Introduction Concepteurs
Vision
1. System Overview
1.1. Cloud deployment model
1.2. Cloud service model
1.3. Store customer data physically
1.4. Jurisdiction
1.5. Accessibility cloud solution
2. Security Administration
2.1. Security Policies
2.2 Security Awareness
2.3 Auditing and Monitoring
2.4. Security Incidents Detection and Handling
2.5 Identity and Access Management employees
2.6 Identity and Access Management customers
2.7.Encryption
2.8 Identity and Access Management offered to the cloud customer
2.9 Asset Management
3 Logical Security
3.1 System Security procedures
3.2 Application Security procedures
3.3 Network Security procedures
4. Operational Security
4.1. Antivirus Mechanisms
4.2. Backup and Recovery
4.3 Software Assurance
5 Data and Service Portability
5.1 Data Ownership
5.2 Data and Service Portability
6 Third-Party Organization Security (Subcontractors)
7. Physical Security
7.1 Environmental Controls
7.2 Data Centre Controls
8. Business Continuity Management
9. Privacy
10. Termination of services / End of contract
Introduction Concepteurs
Let’s first introduce ourselves: we are Concepteurs. Concepteurs BV is the owner of SitePodium and of all Whitelabel Applications derived from it. Concepteurs is a product development and sales organization.
Vision
Privacy is our top priority. Long before the EU made plans for stricter legislation on personal data (the GDPR), we made privacy a spearhead. Since version 1.0 in 2013, SitePodium has been a social medium that is accessible to everyone. We have been developing this platform for 7 years now without losing sight of our main pillars:
- no log-in
- not obliged to leave a name
- only necessary information needed for downloading the app
We use the information we collect (including GPS data) only for the proper functioning of the App; we do not use it for commercial purposes. Our revenue model is simple: clients or contractors in Construction & Infrastructure purchase a subscription from us. Only Concepteurs and its clients have access to the data; it is not accessible to any third party.
Security is also well organized. We employ developers who can quickly resolve potential issues (e.g. a data breach); fortunately, we have never experienced one. Below we describe our working method for privacy and security, to show that we do everything we can to avoid such issues in the future.
1. System Overview
1.1. Cloud deployment model
All applications that Concepteurs deploys and maintains are hosted on the Microsoft Azure cloud platform. Scalable infrastructure platforms such as Kubernetes, combined with managed databases from Microsoft Azure, provide a stable and flexible platform. Each project has its own namespace within the cluster, containing the deployments of that project. Data is not shared between namespaces. (A Kubernetes namespace scopes resources and RBAC; network traffic between namespaces is only blocked where network policies are enforced, so the separation also depends on the network controls in place.)
1.2. Cloud service model
At the time of writing, most Concepteurs customers run on the Microsoft Azure infrastructure platform. All customers are separated by the namespaces described in the previous section. This applies to webserver deployments as well as to database deployments. Most projects have several application environments (test, staging and production), each with its own purpose.
1.3. Store customer data physically
Because Concepteurs uses the Microsoft Azure cloud platform, all data is stored in Microsoft's data centres. Specifically, the data is stored in the West Europe region, located in the Netherlands. Microsoft does not disclose the exact physical location.
1.4. Jurisdiction
Concepteurs is fully located in the Netherlands and is bound by Dutch jurisdiction.
1.5. Accessibility cloud solution
All the applications that Concepteurs builds and maintains are accessible from every country.
2. Security Administration
2.1. Security Policies
Concepteurs has information security policies and procedures in place to ensure security.
2.2 Security Awareness
Every employee of Concepteurs must complete several information security courses on a web platform, each ending with a test that has to be passed.
2.3 Auditing and Monitoring
For infrastructure monitoring, Concepteurs relies mostly on the Microsoft Azure platform, which monitors the physical state of servers and hardware; this information is available via the Microsoft Azure status page. In addition, all applications are checked for availability every minute; if an application appears to be offline, the people responsible are notified automatically. There is also error monitoring: all errors of Concepteurs applications are collected automatically, which allows quick and reliable detection.
Concepteurs server system logs include (but are not limited to) the following:
- Application specific exceptions and context
- Webserver failure information
- URLs that were accessed
- Application state information
Customers cannot track system events and associated information (i.e. user ID, date, time, information accessed, associated terminal/port/network).
Login failures of regular and administrative customer users are logged. After 5 failed login attempts, the user account is blocked for 30 minutes.
Concepteurs protects system logs against unauthorized access: not every employee has the access level required to view them. Only a small subset of Concepteurs employees have access to the deployment services, and only from there can the logs be accessed. Administrative access to the underlying network and storage technologies is restricted to as small a group of personnel as possible, so for most system administrators access to customer data is limited to the customers they work with. Concepteurs also maintains a centralised repository of user details and account information; access to that information is restricted on a highly granular basis, and all access and authorisation is controlled and logged. Concepteurs uses a detection system for malicious network traffic; malicious traffic is blocked.
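The lockout rule above (5 failures, 30-minute block, failures logged) is easy to get subtly wrong: the block must be checked before the password, so that a correct guess during the window is still refused, and a successful login must reset the counter. The block below is example code added to this page to illustrate that rule; it is not SitePodium's implementation. The account names, the injectable clock and the in-memory audit log are assumptions made for the example.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5            # failed attempts allowed before the account is blocked
LOCKOUT_SECONDS = 30 * 60   # how long the block lasts


class LoginGuard:
    """Per-account lockout: after MAX_FAILURES consecutive failures the account is
    blocked for LOCKOUT_SECONDS, during which even a correct password is rejected."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable clock (assumption made for testing)
        self._failures = defaultdict(int)      # consecutive failures per account
        self._locked_until = {}                # account -> unix time when the block expires
        self.audit_log = []                    # (timestamp, event, account); stands in for central logging

    def _log(self, event, account):
        self.audit_log.append((int(self._clock()), event, account))

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:             # block expired: clear it and start fresh
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account, password_ok):
        """Return True if the login is accepted. password_ok is the outcome of the
        credential check performed elsewhere; it is ignored while the account is blocked."""
        if self.is_locked(account):
            self._log("login_rejected_locked", account)
            return False
        if password_ok:
            self._failures[account] = 0        # a success resets the counter
            self._log("login_success", account)
            return True
        self._failures[account] += 1
        self._log("login_failure", account)
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures[account] = 0
            self._log("account_locked", account)
        return False


def demo():
    """Constructed scenario: five wrong passwords, a correct one while blocked,
    then a correct one after the block expires. Returns the accept/reject sequence."""
    now = [1_700_000_000.0]
    guard = LoginGuard(clock=lambda: now[0])
    results = [guard.attempt("alice", False) for _ in range(MAX_FAILURES)]
    results.append(guard.attempt("alice", True))      # correct password, but blocked
    now[0] += LOCKOUT_SECONDS
    results.append(guard.attempt("alice", True))      # block expired
    return results


if __name__ == "__main__":
    print(demo())   # [False, False, False, False, False, False, True]
```

Two points worth noting for the operator: every outcome, including rejections during the block, is written to the audit log so that a brute-force run is visible even though it never succeeds; and because the counter is keyed on the account name, anyone who knows a username can lock that user out for 30 minutes, so this control is normally paired with per-source rate limiting and alerting rather than used alone.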
2.4. Security Incidents Detection and Handling
Concepteurs uses an automated Intrusion Detection System (IDS) that covers the full network of the main office in Almelo, the Netherlands. Its output is analysed daily.
The IDS emails the system administrator, also outside business hours. Administrators can also classify an event as a security incident after analysing the output.
Concepteurs keeps a Security Incidents Register. A policy is in place that describes how to report an incident, how incidents are classified, and how to act depending on the classification.
Depending on the classification of the incident, the appropriate actions are set in motion. Incidents with the highest classification must be reported immediately to the parent organization Volker Wessels, which decides whether the incident has to be reported to the authorities. In all cases the administrator is informed and the incident is recorded in the Security Incidents Register. Security incidents are reported to impacted customers as soon as practicable, in line with the Concepteurs Report Security Incidents Policy.
Concepteurs will work with customers to provide customer-specific security breach data. Data is handed over only after the identity of the recipient has been verified.
2.5 Identity and Access Management employees
Some Concepteurs employees have system-wide privileges for the entire cloud system and can modify any cloud system, but only after switching to a particular project. These employees are authenticated against the Concepteurs user directory over LDAPS; the directory is managed by the Concepteurs Infrastructure Team. For an account to gain this level of access, it must be enabled by the Concepteurs Infrastructure Team AND authorised by Concepteurs IT Management.
Critical decisions about Concepteurs applications are authorised by the Concepteurs technical director together with the lead of the team responsible for the specific cloud application. Changes that impact the entire cloud system are discussed between all team leads. Because of the size of the Concepteurs team, some personnel hold multiple high-privilege roles. To mitigate this risk, all changes are logged and reviewed by a wide range of system administrators.
As per the Concepteurs Information Security Policy, Concepteurs uses role-based access control (RBAC). The principle of least privilege is followed, although Concepteurs acknowledges limitations in the segregation of duties it has been able to implement so far (see above).
Concepteurs has a process for de-provisioning credentials. For Concepteurs administrator credentials, the employment termination process includes steps to remove the employee from the Concepteurs user directory, which removes their access to Concepteurs centralised systems. For Concepteurs Hosting staff, the Concepteurs Hosting Manager takes additional steps to remove the system-specific access that is provided separately to Hosting team members. The process for de-provisioning user accounts within a Concepteurs system instance is defined per customer as part of the implementation project and is usually managed by the customer.
2.6 Identity and Access Management customers
Administrator roles can be given to customers to allow them to create/modify/delete accounts within their Concepteurs web application instance. Note that this access does not provide any avenue for access to or modification of any other customer’s information or services, or to the underlying hosting environment.
User accounts on the Concepteurs system are requested and authorised by authorised customer contacts. If the system is integrated with external authentication services, then account creation and management within that external system is the responsibility of the client.
A minimum password length is enforced for the Concepteurs web applications. Credentials and keys are stored in a company-wide key vault, but users and employees can only access the entries they are allowed to see; all keys are stored in the key vault of the cloud system. If a key may have been compromised, the person responsible is notified and a new key is generated.
2.7.Encryption
The virtual machines that run Concepteurs applications are not encrypted, but the data is. For databases, Concepteurs uses Microsoft Azure encryption at rest, meaning that stored data is encrypted automatically by the platform.
Concepteurs enforces HTTPS on all applications, so all web pages are encrypted in transit.
For the database encryption at rest, Microsoft Azure holds the keys for decryption, which are stored in Azure Key Vault. For HTTPS, session keys are negotiated in the TLS handshake per session (not per individual request); they are known only to the client browser and to the Concepteurs server.
For the availability of encryption and decryption keys, Concepteurs relies on the Microsoft Azure platform and on LastPass. If key material becomes unavailable, Concepteurs can escalate the issue as high priority with the relevant external provider.
The Information Security Management System defines a policy on which information must be encrypted and which need not be. The management system is written in Dutch; a copy can be sent upon request.
2.8 Identity and Access Management offered to the cloud customer
Users in Concepteurs applications, and SitePodium in particular, have several roles:
- View only: For customers who can only see data
- Edit: For customers who can edit data for specific projects
- Manager: For customers who can edit data for all projects of one client. They can also give permissions to other employees of the same client.
- Administrator: employees of the product owner of SitePodium (Concepteurs) who work on SitePodium.
Customers do not have access to the Admin panel or to projects of other clients. Access to the SitePodium admin panel is granted to very few people.
Admin users (owners of SitePodium) can change the access level of users. Users with edit rights on a project can grant other users access to that specific project.
2.9 Asset Management
Assets are classified by sensitivity and criticality. Concepteurs uses the DTAP strategy (Development, Testing, Acceptance, Production) to segregate systems. The Development, Testing and Acceptance stages use anonymised test data. Where a single customer has multiple systems hosted with Concepteurs that require different data classification levels, those systems are segregated in the same way that different customers are segregated.
3 Logical Security
3.1 System Security procedures
When system security changes in any of the following areas, the Concepteurs management team decides how to handle the change:
- Information security
- Privacy
- Method of processing (special) personal data
For a major project change, a plan is added to the proposal.
Developers do not have access to production systems and data unless they hold administrator rights on the production hosting systems; there are no other conditions under which developers are granted production access.
The user database is reviewed for appropriateness of access to confidential information whenever employees are added, removed or change roles within the organisation, and additionally on a periodic basis (quarterly, depending on the system under review).
The Technical Manager authorizes the access to systems that contain Customer information. The Technical & Functional Administrator executes granting the access.
3.2 Application Security procedures
Concepteurs has a formal, documented security administration process to ensure that all application access is approved: access to applications must be formally requested and can only be granted after approval.
The centralized security administration function facilitates periodic reviews of user access by business unit management to ensure that access remains commensurate with job responsibilities over time. These reviews are mostly executed by the Technical & Functional Administrator.
The Technical & Functional Administrator reviews direct data access (i.e. Database Administrator access) every 3 months to ensure that access remains commensurate with job responsibilities.
User IDs and passwords are personal and are not shared. Only administrators know the administrator passwords. Administrators can log in as a project user (another user) without that user's password.
Customer data can only be accessed by that customer's users. The assurance for the correct control of customer data rests on the documented information segregation procedures and policies that Concepteurs applies.
3.3 Network Security procedures
Concepteurs keeps an up-to-date diagram of the network that contains customer systems; the Azure network topology view generates these diagrams in real time.
All user data in databases on the Microsoft Azure platform is protected with IP whitelisting (in addition to strong username and password combinations). The network of the main office in Almelo, the Netherlands, is protected with a network-wide firewall and an intrusion detection system.
Our firewalls are tailored to permit the least possible amount of traffic.
Our firewall rules are reviewed for appropriateness on a regular basis, at least with every update of the router software, which happens at least 4 times a year.
Concepteurs monitors potential security threats to the internal network with an intrusion detection system. The system warns the administrator of any suspicious actions, and its output is reviewed almost daily.
Remote access is available to all employees but is controlled by a central authentication system (a RADIUS server). Even after remote access is granted, users must still authenticate to individual systems.
The network on which customer information resides is segregated from the network our employees are connected to: it is a separate network hosted on the Microsoft Azure cloud platform.
All wireless access points are located behind stateful firewalls. A separate guest network has been created from which guests cannot access internal resources.
4. Operational Security
4.1. Antivirus Mechanisms
All servers and workstations use an antivirus solution. Signatures and engines are updated as soon as updates are available and proven stable.
4.2. Backup and Recovery
Differential database backups are made about every 12 hours by the Microsoft Azure platform, and a full backup is made every week. All hosting-related files are backed up once a week, which allows quick redeployment of servers and applications.
Backups are stored at Microsoft Azure in the West Europe region. Database backups are encrypted.
4.3 Software Assurance
All code for Concepteurs applications (SitePodium and white labels) is written by Concepteurs. Before deployment, each application is checked against a security checklist that is continuously updated based on pen test results from projects within the company. External dependencies are also checked for known vulnerabilities.
We validate all new releases to make sure they are fit for purpose and do not introduce risks. Most projects built by Concepteurs contain functional and/or unit tests to validate a working system. After a developer has built a feature or written any other code, the code must always be reviewed by at least one fellow developer to prevent bugs or security issues.
Concepteurs follows industry best practice for avoiding web vulnerabilities to keep the applications safe, including (but not limited to):
- SQL abstraction via an object manager to prevent SQL injection attacks
- No direct command line access to prevent command injection
- Automatic stripping of HTML to prevent XSS attacks
- Security checklist upon deployment
- Pen testing of applications
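As an added illustration of the first and third items in the list above (this is example code written for this page, not Concepteurs' or SitePodium's code; the table contents and the attack strings are constructed), the block below contrasts a string-built query with the parameterised query an object manager issues underneath, and shows why "stripping HTML" is the weaker half of XSS defence: a single-pass blacklist strip is bypassed by nesting, whereas contextual output encoding with html.escape neutralises the markup. It also covers the link-attribute case, where encoding alone does not stop a javascript: URL and the scheme has to be validated. The function names are assumptions made for the example.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse


# --- SQL injection: string-built query versus parameterised query --------------

def make_db():
    """Constructed in-memory sample table standing in for a project table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT, client TEXT)")
    conn.executemany(
        "INSERT INTO project (name, client) VALUES (?, ?)",
        [("Bridge A12", "client-1"), ("Tunnel N35", "client-2"), ("Station Hengelo", "client-2")],
    )
    return conn


def projects_for_client_unsafe(conn, client):
    # Vulnerable on purpose: the caller-supplied value becomes part of the SQL text.
    sql = f"SELECT name FROM project WHERE client = '{client}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def projects_for_client_safe(conn, client):
    # Parameterised: the value travels separately from the SQL text, which is
    # what an ORM / object manager does for every query it builds.
    rows = conn.execute("SELECT name FROM project WHERE client = ? ORDER BY id", (client,))
    return [row[0] for row in rows]


# --- XSS: tag stripping versus contextual output encoding ------------------------

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def strip_script_tags(text):
    """Naive single-pass blacklist strip, kept only to show how it is bypassed."""
    return SCRIPT_TAG.sub("", text)


def escape_for_html_text(text):
    """Contextual output encoding for an HTML text node or a quoted attribute value."""
    return html.escape(text, quote=True)


def safe_href(url):
    """Attribute context for links: encoding does not neutralise a javascript: URL,
    so the scheme is validated and anything else is replaced by a harmless '#'."""
    url = url.strip()
    parsed = urlparse(url)                      # urlparse lower-cases the scheme
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return "#"


if __name__ == "__main__":
    db = make_db()
    print(projects_for_client_unsafe(db, "x' OR '1'='1"))   # every project, all clients
    print(projects_for_client_safe(db, "x' OR '1'='1"))     # []
    print(strip_script_tags("<scr<script>ipt>alert(1)</scr</script>ipt>"))  # <script>alert(1)</script>
    print(escape_for_html_text("<script>alert(1)</script>"))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

The design point: stripping is a sanitisation step applied to input, and it has to anticipate every encoding and nesting trick; encoding is applied at output, per context (text node, attribute, URL, JavaScript), and makes no assumptions about what the input contains. A checklist item "strip HTML" is therefore best read as an addition to output encoding in the templates, not a replacement for it.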
5 Data and Service Portability
5.1 Data Ownership
All data in the cloud, other than Concepteurs' proprietary underlying cloud system and technologies, remains the property of the Customer. This includes, but is not limited to, any information that results from processing Customer data on the cloud system, customer-specific log files, customer-specific access credentials, and any inputs and outputs of the customer's cloud system.
5.2 Data and Service Portability
A subset of the data can be exported from the SitePodium applications via the web interface. If more data is requested, Concepteurs can provide it manually. Data is exported as a spreadsheet file (Excel or comma-separated).
Data can be moved to another cloud: as long as the other cloud provider meets the security standards set by Concepteurs, the application should be able to run on a different platform, because the code is not tied to a specific platform.
Beyond the export available in the web interface, the client cannot perform their own data extraction; a full extraction can only be performed by Concepteurs.
6 Third-Party Organization Security (Subcontractors)
Most of the cloud infrastructure of Concepteurs is outsourced to Microsoft Azure:
- Hosting infrastructure (Kubernetes on Azure Kubernetes Service)
- Database (Microsoft Azure Databases)
- Large file storage (Microsoft Azure Blob Storage)
Microsoft Azure is ISO27001 compliant and certified. Source: https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001?view=o365-worldwide
7. Physical Security
7.1 Environmental Controls
The Microsoft Azure data centres we use are Tier IV (4) facilities.
The Microsoft Azure data centre provides fire suppression and in-region backup to protect the systems that store Customer information.
7.2 Data Centre Controls
The Microsoft Azure data centre provides:
- Access request and approval
- Physical security reviews
- Handling of data-bearing devices
- Equipment disposal
Only employees authorized by Microsoft have access to the physical location of the data. Access is monitored by security officers, and biometric authentication is required to move through the data centre.
Authorizations for the Microsoft Azure data centre are valid only for a short period and expire afterwards.
More information about access to data centres can be found on: https://docs.microsoft.com/nl-nl/azure/security/fundamentals/physical-security
8. Business Continuity Management
Concepteurs maintains a documented method that details the impact of a disruption. A service page shows which services are impacted and in which parts of the world.
In case of a disruption, Concepteurs will communicate with customers and end-users as soon as possible. Depending on the disruption, we use channels such as email, websites and the application itself.
Many failover operations are automatic, and service restoration is then carried out simultaneously for all customers. For manual failover operations (such as promoting a secondary site to primary), the order in which customers are recovered has not been defined and is at the discretion of Concepteurs and the Concepteurs Hosting Manager; in that case priorities are set in an issue list by Concepteurs.
9. Privacy
All data is stored in West Europe and is subject to the EU GDPR (which is comparable to, and in some respects stricter than, Australian and North American laws and regulations).
We notify Customers and End-users about the personal information that will be collected. The privacy policy is shown when end-users download SitePodium. It clearly states that Concepteurs collects personal information only for the official conduct of business and will not use private or personally identifiable information for any purpose other than providing the service to the customer.
Our Privacy policy is available at https://www.sitepodium.com/privacy-policy/
10. Termination of services / End of contract
Upon contract termination, Concepteurs can retrieve all the data from backups and hand it over to the Customer. Timeframes and method are agreed mutually.
All customer data is securely destroyed upon termination of the contract. All data is stored on the Azure platform; when customers delete data or leave Azure, Microsoft follows strict standards for overwriting storage resources before reuse, as well as for the physical destruction of decommissioned hardware, and executes a complete deletion of data on customer request and on contract termination. Where data is stored on local disks, all customer data is securely wiped using a 7-times overwrite process, and decommissioned hard disks are additionally degaussed before disposal. Where data is stored on SSDs, vendor-specific secure erasure procedures are used, with a minimum of 7 overwrites guaranteed for all customer data. Concepteurs does not anonymise and retain your data: all customer data is deleted. Concepteurs destroys all customer data after verifying with the customer that it can be destroyed, and no later than 1 month after contract termination, unless the customer decides otherwise.
In case of bankruptcy of the cloud provider, the Customer will be enabled to transfer information off the provider's servers.
If the cloud provider is acquired by another company, Concepteurs will investigate whether the new owner delivers the same or better service and security as the previous owner. If not, Concepteurs will look for an alternative provider that meets the appropriate standards.