OptimiDoc, partners, and customers are responsible for customer data security.
OptimiDoc is mainly responsible for the security of the following:
-
Application development
-
Physical protection
-
Virtual infrastructure
-
Data Security
-
Backup and Log policy
Partners and customers are responsible for managing customers' accounts, users, rights and data governance. It requires strict compliance with all security and safety demands.
Application Development Security
OptimiDoc reviews and validates the application source code to ensure the highest level of customer protection against any security incidents.
Source code analysis tools, also known as Static Application Security Testing (SAST) Tools, are used to analyse source code or compiled versions of code to help find security flaws.
Additionally, OptimiDoc performs penetration testing of OptimiDoc Cloud apps regularly.
Results of SATS and penetration tests are analysed, triaged, and prioritised. All necessary remediation steps are realised in a timely manner.
Physical protection
OptimiDoc outsources hosting its platform infrastructure to leading cloud infrastructure provider Microsoft and its Azure platform.
Microsoft Azure infrastructure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. It also meets country or region-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence to the strict security controls these standards mandate.
Virtual infrastructure
Virtual infrastructure security policy can be split into the following parts:
-
Network security
o Complete production infrastructure is isolated from non-production networks and other solutions provided by OptimiDoc. Direct access to virtual infrastructure is forbidden from non-production networks to servers and network devices in a production network.
o Only temporary access from OptimiDoc offices is allowed to realise maintenance and upgrade operations.
-
Access policy
o OptimiDoc Cloud follows the principle of least privilege. Organisation responsibility is divided amongst organisations, and specific roles are assigned to manage those responsibilities.
o MFA is required for all employees across the organisation.
-
Update and maintenance policy
o OptimiDoc periodically monitors and applies the latest application and operating security patches.
-
Intrusion protection
o Microsoft Azure Environment protects against network intrusion, data theft, and other threats like malware (even at the hardware level) and DoS attacks.
Data Security
Any access to customer data is strictly restricted except in reasonable cases. OptimiDoc Cloud staff can access your company data in case of need:
-
Legal Requirements
-
Support requests
-
System issues and bug resolution
OptimiDoc Cloud uses Microsoft Azure Database. The database is accessible only from the OptimiDoc Cloud infrastructure (resource group). In the case of service tasks, access to a defined location is temporarily enabled. All accesses are audited in Audit logs and turned on by the Advanced Data Security service.
Data stored in OptimiDoc Cloud is encrypted and decrypted using a 256-bit AES encryption cypher - one of the strongest block cyphers available - and is FIPS 140-2 compliant. Print & Scan job data are stored temporarily only for the necessary time.
The complete OptimiDoc Cloud Azure infrastructure is separated into a defined resource group and continuously follows regulatory compliance standards.
OptimiDoc uses the industry standards TLS (1.2 and higher) protocols for data transfer to ensure data transmission security.
Backup and Log policy
Daily backups are performed over the OptimiDoc Cloud data centres. Not all data is backed up; some data is transient and governed by strict lifecycle rules (i.e., print jobs stored in the Cloud Node or scan jobs waiting for delivery). As soon as the jobs are delivered, the data is permanently deleted. This minimises the period in which we retain potentially sensitive data.
Before any critical operations, such as OS/Application upgrading, architectural or security changes, a necessary backup is taken.
Necessary logs are maintained to track the user operations and instances' health checks.
OptimiDoc Cloud availability monitoring
OptimiDoc uses independent monitoring services to check the availability status of all services and datacentres. Monitoring services allow clients to register and obtain automatic email notifications in case of system failure.
The monitoring service also provides notifications of planned maintenance outages and incidents with resolution time.
Live monitoring of OptimiDoc Cloud Datacentres is available: https://status.optimidoc.cloud