One of Zefort’s key promises is to provide bank-level security to all its customers and the customer data entrusted to us. What does this mean in practice and why does security matter? In this post, we’ll take a closer look at security at Zefort.
In general, security refers to all the practices, measures and technical decisions taken to ensure that Zefort’s systems and data can only be accessed by authorized persons, the data is never lost (data availability) and can only be changed by authorized persons (data integrity). In day-to-day use, security is often hidden from plain sight – but there’s a lot going on under the hood.
Security is a top priority for many of our customers, which include banks, healthcare companies and top legal firms. The requirements we have to meet are really tough – as they should be. What’s great is that setting the bar high benefits all our customers as the core security features are common to all customers, regardless of their size.
So, how do we redeem our promise on security? Let’s dive in!
ISO 27001 – the standard for our everyday work
Zefort has been certified to the ISO 27001:2013 standard for information security management (you can view our certificate here). In accordance with the requirements of the standard, we have developed and implemented our Information Security Management System (ISMS).
For us, the certificate and ISMS are much, much more than a badge on our website or a casual bumper sticker – they guide how our development team works, how we secure customer data and how we plan for unpleasant surprises, such as breaches or service outages.
The ISMS is a set of processes, tools, and guidelines to formally manage various aspects of information security, such as
- planning and leading information security processes,
- risk assessment and treatment,
- personnel competence and awareness,
- operational planning and control,
- monitoring and internal audits,
- continuous improvement,
- a number of mandatory technical security controls.
To ensure that the quality stays high, retaining the ISO 27001 certification means that we have to pass an independent third-party audit on a regular basis.
System security on multiple levels
From a more technical perspective, Zefort enforces security on many different levels. To see all the details, please check out our Security & Compliance page.
As a simplified summary, we enforce
- physical security that relates to the data centers and hosting facilities we use for running Zefort,
- system security that relates to the server infrastructure on which Zefort works,
- network security that ensures the continuous capacity and availability of our services,
- data security that defines how data and server-to-server communication are encrypted, and
- email security: we run our own encrypted email infrastructure for sending notifications and transactional emails to service users.
Zefort also undergoes annual cybersecurity penetration testing conducted by an independent third party. We provide testers with a dedicated testing environment with no exposure to any customer data.
Within the Zefort service, we enhance security with several features, such as Single-Sign-On (SSO) user authentication for Enterprise customers and Audit Logs that allow you to investigate what happens with your data.
Zefort is fully GDPR compliant
Zefort’s service fully adheres to the EU General Data Protection Regulation (GDPR), making it safe for you to store any personal data in Zefort. If necessary, we can provide a Data Processing Agreement and take the Data Processor role as defined in the GDPR. The GDPR compliance also applies to Zefort’s carefully selected data sub-processors.
How can I help?
I hope the above has illustrated how seriously we take security at Zefort. If you have any questions or concerns, please do not hesitate to contact our security team at firstname.lastname@example.org or me directly.
Zefort CTO, co-founder