relevant details.
All data is hosted and processed on Google Cloud Platform (GCP). Our data is backed by PostgreSQL, an open source object-relational database with more than 30 years in the market. Database is backed up daily and our current retention policy is to keep back-ups for a week. All backup files are again managed by GCP.
All uploaded files are versioned by GCP.
Confirm Data will not be used for Data mining etc.
Will the vendor guarantee they will not move City data to another hosting jurisdiction without prior notification?
Confirmed – will need to be added to contract
All uploaded files are versioned by GCP.
Does the vendor use a 3rd party to host data? Who?
All data is hosted by GCP.
Will you delete customer data upon request? Are there any additional costs to delete customer data?
Our application is self-serve, allowing application admin to delete or archive customer data. Additionally, our support team can assist with specific issues.
When a customer contract terminates, how long is customer data retained? Can customers retrieve their data regardless of the cause of termination or expiration of agreement?
Upon termination we will provide a data file with all customer data on the termination date. Customer data will be provided regardless of the reason for termination
What options are available for customers to extract their data and in what format?
Data is available via a REST API that customers can access to retrieve data as needed.
Can customers access their backups or request a restore from backup? Are there any extra costs for this?
We can’t provide or restore a particular backup for a client as backups are general for a multi-tenant system. We can provide a stand-alone system for an additional cost.
For Single Sign On, does the application support the following protocols: a. SAML 2.0 b. WS-Trust/WS-Federations c. OAuth
Single Sign On – SAML 2.0
Do you support two factor or multi-factor authentication? If so, provide details.
How is access granted to administrators and users of the cloud service? What type of strong authentication is used? Is there an administrative interface provided to manage the service? Are only authorized users able to change content?
All access to user data is managed by session authorization, users are required to set up a password (10 character minimum) and use it along with their email to access the application. The system is responsible for authorizing the user to access the data. Sessions expire after 30 days and users are required to re-enter their login details.
First user created is granted admin rights of the account and this user can add or remove new users as well as to grant them admin permissions as well
Only admin users can change the general settings of the account or invite new users.
What auditing capabilities exist? (e.g. Access audit, failed access attempts, audit trails of all activity, etc.). Are audits available to administrators or must they be requested from the vendor.
Application tracks changes done to most records, currently there’s no public access to these changes and should be requested
Users with more than 5 failed attempts to login will be blocked and requested to unlock their account via E-mail.
Do you meet the WCAG 2.0 guidelines?
All data is hosted by GCP.