Security & Compliance

Security and compliance are top priorities for Zefort.  We are committed to securing your data, eliminating system vulnerabilities, and ensuring continuity of access.

ISO 27001:2013 certification

Aivan Innovations Oy, the company behind Zefort, has been certified to the ISO 27001:2013 information security standard.  The certification scope includes design, development, service support and operation of the Zefort Contract Management system.

The certification was received on September 18, 2019 and can be viewed here: ISO27001 EN Aivan Innovations

According to the requirements of the standard, Aivan Innovations Oy has developed and implemented an Information Security Management System (ISMS).

The ISMS is a set of processes, tools, and guidelines to formally manage various aspects of information security, such as planning and leading information security processes, risk assessment and treatment, competence and awareness, operational planning and control, monitoring, internal audits, continuous improvement, as well as a number of mandatory technical security controls.

GDPR

Aivan Innovations Oy adheres to the EU’s General Data Protection Regulation (GDPR).

If you plan to store personal data in Zefort, we can provide a Data Processing Agreement with Aivan Innovations Oy taking the Data Processor role as defined in the GDPR.

Physical Security

Zefort is currently hosted on facilities provided by UpCloud Oy (primary) and Hetzner GmbH (backups).  The data centers are located in Finland and other EU countries and feature extensive safeguards such as:

  • Alarms
  • Perimeter fencing
  • Electronic access control
  • 24/7 monitoring
  • Access logs and activity records
  • Interlocking doors
  • Uninterrupted power supply
  • ISO 27001 certification

We reserve the right to migrate to a different hosting provider, if necessary.

System Security

Zefort infrastructure runs on hardened Linux servers.  Security updates are continuously performed.

Only designated Zefort operations team members have access to configure the infrastructure on an as-needed basis.

All privileged operative access to Zefort servers and infrastructure is secured with a VPN, HTTPS or SSH, authenticated using mandatory 2-factor authentication, and extensively logged.

Infrastructure logs are sent to a separate append-only logging system.

Network Security

The network infrastructure has multiple redundant connections, state-of-the-art high capacity networking hardware, and DDoS protection.

Industry best practices are followed to properly isolate networks and servers to prevent unnecessary inbound and outbound network connections.

Third-Party Audits

Zefort undergoes third-party independent audits on a regular basis and can provide the latest ISO 27001 certificate upon request.

Business Continuity and Disaster Recovery

The Zefort service keeps hourly encrypted backups of data in multiple regions on the chosen hosting providers.  While not expected, in the case of production data loss (i.e., primary data stores lost), we will restore data from these backups.

In the event of a region- or datacenter-wide outage, Zefort will bring up a duplicate environment in a different region or datacenter.

Data Security and Privacy

All data on Zefort servers is encrypted at rest using industry best practice algorithms.  Cryptography keys are stored and managed in a Key Management Service.

Data is sent and received over networks exclusively over secure connections using HTTPS, SSH, or other secure protocols.  This applies to both server-to-server communication inside Zefort, as well as data flowing in or out of Zefort when accessed via Zefort’s user interface and REST APIs.

Data Removal

All customer data stored on Zefort servers is removed upon termination of service without undue delay.  Data can also be deleted via Zefort’s REST API and user interface.  Removed data left on backups will be removed according to the backup retention schedule.

Private Instances

If your organization requires data isolation, Zefort can provide a Private Instance for a single tenant deployment dedicated for your organization.

Private Instances ensure resources and liabilities are not shared with other Zefort customers.

Private Instances can be spun up in various geographic regions, or even to a datacenter of your own choosing.

User Authentication

Single Sign-On (SSO) using the SAML 2.0 protocol is available as a standard feature on the Enterprise plan.  This enhances user-based security, allows custom authentication flows including two-factor authentication, and streamlines user provisioning and deprovisioning.  Zefort integrates with SAML identity providers including Microsoft Active Directory Federation Service (ADFS), Microsoft Azure AD, Google G Suite, F5 and OneLogin.

Access Control and Audit Logs

Zefort provides flexible tools to manage access control to keep your data safe, secure, and centrally managed.

Access to content and various administrative areas in your Zefort account is determined by the user role and access rights granted individually or through user groups.

All access and modification to data stored in Zefort by your users is extensively logged.  These audit logs can be viewed by administrator users with the necessary access rights.

Your Zefort account can be configured to allow usage only from designated IP addresses, such as your corporate VPN exit points.

Email Security

The Zefort service sends email notifications and other transactional email to users.  Outbound email is sent directly from Zefort’s servers to receiving servers, encrypted with SSL.  Outbound emails are authenticated using DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), and Zefort conforms to the DMARC authentication and reporting protocol.

Data can also be sent to Zefort via inbound email.  Zefort runs its own email infrastructure, and incoming emails are normally sent from your sending servers directly to Zefort’s servers, encrypted with SSL.

Email addresses for incoming email are randomly generated to make it more difficult to send untrusted data into Zefort.

In case you have policies preventing you from using email for contract data, incoming email can be disabled for your organization’s Zefort account.

Security Policies

An overview of specific security policies is available to Zefort Enterprise customers upon request:

  • Information Security
  • Risk Management
  • Security Incident Response
  • Vulnerability Management
  • Policy Management and Maintenance
  • Change Management
  • System Access