Security At indema
indema is available to its users as a Software-as-a-Service or SaaS solution. Meaning that an instance of the software (site) is created for each client, and they can access it wherever they are, as long as they have internet access.
The software contains many features in itself, but it also acts as a hub integrating external services such as QuickBooks, and other financial systems, email, reporting suites, Google Calendar, and thousands of other applications available through Zapier. The client controls which other services they connect to.
Having this much data and different access points to it is a lot of responsibility. indema is adamant about data security, and we put a lot of effort into ensuring our users’ data is protected from unwanted parties. Security is controlled on many levels. Within each instance, there are possibilities to grant access rights to different user groups. Permissions for integrating external products or exposing data over the API can be set for each service and are managed by the site’s admin. The software is pen tested annually based on OWASP Application Security Verification Standard. In the case of major feature releases, additional penetration tests are carried out prior to those features being released to users.
indema software is hosted at various AWS data centers.
indema’s back platform (Where you work) is hosted entirely on Amazon Web Services (AWS), providing end-to-end security and privacy features built in. Our team takes additional proactive measures to ensure a secure infrastructure environment. For additional, more specific details regarding AWS security, please refer tohttps://aws.amazon.com/security/.
indema’s front website that is publicly accessible is hosted on Endurance International Group (EIG) web servers on a Virtual Private Server (VPS) with a dedicated IP address.
indema understands the risks related to data security and works proactively to manage and resolve them. What follows is a detailed overview of how indema handles, stores, and secures the data across all data centers.
Upgrades and Maintenance
indema has regular maintenance windows for updates and backups. Backups are made nightly and do not affect user experience. During updates, indema services are not available for users. This usually takes 30 seconds, but on rare occasions and for larger sites it may take a bit longer.
indema has a regular update and improvement cycle. In 2020, there were six major releases or versions. Minor upgrades are released only for security or user experience improvement purposes and are done without interfering with site availability.
Hosting Infrastructure, Backup and Disaster Recovery
indema uses Amazon Web Services to host its infrastructure.
The documented plans for recovering indema’s operations and network connectivity in the event of a local or regional disaster are storing backups in multiple locations. The data recovery plans are updated and tested annually.
The Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for indema users’ hosted instances are up to 12 hours for the whole site accordingly. This means that within 12 hours all sites should be reverted to a working mode.
indema user accounts databases and files are backed up daily.
Integration, Data Import, Export, and Location
indema exposes web services over an API – an interface for accessing clients’ indema account data using HTTPS and JSON. The API makes it easy to create web and desktop applications that integrate with clients’ data in indema.
indema users can export data from indema to their own solutions by extracting export files in CSV format. The same file formats are also supported for data import to indema for specific modules.
Performance and Benchmarking
indema’s system runs on a high-availability and scalable setup. This means that based on the site’s load more worker instances are created to facilitate the load. Additionally, the workers are distributed across multiple nodes in different availability zones that guarantee uptime even in case of a technical issue with one node or entire availability zone, more recently seen (December 2021) with AWS logistical services making all of Amazon deliveries blacked out for over 24 hours.
indema is continuously working on making the product faster. This includes improving the code base, underlying infrastructure, and also testing new solutions.
Architecture and Supported Platforms
indema can be used with any modern web browser. The system works on all desktop/laptop operating systems (Windows, Macintosh, etc.).
indema supports the main modern tablet operating systems (iOS, Android, etc.), limited to a browser. indema does not yet support mobile phones, and while you access indema through a browser, your experience using indema on a smart phone would be limited.
Security
indema has internal processes and policies in place covering software development, employee access management, infrastructure management, etc. We continue improving our security policies and procedures, for that, we have implemented an Information Security Working group, that is responsible for the continuous improvement of policies, processes, and security practices.
indema uses HTTPS encryption protocol for every transaction. All passwords are hashed with an aes-256-cbc cypher using salt.
The threat of information being mistakenly disclosed to unauthorized people is addressed by awareness and training, removal of unnecessary data (electronic and paper), use of screen savers and lockouts, verification of the identity of individuals requesting access, and other relevant safeguards that enforce the principle of “need to know.”
The threat of information knowingly being misused by indema’s workforce and contractors are addressed by policy and practice, background checks, role-based access to information, oversight of data authorization by a supervisor, terminating access to data for terminated employees and employees changing job functions, prohibition on sharing passwords, and other relevant safeguards.
The threat of physical theft or loss of data is being addressed by policies on the storage of confidential data on laptops, USB drives, and other portable devices, encryption of data on portable devices, removal of unnecessary information, physical protection of desktops and servers, and other relevant safeguards.
The controls in use to address community concerns regarding privacy practices are covered in Terms of Use.
For credit-card-based and other e-commerce transactions executed through indema, the transaction security is being assured by indema’s trusted partner stripe. indema does not store any information regarding the client’s credit cards except the expiration date and last four digits of the credit card to show the client what card is being used.
indema supports Secure Sockets Layer with 128-bit or stronger encryption for connecting to the application.
There are internal background checks on personnel with administrative access to servers, applications, and client data. Four members of indema are dedicated to application and infrastructure security.
indema’s helpdesk is managed via email, no external access is given to the client.
Conclusion
Thank you for expressing your interest in indema’s security practices.
indema is continuously improving its security measures, policies, processes, practices, technologies, and therefore the information found in this document is subject to change.
In case any questions or specific topics not addressed in this document arise, feel free to contact our Customer Support by emailing [email protected].
In case of a found vulnerability, we kindly ask you to contact our support team at [email protected] and advise us. Thank you.