Annex 2: Security Measures

Notes

This is a part of our Data Processing Agreement (DPA).

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

This Annex forms part of the DPA. Holistics currently observes the security practices described in this Annex 2.

Notwithstanding any provision to the contrary otherwise agreed to by Customer, Holistics may modify or update these practices at its discretion, provided that such modification or update does not result in a material degradation of the protection offered by these practices.

All capitalized terms not otherwise defined herein shall have the meanings as set forth in the Holistics Terms of Service (Terms) stated at https://www.holistics.io/terms/.

a) Access Control

i) Preventing Unauthorized Product Access

Outsourced processing: Holistics hosts its Service with Digital Ocean, a data center provider based in Germany, the United States, and Singapore. Additionally, Holistics maintains contractual relationships with vendors in order to provide the Service. Holistics relies on contractual agreements, privacy policies, and vendor compliance programs in order to assure the protection of data processed or stored by these vendors.

Physical and environmental security: Our servers for the Subscription Service are hosted with Digital Ocean and Amazon Web Services. Our data centres are based in the United States, Germany, and Singapore.

Authentication: Customers who interact with Holistics software must authenticate before accessing non-public customer data.

Authorization: Customer data is stored in multi-tenant storage systems that Customers can reach only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure.

The authorization model in each of Holistics' products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user's permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Holistics allows the customer to expose public product APIs using an API key.

ii) Preventing Unauthorized Product Use

Holistics implements industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure.

Static code analysis: Security reviews of code stored in Holistics' source code repositories are performed, checking for coding best practices and identifiable software flaws.

Responsible Disclosure: A Responsible Disclosure program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. This widens the available opportunities to engage with the security community and improve the product defenses against sophisticated attacks.

iii) Limitations of Privilege & Authorization Requirements

Internal Data Access by personnel:

Access to the infrastructure is restricted to authorized personnel on the principle of least privilege.

SSH users use unique accounts to access production machines. Furthermore, the root account is not used.

Access to sensitive systems and applications requires two-factor authentication in the form of user ID, password, OTP and/or certificate.

Holistics has established formal guidelines for passwords to govern the management and use of authentication mechanisms. All access is logged, and removed when appropriate.

Access to the corporate network, production machines, network devices, and support tools requires a unique ID.

b) Transmission Control

In-transit:

Holistics ensures that all connections to its web application from its users are encrypted.

Holistics uses configurations, including firewalls, that ensure only approved networking ports and protocols are implemented.

Management has implemented tools to log network traffic into a system that allows monitoring and ad hoc queries.

At-rest:

Holistics encrypts Customer's database connection credentials and cached data stored at rest.

Access to sensitive systems and applications requires two-factor authentication in the form of user ID, password, OTP and/or certificate.

Only authorized users with the correct SSH key may gain access to production machines.

c) Input Control

Detection: Holistics designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Holistics personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Holistics maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Holistics will take appropriate steps to minimize product and Customer damage or unauthorized disclosure.

Communication: If Holistics becomes aware of unlawful access to Customer data stored within its products, Holistics will:

  1. Notify the affected Customers of the incident;
  2. Provide a description of the steps Holistics is taking to resolve the incident; and
  3. Provide status updates to the Customer contact, as Holistics deems necessary.

Notification(s) of incidents, if any, will be delivered to one or more of the Customer's contacts in a form Holistics selects, which may include via email or telephone.

d) Data Storage

Unlike most business intelligence software, Holistics Software does not permanently store any physical records of Customer Data. Instead, Holistics generates SQL that directly queries the Customer's database and visualizes the returned records in the browser.

Terminating Customers: Holistics Metadata in active (i.e. primary) databases is purged 180 days after a customer terminates all agreements for such products with Holistics, or upon a customer's written request. Information stored in backups, replicas, and snapshots is not automatically purged, but instead ages out of the system as part of the data lifecycle. Holistics reserves the right to alter data purging periods in order to address technical, compliance, or statutory requirements.

e) Availability Control

Infrastructure availability: The data center providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy for power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure.

Holistics' products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Holistics operations in maintaining and updating the product applications and backend while limiting downtime.

f) Event Logging

Holistics has implemented tools to:

  • collect and store server logs in a central location; the system can be queried in an ad hoc fashion by authorized users.
  • log application state into a system that allows monitoring and ad hoc queries.
  • monitor Holistics Software SQL databases and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
  • monitor Holistics Software load balancers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
  • monitor Holistics Software messaging queues and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
  • log network traffic into a system that allows monitoring and ad hoc queries.
  • monitor Holistics Software servers and notify appropriate personnel of any events or incidents based on predetermined criteria. Incidents are escalated per policy.
  • retain log entries for at least 12 months.

Holistics Software Pte Ltd
Signature:
Name: [redacted]
Designation: [redacted]
Date:

Customer
Signature:
Customer Name:
Designation:
Company:
Date: