Technical & Organizational Security Measures

Welcome, and thank you for your interest in 1CRM Systems Corp.

This document is a high-level overview of 1CRM’s technical and organizational measures.

1CRM may change these measures from time to time to adapt to the evolving security landscape and where required will notify customers of these changes.

  1. Definitions
  2. Organization of Information Security
  3. Information Security Management System
  4. Physical Access
  5. System Access
  6. Data Access
  7. Data Transmission / Storage / Destruction
  8. Confidentiality and Integrity
  9. Availability
  10. Data Separation
  11. Incident Management
  12. Audit

1. Definitions

This document describes technical and organizational security measures and controls implemented by 1CRM to protect the data customers entrust to us as part of the 1CRM service.

Within this document, the following definitions apply:

  • “Customer” means any subscriber to the 1CRM service.
  • “1CRM Service” means the Software-as-a-Service provided by 1CRM to our Customers.
  • “Customer Data” means any information provided or submitted by the Customer that is processed by the 1CRM service.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Personnel” means 1CRM employees and authorized individual contractors/vendors.
  • “Strong Encryption” means the use of industry standard encryption measures.

2. Organization of Information Security

Objective: 

To outline 1CRM’s information security structure.

Measures: 

  1. 1CRM employs full-time dedicated trained/certified security Personnel responsible for information security.
  2. The information security function reports directly to the 1CRM senior leadership team.
  3. 1CRM has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
  4. All 1CRM Personnel have signed legally reviewed confidentiality agreements.
  5. All 1CRM Personnel are given training in information security.

3. Information Security Management System

Objective: 

To demonstrate 1CRM’s commitment to manage the assessment and treatment of these risks and to continually improve its information security.

Measures: 

  1. 1CRM has deployed an ISMS (Information Security Management System) that serves as the foundation of our information security practices.

4. Physical Access

Objective: 

To protect the physical assets that contain Customer Data.

Measures: 

  1. The 1CRM Service operates from several industry-certified Microsoft Azure data centers (in the USA, Canada, Australia, Singapore and the European Union) with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, surveillance, and security guards.
  2. Each Data Center is audited for compliance to 1CRM security protocols.
  3. Only authorized Personnel have access to the data center premises housing Customer Data and access is controlled through a security registration process requiring a government issued photo ID.
  4. Microsoft has made commitments to support GDPR compliance. Specifically see Attachment 4 to their Online Service Terms, updated May 2018.
  5. The production data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents.
  6. Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities, and is appropriately maintained.

5. System Access

Objective: 

To ensure systems containing Customer Data are used only by approved, authenticated users.

Measures: 

  1. Access to 1CRM systems is granted only to 1CRM Personnel and/or to permitted employees of 1CRM’s subcontractors and access is strictly limited as required for those persons to fulfil their function.
  2. All users access 1CRM systems with a unique identifier (UID).
  3. 1CRM has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form.
  4. Full administrator access to systems containing Customer Data is only possible through a secure VPN tunnel and requires a second factor of authentication.
  5. 1CRM has a comprehensive process to deactivate users and their access when Personnel leave the company or a functional role.
  6. All access or attempted access to systems is logged and monitored.

6. Data Access

Objective: 

To ensure Personnel entitled to use systems gain access only to the Customer Data that they are authorized to access.

Measures: 

  1. As a matter of course, 1CRM Personnel do not access Customer Data and where access is required to operate the service or assist in a customer issue, the request for access must be formally justified/tracked and approved by the customer.
  2. 1CRM restricts Personnel access to Customer Data on a “need-to-know” basis based on this justification.
  3. Each such access and its subsequent operations are logged and monitored.
  4. Personnel training covers access rights to and general guidelines on definition and use of Customer Data.

7. Data Transmission / Storage / Destruction

Objective: 

To ensure Customer Data is not read, copied, altered or deleted by unauthorized parties during transfer/storage.

Measures: 

  1. Customer access to the 1CRM Service portals is protected by the most current version of Transport Layer Security (TLS).
  2. 1CRM uses Strong Encryption in the transmission of Customer Data within our production data centers, and between our data centers and customer devices.
  3. Upon Customer’s request, Customer Data will be promptly deleted.
  4. 1CRM equipment or disk media containing Customer Data are not physically removed from the production data center unless securely erased prior to such removal or being transferred securely for destruction at a third-party site.

8. Confidentiality and Integrity

Objective: 

To ensure Customer Data remains confidential throughout processing and remains intact, complete and current during processing activities.

Measures: 

  1. 1CRM has a formal background check process and carries out background checks on all new Personnel.
  2. 1CRM trains its engineering Personnel in application security practices and secure coding practices.
  3. 1CRM has a central, secured repository of product source code, which is accessible only to authorized Personnel.
  4. 1CRM has a formal application security program and employs a robust Secure Development Lifecycle (SDL).
  5. Security testing includes code review, penetration testing, and employing static code analysis tools on a periodic basis to identify flaws.
  6. All changes to software on the 1CRM Service are via a controlled, approved release mechanism within a formal change control program.
  7. All encryption and other cryptographic functionality used within the 1CRM Service uses industry standard encryption and cryptographic measures aligned with the standards promulgated in FIPS 140-2.

9. Availability

Objective: 

To ensure Customer Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Customer Data in the event of a service incident.

Measures: 

  1. Customers can configure their own regular backups to external servers under their control, via SSH or FTP. They may also choose to send backups to the Dropbox service.
  2. Each data center can be failed-over/back in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Customer Data against accidental destruction and loss.
  3. Each production data center has multiple power supplies and on-site generators with battery back-up to safeguard power availability to the data center.
  4. Each production data center has multiple access points to the Internet to safeguard connectivity.
  5. Each production data center is monitored 24x7x365 for power, network, environmental and technical issues.
  6. 1CRM maintains a robust Business Continuity/Disaster Recovery program including:
    • Well-defined, updated plans.
    • Regular testing and retrospectives.

10. Data Separation

Objective: 

To ensure each Customer’s Data is processed separately.

Measures: 

  1. 1CRM uses a single-tenant architecture to ensure data segregation between customers. The data for each client is contained in a separate database, with zero chance of intermingling data from multiple clients.
  2. In each step of the processing, Customer Data received from different Customers is assigned a unique access URL so data is always logically separated.
  3. Customers only have access to their own Customer Data through the use of the unique URL and username/password or OAuth authentication.

11. Incident Management

Objective:

In the event of any security breach of Customer Data, the effect of the breach is minimized and the Customer is promptly informed.

Measures:

  1. 1CRM maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents and response plans and procedures.
  2. 1CRM regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan.
  3. In the event of a security breach, 1CRM will notify Customers without undue delay after becoming aware of the security breach.

12. Audit

Objective:

To ensure 1CRM regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures outlined above.

Measures include: 

  1. 1CRM conducts regular internal audits of its security practices.
  2. 1CRM ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
  3. 1CRM conducts at least semi-annual penetration tests of the 1CRM Service using external security experts.

Last update: May 17, 2018