Trust Center Security
At Aquarius Soft, we implement robust security measures to protect our networks, data exchanges, software development, and communications. By following industry best practices, we ensure top-level security for our clients and stakeholders.
Network Security
Our networks are vital for business operations, connecting internal systems with external entities. To safeguard against data loss and disruptions, we implement strong security practices in design, operation, and management. The design includes leveraging the AWS Firewall in our infrastructure and securing our backups using 256-bit AES encryption. These practices apply to all users, including employees, suppliers, and third parties, and also govern the networks used in cloud services for customers.
Secure Information Exchange and Communications
Information exchanges and communication practices are enforced to maintain information security for all parties, adhering to security measures to ensure confidentiality, integrity, and availability of the information. Communications through our network are secured using TLS 2.0 or higher, which provides strong encryption to ensure data confidentiality and integrity during transmission. All direct connections to our internal infrastructures are done via secure VPN. Focusing on these practices helps mitigate potential threats further. This applies to all users, regardless of access method or location.
Information Security Governance
Controls on classified information access and sharing among internal and/or external parties are enforced with strict protocols, including NDAs, to ensure all parties understand their responsibility to protect this data. Our standards are based on early adoption of ISO 27001 practices, which provide a framework for managing information security and help ensure confidentiality, integrity, and availability of data.
Secure Design and Development
At Aquarius Soft, security is embedded in every stage of our software development lifecycle. We adopt a DevSecOps approach, integrating security practices seamlessly with our agile methodologies to minimize vulnerabilities before deployment. Our processes include:
- Code Reviews: Regular peer reviews to identify and address potential security flaws.
- Third-Party Security Screening: Utilizing tools like Mozilla Observatory, known for its thorough analysis of HTTP, TLS, and SSH security, to perform security scans during development.
- Vulnerability Testing: Conducting regular assessments to evaluate the resilience of our applications against attacks.
- Continuous Monitoring: Implementing real-time monitoring to detect and respond to security threats promptly.
Before any live deployment, we ensure that all security and operational measures meet our stringent project criteria, guaranteeing a secure and reliable product for our clients.
Software Policy
At Aquarius Soft, we have a strict policy that regulates the acquisition, installation, and use of software within the organization to ensure that only screened and approved software is used. This minimizes exposure to potentially malicious or untrusted software. In addition to validating that the software is from a trusted source, we perform pre-screening: new software is installed on one server and scanned for viruses and memory leaks before it is deployed to all other servers. Servers are updated to the latest security patches twice a year.
Business Continuity
A key principle of our company is to ensure trust for our users. Business continuity is key to establishing and maintaining this trust. We maintain and carry out detailed plans for business continuity in case of major disruptions affecting IT systems, staff, or operations, outlining recovery actions and procedures to resume business efficiently. This plan emphasizes practical decision-making during incidents, periodic updates of contact information, and adherence to data protection laws.
Availability Management
Platform availability works hand in hand with business continuity. We ensure the continuous availability of critical IT systems by setting availability targets, assessing risks, and measuring performance. Our goal is to minimize system downtime through redundancy and proactive management, reducing business impact.
The following targets are used to ensure system redundancy and minimize downtime:
- Server backups are done daily with regular checks to ensure the backups are valid and readily available.
- Rebuilding of servers from backups can be done within a day.
- Our hardware infrastructure maintains an uptime of 99.9%, excluding scheduled maintenance periods. This is achieved through active monitoring and AWS commitment.
Change Management
We maintain a structured process for managing changes to IT services, ensuring all changes are recorded, evaluated, and implemented in a controlled manner to minimize risk and impact.
Technical Vulnerability Management
We take a proactive defensive approach, performing regular scans for vulnerabilities that malware could exploit and preventing common security threats, including phishing and hacking. This guarantees thorough vulnerability assessments of our platform and services. Vulnerability assessments based on Open Web Application Security Project (OWASP) threat indicators are performed annually.
Intrusion Detection System (IDS) and Security Information and Event Management (SIEM)
Aquarius Soft believes in both pre-deployment and active deployment screenings. We run a system-wide IDS and SIEM monitor for all internal and external servers in our infrastructure to detect unauthorized access, security anomalies, and potential security threats. These systems support our incident response process.
Backup Policy
Regular backups of data and system images are performed daily to minimize data loss due to unforeseen incidents. This ensures data integrity and availability, quick recovery, and reduced risk and legal exposure. Daily backups of the main database and user data are stored on our servers (excluding user-generated content stored in redundant AWS S3 cloud storage). All backups are also stored in S3 for 180 days.
Last Updated: 16 October 2024