Comment: Published by Scroll Versions from this space and version 1.3

...

The premises are equipped with an alarm system. The system detects door movement and motion in corridors. If an alarm goes off, the system alerts the security company, and security personnel will come and check the situation within a few minutes.

When a visitor arrives at the premises, a host lets the visitor in and accompanies the visitor throughout the visit. Visitor meetings are organized in a specific meeting room. Visitors are not allowed in areas reserved for software development or system operations.

...

At the operating system level, servers and firewall settings are managed by Frosmo. Security updates are deployed constantly to keep all servers up to date with the latest security updates for data and access rights. The updates are deployed under the supervision of the Frosmo Chief Technology Officer (CTO).

The agreement with the hosting partners does not include access to operations related to Frosmo customer data. Frosmo personnel are solely responsible for managing all data collected by the Frosmo platform.

...

Customer data is always stored in such a way that the data of one customer cannot be mixed with the data of another customer.

The Frosmo System Administrator is responsible for all system updates. All modifications to Frosmo products in the production environment are controlled by the CTO. All software modifications can be tracked in change logs and the version control system.

Team members working for a specific customer can be disclosed to the customer on request. A team rarely works with multiple customers in the same market sector. Customers can request a background check on Frosmo employees. In addition, comprehensive audits can be carried out either by the customer or by a third party on request.

The Frosmo production servers can only be accessed (administrative access) by using public key authentication. Public keys are provisioned to trusted Frosmo employees when needed for the required access levels. All granted keys are recorded by the System Administrator and deployed to servers using an automatic deployment process that adds, removes, and updates keys on the production servers. All generated keys must follow the documented security guidelines and are always personal and protected by a passphrase known only to the key owner.

...

Critical system passwords are renewed on a regular basis.

Disaster recovery and business continuity

In case of a natural or human-made disaster, or a critical software or hardware failure, Frosmo ensures recovery and continuation of service through, for example:

  • Cloud computing. Frosmo uses Amazon Web Services (AWS), Atlassian Confluence, and G Suite, each a trusted cloud computing platform, for storing and/or serving data.
  • Data replication. To ensure the availability of data, Frosmo replicates operational data to backup servers in multiple physical locations.

The Frosmo headquarters is located in one of the most politically, socioeconomically, and infrastructurally stable countries in the world, Finland. The region is also one of the safest from natural disasters. Disruptions of service due to natural or human-made disasters are thus highly unlikely.

Personnel security

The Frosmo work contract contains non-compete, confidentiality, and non-disclosure clauses. Additional non-disclosure agreements can be created for specific customers on request.

All new Frosmo employees are informed about physical and data security. This introduction is repeated at supervisors' discretion. The requirements and conditions for each customer are always discussed within the team when a new customer project starts.

Frosmo employees are encouraged to observe and report to their supervisors all issues (on any level of operations) that are likely to compromise customer data security.

...

In addition, the Frosmo Control Panel triggers a warning if an account is accessed from multiple computers, and allows the user to close redundant connections. Too many failed login attempts trigger a failure mode, which forces additional authentication checks for subsequent login attempts and notifies the Frosmo System Administrator.

The Frosmo platform can force all content that is provided through the Frosmo JavaScript library to the customer website to load resources only from specified domains. When this feature is enabled, the Frosmo platform validates all modification content before it is saved to the Frosmo back end. If the content contains elements that could be used to load or inject resources from non-authorized domains, the content is rejected.
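
The domain restriction described above can be illustrated with a pre-save check like the following, which is an added example and not Frosmo's implementation. It parses the content, collects URL-bearing attributes, and reports every URL whose host is outside the allowed domains, including protocol-relative, backslash, and lookalike-suffix forms. The attribute list, the function names, and the sample domains are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Resource-loading attributes (assumed for this example, not exhaustive).
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster"}

SAMPLE = (  # constructed content: two acceptable URLs, four that must fail
    '<img src="https://cdn.example.com/a.png"><a href="/local">ok</a>'
    '<script src="//evil.test/x.js"></script><a href="javascript:void(0)">y</a>'
    r'<img src="https:\\evil.test/p.png">'
    '<img src="https://cdn.example.com.evil.test/b.png">'
)


class UrlCollector(HTMLParser):
    """Collects (tag, attribute, url) for each resource-loading attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, name, value))


def host_allowed(host, allowed):
    """Exact match or true subdomain, so 'cdn.example.com.evil.test' fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def validate_content(html, allowed_domains):
    """Return the violations found; an empty list means the content passes."""
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    violations = []
    for tag, attr, url in collector.found:
        try:  # browsers read "\" as "/" in URLs, so normalize before parsing
            parts = urlsplit(url.strip().replace("\\", "/"))
        except ValueError:
            violations.append((tag, attr, url, "unparseable URL"))
            continue
        if parts.scheme and parts.scheme not in ("http", "https"):
            violations.append((tag, attr, url, "scheme not allowed"))
        elif parts.hostname and not host_allowed(parts.hostname, allowed_domains):
            violations.append((tag, attr, url, "domain not authorized"))
    return violations
```

Inline scripts, event-handler attributes, and CSS `url()` references can also load resources and are outside what this example inspects.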