Inniti will abide by the security standards set forth below (“Security Standards”), which detail the actions taken by Inniti that are designed to ensure the security of the Inniti Services.
During the Subscription Term, these Security Standards may change without notice as standards evolve, additional controls are implemented, or existing controls are modified as deemed reasonably necessary by Inniti, provided that such changes will not bring the Security Standards below industry-standard security measures.
Terms not defined herein will have the meanings ascribed to them in the relevant agreement for the Inniti Services entered into between the parties.
- Risk Management
- A regular information security risk assessment is performed covering Inniti infrastructure.
- The risk assessment is conducted using an industry-standard methodology to aid in identifying, measuring, and treating known risks.
- Risk assessment results and risk mitigation suggestions are shared with the executive management team.
- The risk assessment results will specify proposed changes to systems, processes, policies, or tools to reduce security vulnerabilities and threats, if any.
- Security Policies
- Policies, including those related to data privacy, security, and acceptable use, are assessed and approved by Inniti’s senior management. Policies are documented and published to all relevant personnel.
- Employees and contracted third parties are required to comply with Inniti policies relevant to their scope of work.
- Information security policies are stored, maintained, updated, and published in a centralised location accessible to employees and third parties.
- Inniti office space is secured from visitor access except for areas staffed by reception or security personnel.
- Communication and Operations Management
- The operation of third-party systems and applications that support the Inniti Services is subject to documented operating procedures.
- The operations team maintains hardened standard server configurations. Systems are deployed and configured in a uniform manner using configuration management systems.
- Inniti maintains change control programs for development, operations, and Information Technology teams.
- Separate environments are maintained to allow for the testing of changes.
- Access Controls
- All users are required to use a unique ID and SSH key as well as a white-listed IP address for access to the production environment.
- Generic accounts are prohibited for user access. Access to the “root” account is restricted to those operations personnel for whom it is deemed necessary.
- All access to the back-end servers and network infrastructure requires two levels of authentication: SSH access to the bastion host and SSH access to the individual servers or network devices.
- All access controls are based on “least privilege” and “need to know” principles. Different roles, including limited and administrative access, are used in the environment.
- Upon notice of termination of Inniti personnel, all user access is removed. All critical system access is removed immediately upon notification.
- Information Systems Development and Maintenance
- Product features are managed through a formalised product management process. Security requirements are discussed and formulated during scoping and design discussions.
- Inniti maintains a sustaining engineering team whose primary responsibility is identifying and remediating bugs found in the Inniti Service.
- Source code repositories are scanned regularly by a static analysis/code quality tool. Security issues are validated, risk ranked, and placed in a dedicated bug tracking system for remediation.
- Inniti maintains a QA function dedicated to reviewing and testing application functionality and stability.
- Emergency fixes are pushed to production as needed. Change management is retrospectively performed.
- All Inniti equipment has CE marking.
- Transfer of data from the Customer Equipment via the Inniti Connector to the Inniti Edge Server happens either via a secure local network set up by Inniti or via Customer’s own secure network.
- All Customer data transferred from Customer’s local premises via the Inniti Edge Server to Inniti’s platform is encrypted.
- All Customer data made available on the Inniti platform is encrypted using AES256 compliant with FIPS 140-2 and hosted on a Microsoft Azure server.
- All Inniti Connectors undergo quality control before being deployed to Customer.
Last updated February 1 2022