Security
Syndic8 takes the security of our application, data, and staff seriously. Some of our policies, procedures, and standards are highlighted in this document to demonstrate the minimum standards to which our company adheres.
Company & Staff Security
Physical Access Controls
Access to all Syndic8 offices requires a combination of physical keys and digital keys (keycards). Our buildings are secured by turnstiles with 24/7 security staff, as well as extensive video surveillance systems.
Computers
Staff laptops are provisioned and controlled using MDM (Mobile Device Management) software. This allows us to ensure that any device with access to our sensitive applications and data meets a minimum security baseline. For instance, we use digital policies and profiles to ensure that staff laptops have full-disk encryption enabled, are password protected, are updated regularly, and are protected with antivirus software.
Staff
Our staff sign non-disclosure agreements and are subject to background checks, where permitted by applicable law. We apply the principle of least privilege to ensure that individuals and teams are granted only the minimum access required to do their work.
Credential Generation, Storage & Sharing
All generation, distribution and storage of credentials is done using a secure, 3rd-party password management application. This allows Syndic8 to manage access to credentials on a per-user and per-group basis, as well as to revoke entire accounts if necessary. Company-wide use of password managers also reduces the likelihood of staff falling victim to a phishing scam or malicious website, because a password manager only offers to fill a credential on the site it was saved for. Where possible, Syndic8 enables and requires 2FA (2-Factor Authentication) within the applications that the company uses.
Internal Reviews
Syndic8 maintains and reviews security policies, procedures, and permissions on a scheduled basis. These internal audits help ensure that teams and individuals are not granted permissions or data access beyond what is necessary to perform their job. They also ensure that temporary credentials are revoked when no longer needed.
Email
Our email servers support STARTTLS for both inbound and outbound email. If your mail service provider also supports TLS, your email is encrypted in transit, both to and from the Syndic8 service; because STARTTLS is opportunistic, mail exchanged with a provider that does not support it is delivered in plaintext. Our mail service is also enabled with anti-phishing, anti-malware, and anti-spam filters.
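To verify the STARTTLS support described above from the outside, the following script is an added example, not Syndic8's code or tooling. It parses a raw EHLO reply for the STARTTLS capability (the sample replies are constructed, and the hostnames in them are placeholders), builds a TLS context that refuses anything below TLS 1.2 and validates the server certificate, and, when given a real host, performs the upgrade and reports the negotiated protocol version. The `mail.example.test` hostname and the port 25 default are assumptions for illustration.

```python
"""Check whether an SMTP server advertises STARTTLS and upgrades to TLS 1.2+.

Added example (not Syndic8's own code). Only check_smtp_starttls() touches the
network; everything else works offline on the constructed sample replies.
"""
import re
import smtplib
import ssl
import sys

# Constructed EHLO replies, as they would appear on the wire (RFC 5321 multi-line
# 250 reply). The first line is the server's domain and greeting, not a capability.
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
SAMPLE_EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)

# "250-" marks a continuation line, "250 " the final line of the reply.
EHLO_LINE = re.compile(r"^250[- ](.*)$")


def parse_ehlo_capabilities(reply: str) -> dict:
    """Return {KEYWORD: parameters} for every capability line in a raw EHLO reply."""
    matches = [EHLO_LINE.match(line.rstrip("\r")) for line in reply.split("\n")]
    lines = [m.group(1) for m in matches if m]
    caps = {}
    for text in lines[1:]:  # skip the domain/greeting line
        fields = text.strip().split(None, 1)
        if not fields:
            continue
        caps[fields[0].upper()] = fields[1] if len(fields) > 1 else ""
    return caps


def advertises_starttls(reply: str) -> bool:
    """True if the server offers the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_capabilities(reply)


def smtp_tls_context() -> ssl.SSLContext:
    """TLS client context: TLS 1.2 minimum, certificate and hostname verified."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check: EHLO, upgrade with STARTTLS, report the negotiated TLS version.

    Raises ssl.SSLError if the server only offers TLS < 1.2 or presents a
    certificate that does not validate for `host`.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"host": host, "starttls": False, "tls_version": None}
        smtp.starttls(context=smtp_tls_context())
        smtp.ehlo()  # capabilities must be re-read after the upgrade (RFC 3207)
        return {
            "host": host,
            "starttls": True,
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher()[0],
        }


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    print("sample 1 offers STARTTLS:", advertises_starttls(SAMPLE_EHLO_WITH_STARTTLS))
    print("sample 2 offers STARTTLS:", advertises_starttls(SAMPLE_EHLO_WITHOUT_STARTTLS))
    # Live check against a host given on the command line, e.g. an MX record of a domain.
    if len(sys.argv) > 1:
        print(check_smtp_starttls(sys.argv[1]))
```

A passing check shows only that the server offers the upgrade and can complete a TLS 1.2+ handshake; an active attacker on the path can still strip the STARTTLS line from the EHLO reply, which is why the opportunistic model needs a policy mechanism such as MTA-STS (RFC 8461) or DANE before delivery can be said to require encryption. That is general background, not a statement about Syndic8's configuration.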
Infrastructure Security
Encryption of Data in Transit
Syndic8 services are hosted on servers that require HTTPS (TLS) with modern cipher suites in order to connect. This ensures that data are encrypted in transit between an end-user's browser and the Syndic8 service.
Encryption of Data at Rest
Syndic8’s databases are encrypted using strong symmetric encryption, and the keys are managed by our cloud service providers. Physical hardware disks and other storage devices, such as object-based storage are also encrypted.
Physical Security
Syndic8 relies on a number of cloud service providers to manage the physical hardware (e.g. servers) on which Syndic8 services are hosted. Syndic8's major cloud service providers are (at the time of this writing) certified according to SSAE 16 Type II SOC 1 or higher standards (SSAE 16 has since been superseded by SSAE 18). These attestations cover the physical and environmental controls of the cloud provider's datacenters.
Virtual Security
Critical services in the Syndic8 infrastructure are protected with a Web Application Firewall (WAF), which also (where applicable) restricts access to requests from whitelisted IP addresses. Syndic8 uses a VPN to control traffic into these resources.
Application Security
Application Authentication & Authorization
Syndic8 uses a 3rd-party service to authenticate all users of the service, as well as to authorize the various operations that they can perform. This structure gives Syndic8 very granular control over user access, and allows us to revoke such access across multiple systems in one place, if necessary.
Logging
The Syndic8 service performs server-side logging of client interactions with our services. This includes web server access logging, as well as activity logging for actions taken through our API. Our application also audits modification of data with user and time information.
Backup
Syndic8’s databases are backed up on a regular schedule using managed services, and are encrypted.
Internal Reviews
Syndic8 enforces maker-checker policies on major code repositories, which ensures that code must be reviewed by someone other than the author before being merged into our software pipeline. Code also progresses through multiple environments in our pipeline (e.g. automated testing, manual testing, staging) before being promoted into a production environment.
External Reviews
Syndic8 from time to time contracts with an external company to administer penetration testing and/or bug bounty programs as deemed pertinent. These programs allow a variety of security researchers to access the Syndic8 application, test it for security weaknesses, and report any potential vulnerabilities.