Security & Compliance
Last Updated on : September 13, 2023
Security and compliance are top priorities for Zefort. We are committed to securing your data, eliminating systems vulnerability, and ensuring continuity of access.
ISO/IEC 27001:2013 certification
Aivan Innovations Oy, the company behind Zefort, has been certified to the ISO 27001:2013 information security standard. The certification scope is wide: protection of information within the Zefort Contract Management service.
The certification was last updated on September 12, 2022 and can be viewed here: ISO27001 EN Aivan Innovations
According to the requirements of the standard, Aivan Innovations Oy has developed and implemented an Information Security Management System (ISMS).
The ISMS is a set of processes, tools, and guidelines to formally manage various aspects of information security, such as planning and leading information security processes, risk assessment and treatment, competence and awareness, operational planning and control, monitoring, internal audits, continuous improvement, as well as a number of mandatory technical security controls.
Aivan Innovations Oy adheres to the EU’s General Data Protection Regulation (GDPR).
If you plan to store personal data in Zefort, we can provide a Data Processing Agreement with Aivan Innovations Oy taking the Data Processor role as defined in the GDPR.
Zefort is currently hosted on facilities provided by Hetzner Gmbh and Amazon Web Services. The data centers are located in Finland and other EU countries and feature extensive safeguards such as:
- Perimeter fencing
- Electronic access control
- 24/7 monitoring
- Access logs and activity records
- Interlocking doors
- Uninterrupted power supply
- ISO 27001 certification
Zefort employees do not have physical access to the equipment used to provide our services.
We reserve the right to migrate to a different hosting provider, if necessary.
Zefort infrastructure runs on hardened Linux servers. Security updates are continuously performed.
Only designated Zefort operations team members have access to configure the infrastructure on as as-needed basis.
All privileged operative access to Zefort servers and infrastructure is secured with a VPN, HTTPS or SSH, authenticated using mandatory 2-factor authentication, and extensively logged.
Infrastructure logs are sent to a separate append-only logging system.
The network infrastructure has multiple redundant connections, state-of-the-art high capacity networking hardware, and DDoS protection.
Industry best practices are followed to properly isolate networks and servers to prevent unnecessary inbound and outbound network connections.
Third-Party Audits and Penetration Testing
Zefort undergoes third-party independent audits for ISO 207001 compliance on a regular basis and can provide the latest ISO 27001 certificate upon request.
Zefort also undergoes annual penetration testing conducted by an independent third party. We provide testers with a dedicated testing environment and the necessary information to perform security testing. No customer data is exposed during such tests. A summary of penetration testing findings is available upon request to enterprise customers.
Business Continuity and Disaster Recovery
The Zefort service keeps hourly encrypted backups of data in multiple regions on the chosen hosting providers. While not expected, in the case of production data loss (i.e., primary data stores lost), we will restore data from these backups.
In the event of a region- or datacenter-wide outage, Zefort will bring up a duplicate environment in a different region or datacenter.
Data Security and Privacy
All data on Zefort servers is encrypted at rest using industry best practice algorithms. Cryptography keys are stored and managed in a Key Management Service.
Data is sent and received over networks exclusively over secure connections using HTTPS, SSH, or other secure protocols. This applies to both server-to-server communication inside Zefort, as well as data flowing in or out of Zefort when accessed via Zefort’s user interface and REST APIs.
All customer data stored on Zefort servers is removed upon termination of service without undue delay. Data can also be deleted via Zefort’s REST API and user interface. Removed data left on backups will be removed according to the backup retention schedule.
If your organization requires data isolation, Zefort can provide a Private Instance for a single tenant deployment dedicated for your organization.
Private Instances ensure resources and liabilities are not shared with other Zefort customers.
Private Instances can be spun up in various geographic regions, or even to a datacenter of your own choosing.
Single Sign-On (SSO) using the SAML 2.0 protocol is available as a standard feature on the Enterprise plan. This enhances user-based security, allows custom authentication flows including two-factor authentication, and streamlines user provisioning and deprovisioning. Zefort integrates with SAML identity providers including Microsoft Active Directory Federation Service (ADFS), Microsoft Azure AD, Google G Suite, F5 and OneLogin.
Access Control and Audit Logs
Zefort provides flexible tools to manage access control to keep your data safe, secure, and centrally managed.
Access to content and various administrative areas in your Zefort account is determined by the user role and access rights granted individually or through user groups.
All access and modification to data stored in Zefort by your users is extensively logged. These audit logs can be viewed by administrator users with the necessary access rights.
Your Zefort account can be configured to allow usage only from designated IP addresses, such as your corporate VPN exit points.
Zefort runs it’s own email infrastructure, so emails are sent and received directly to/from. Zefort's servers without extra third party email services.
The Zefort service sends email notifications and other transactional email to users. Zefort sends emails directly from Zefort’s servers to receiving servers, encrypted with SSL. Emails are authenticated using DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Zefort conforms to the DMARC authentication and reporting protocol.
Data can also be sent to Zefort via inbound email. Zefort does not accept unencrypted connections at all for inbound emails.
Email addresses for incoming email are randomly generated to make it more difficult to send untrusted data into Zefort.
In case you have policies preventing you for using email for contract data, incoming email can be disabled for your organization’s Zefort account.
Anyone can report a security concern or vulnerability with a Zefort product or service to firstname.lastname@example.org.
Include a proof of concept, tools used, and their output. We take all reports seriously. Upon receiving a report, we quickly verify the vulnerability to decide on the necessary steps to fix it. Once verified, we send status updates as the problems are fixed.
We ask you to refrain from performing uninvited security testing on Zefort's production systems. Instead, use sandbox.zefort.com to develop your proof of concept.
To encrypt sensitive information, our PGP key can be found on keyservers with the fingerprint:
A sub-processor is a third party data processor engaged by Zefort, who has or potentially will have access to or process personal data. Zefort engages different types of sub-processors to perform various functions as explained in the table below.
Zefort evaluates the security and privacy practices of sub-processors whom we wish to contract to ensure that they are in line with Zefort's information security and privacy standards. We then execute appropriate data protection agreements with them.
|Sub-processor||Type||Location of processing|
|Hetzner GmbH||Cloud Service Provider||EU/EEA, Finland, Germany|
|Amazon||Cloud Service Provider||EU/EEA, Stockholm|
|Zoho Corporation B.V.||Customer support services||EU/EEA|
|HubSpot Inc.||Marketing automation services||EU/EEA|