Security & Compliance
Last Updated on : December 3, 2024
Security and compliance are top priorities for Zefort. We are committed to securing your data, eliminating systems vulnerability, and ensuring continuity of access.
ISO/IEC 27001:2022 certification
Aivan Innovations Oy, the company behind Zefort, has achieved ISO 27001:2022 certification for its Information Security Management System (ISMS). The certification scope is wide: protection of information within the Zefort Contract Management service.
The certification was last updated on September 9, 2024 and can be viewed here: ISO27001 EN Aivan Innovations
According to the requirements of the standard, Aivan Innovations Oy has developed and implemented an Information Security Management System (ISMS).
The ISMS is a set of processes, tools, and guidelines to formally manage various aspects of information security, such as planning and leading information security processes, risk assessment and treatment, competence and awareness, operational planning and control, monitoring, internal audits, continuous improvement, as well as a number of mandatory technical security controls.
GDPR
Aivan Innovations Oy adheres to the EU’s General Data Protection Regulation (GDPR).
If you plan to store personal data in Zefort, we can provide a Data Processing Agreement with Aivan Innovations Oy taking the Data Processor role as defined in the GDPR.
Physical Security
Zefort is currently hosted on facilities provided by Hetzner Gmbh and Amazon Web Services. The data centers are located in Finland and other EU countries and feature extensive safeguards such as:
- Alarms
- Perimeter fencing
- Electronic access control
- 24/7 monitoring
- Access logs and activity records
- Interlocking doors
- Uninterrupted power supply
- ISO 27001 certification
Zefort employees do not have physical access to the equipment used to provide our services.
We reserve the right to migrate to a different hosting provider, if necessary.
System Security
Zefort infrastructure runs on hardened Linux servers. Security updates are continuously performed.
Only designated Zefort operations team members have access to configure the infrastructure on as as-needed basis.
All privileged operative access to Zefort servers and infrastructure is secured with a VPN, HTTPS or SSH, authenticated using mandatory 2-factor authentication, and extensively logged.
Infrastructure logs are sent to a separate append-only logging system.
Network Security
The network infrastructure has multiple redundant connections, state-of-the-art high capacity networking hardware, and DDoS protection.
Industry best practices are followed to properly isolate networks and servers to prevent unnecessary inbound and outbound network connections.
Third-Party Audits and Penetration Testing
Zefort undergoes third-party independent audits for ISO 207001 compliance on a regular basis and can provide the latest ISO 27001 certificate upon request.
Zefort also undergoes annual penetration testing conducted by an independent third party. We provide testers with a dedicated testing environment and the necessary information to perform security testing. No customer data is exposed during such tests. A summary of penetration testing findings is available upon request to enterprise customers.
Business Continuity and Disaster Recovery
The Zefort service keeps hourly encrypted backups of data in multiple regions on the chosen hosting providers. While not expected, in the case of production data loss (i.e., primary data stores lost), we will restore data from these backups.
In the event of a region- or datacenter-wide outage, Zefort will bring up a duplicate environment in a different region or datacenter.
Data Security and Privacy
All data on Zefort servers is encrypted at rest using industry best practice algorithms. Cryptography keys are stored and managed in a Key Management Service.
Data is sent and received over networks exclusively over secure connections using HTTPS, SSH, or other secure protocols. This applies to both server-to-server communication inside Zefort, as well as data flowing in or out of Zefort when accessed via Zefort’s user interface and REST APIs.
Data Removal
All customer data stored on Zefort servers is removed upon termination of service without undue delay. Data can also be deleted via Zefort’s REST API and user interface. Removed data left on backups will be removed according to the backup retention schedule.
Private Instances
If your organization requires data isolation, Zefort can provide a Private Instance for a single tenant deployment dedicated for your organization.
Private Instances ensure resources and liabilities are not shared with other Zefort customers.
Private Instances can be spun up in various geographic regions, or even to a datacenter of your own choosing.
User Authentication
Single Sign-On (SSO) using the SAML 2.0 protocol is available as a standard feature on the Enterprise plan. This enhances user-based security, allows custom authentication flows including two-factor authentication, and streamlines user provisioning and deprovisioning. Zefort integrates with SAML identity providers including Microsoft Active Directory Federation Service (ADFS), Microsoft Azure AD, Google G Suite, F5 and OneLogin.
Access Control and Audit Logs
Zefort provides flexible tools to manage access control to keep your data safe, secure, and centrally managed.
Access to content and various administrative areas in your Zefort account is determined by the user role and access rights granted individually or through user groups.
All access and modification to data stored in Zefort by your users is extensively logged. These audit logs can be viewed by administrator users with the necessary access rights.
Your Zefort account can be configured to allow usage only from designated IP addresses, such as your corporate VPN exit points.
Email Security
Zefort runs it’s own email infrastructure, so emails are sent and received directly to/from. Zefort's servers without extra third party email services.
The Zefort service sends email notifications and other transactional email to users. Zefort sends emails directly from Zefort’s servers to receiving servers, encrypted with SSL. Emails are authenticated using DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Zefort conforms to the DMARC authentication and reporting protocol.
Data can also be sent to Zefort via inbound email. Zefort does not accept unencrypted connections at all for inbound emails.
Email addresses for incoming email are randomly generated to make it more difficult to send untrusted data into Zefort.
In case you have policies preventing you for using email for contract data, incoming email can be disabled for your organization’s Zefort account.
Vulnerability Disclosure
Anyone can report a security concern or vulnerability with a Zefort product or service to security@zefort.com.
We greatly value high quality reports about actual issues.
Include a proof of concept or detailed explanation, tools used, and their output. We take all reports seriously. Upon receiving a report, we quickly verify the vulnerability to decide on the necessary steps. Once verified, we send status updates as the problems are fixed.
We ask you to refrain from performing uninvited security testing on Zefort's production systems. Instead, use sandbox.zefort.com to develop your proof of concept.
To encrypt sensitive information, our PGP key can be found on keyservers with the fingerprint:
B1FA BB49 98A5 611F 7282 5453 D397 0137 D4DE 101F
Data sub-processors
A sub-processor is a third party data processor engaged by Zefort, who has or potentially will have access to or process personal data. Zefort engages different types of sub-processors to perform various functions as explained in the table below.
Zefort evaluates the security and privacy practices of sub-processors whom we wish to contract to ensure that they are in line with Zefort's information security and privacy standards. We then execute appropriate data protection agreements with them.
Sub-processor | Type | Location of processing |
---|---|---|
Hetzner GmbH | Cloud Service Provider | EU/EEA (Helsinki, Finland and Falkenstein, Germany) |
Amazon | Cloud Service Provider | EU/EEA ( Stockholm, Sweden) |
Scaleway | Cloud Service Provider | EU/EEA (Paris, France) |
Zoho Corporation B.V. | Customer support services | EU/EEA |
HubSpot Inc. | Marketing automation services | EU/EEA |
Telia Finland Oyj | Authentication services related to Zefort Sign | EU/ETA |
Nets Branch Norway | Authentication services related to Zefort Sign | EU/ETA |
EID Easy OÜ | Authentication services related to Zefort Sign | EU/ETA |
Link Mobility Oy | SMS services | EU/ETA |