The Alumio iPaaS integrates data between all your software, cloud platforms, SaaS solutions, on-premise systems, and EDI connections. Our cloud-native platform is designed to ensure that your data remains safe and is never shown to unauthorized parties.
Hosting security &
An iPaaS that's built secure by design.
Our standards regarding storing & handling data.
The Alumio Network & Infrastructure Security
Alumio supports all system integration processes – between Software-as-a-Service (SaaS) solutions, cloud apps, and on-premises systems. As a cloud-native integration platform, Alumio provides standard editions that operate in secure cloud environments that can be hosted in your local region within Amazon Web Services (AWS).
The Alumio "integration Platform as a Service (iPaaS)" runs on the Amazon Web Services infrastructure, which delivers hosting in several regions. To get a comprehensive overview of Amazon Web Services, please click here →
Alumio integrates with the Elastic ELK stack, which contains Elasticsearch, Logstash, and Kibana. Elastic has high standards regarding security & compliance to make sure the highest possible standards are attained. Review Elastic's security principles and security & compliance standards.
Amazon AWS is responsible for:
Alumio is responsible for:
- Configuration management
Elastic is responsible for:
- Logging via Elastic ELK stack (Elasticsearch, Logstash, Kibana)
An overview of the certifications of Alumio’s (private) hosted solution:
- ISO 27001 | 27017 | 27018
- SOC 1 | 2 | 3
- MTCS (Singapore) Tier 3
- BSI C5 Basic
- CSA Star
- Spain Esquema Nacional de Seguridad (ENS)
During deployment, the data center verifies and authenticates all of its contents before activation. The Alumio platform and its features never send data to third-party connected software unless explicitly configured by the user.
The Alumio Information Security Management System (ISMS)
As we use Google Cloud hosting services, we can rely on Google’s Cloud security measures to handle the Information Security Management System (ISMS), as you can read here on Google →
There are various policies in place to guarantee the above. The following policies are described in detail in our internal company Wiki, to which everyone, depending on their function and/or role, must adhere:
● Acceptable Use Policy
● Access Control Policy
● Bring Your Own Device (BYOD) Policy
● Business Continuity Strategy
● Chief Security Officer
● Confidentiality Statement
● Incident Management Procedure
● Information Classification Policy
● Information Security Policy
● Inventory of Assets
● ISMS Scope Document
● List of Authorized Persons
● List of Legal, Regulatory, Contractual and Other Requirements
● Mobile Device and Teleworking Policy
● Operating Procedures for Information and Communication Technology
● Password Policy
● Policy on the Use of Cryptographic Controls
● Procedures for Working in Secure Areas
● Risk Assessment and Risk Treatment Methodology
● Risk Assessment and Risk Treatment Report
● Secure Development Policy
● Security Management Team
● Specification of Information System Requirements
● Statement of Acceptance of ISMS documents
● Statement of Applicability
● Supplier Security Policy
● Training and Awareness Plan
Application & Platform Layer
The Alumio iPaaS is built using best-of-breed technology frameworks and secure software development practices. All fixes, new features, and enhancements are released only after several rigorous tests and a strict testing and review process. Our testing program consists of automated code testing for code quality, as well as manual testing in which every line of code is checked and tested by 2 senior developers.
Security by Design
The Alumio engineers develop the core application based on the concept of ‘Security-by-Design’, for which we have specified the following and trained our engineers:
- Our Secure SDLC (Software Development Lifecycle) processes include documented security requirements, security design reviews, application security testing, and full penetration testing.
- Production and testing environments are completely separated from each other. Customer data and other privacy-sensitive information is never transferred to testing or developer testing environments.
- Security tests against the OWASP Top 10 are performed after every release. Extensive vulnerability and penetration testing is performed at least annually.
- Related bugs are always assigned the highest priority, and a root cause analysis is performed for all major bugs that make it into production. Every pull request to releasable work requires a code review where at least two other (senior) developers are added.
- The team working on the core of Alumio is very invested in secure practices and is able to provide proper review and feedback on written code. We automate security tests with the SensioLabs Security Checker.
- Developers are trained in secure coding practices.
- We use automated DevOps security tools such as OWASP ZAP and SensioLabs to test for security vulnerabilities throughout the development phase.
ISO or information security accreditations for development
Alumio prides itself on its commitment to safeguarding sensitive information. As a testament to this, Alumio has undergone a rigorous implementation process and achieved compliance with ISO 27001, an internationally recognized standard for information security management systems.
Regarding the hosting, we rely on the ISO accreditations of Google Cloud services, which can be read here: Google.
Access to the iPaaS
The Alumio access explained:
- Role Based Access Control (RBAC)
Our employees have access based on user roles with the concept of least privilege, so no access is granted to a level that is not described as needed in the ‘role’.
- Remote access security
Remote access to the application is only possible after a login procedure that requires 2FA. Access to the server is arranged via Google SSO.
- IP Whitelisting
Both server and application access are only possible when the employees' IP addresses are present in our whitelisting server.
- Vendor support access
Vendor access is based on Google Cloud Security measures.
- User tracking
All user login actions are logged, including login IDs (username Fan ID), date/time of last login, location of login (e.g., IP address), and device identifier (e.g., MAC address). The logs are pushed to a location with a special access requirement for a period of 8 weeks.
- Regular access reviews
Alumio has a process in place so that regular access reviews are held. These will notify managers of issues in offboarding, enabling Alumio to update our processes and remediate any changes necessary. Training and when to enlist others' help.
All Alumio employees are required to pass a background check. In addition to this, employees in engineering, services, support, and operations (basically anyone with access to anything deemed security sensitive) are required to use multifactor authentication, to store and generate all credentials used to perform job functions.
Engineering employees with access to production systems are also required to undergo varying levels of security training at least annually. All of our employees are always only granted access to the minimal number of applications or systems needed to perform their job function.
Data Storages & Data Handling
GDPR and other privacy legislation
Please consult the following pages:
Data security standards
All communication from Alumio to the Google Cloud data center uses a minimum of SSL 256-bit encryption and occurs via HTTPS, port 443. Alumio ensures, via its data mappings and transformer features, that privacy-sensitive data has to be transferred without encryption.
- Data at rest:
No encryption is applied; access to data at rest is limited to authorized users.
- Data in transit:
Secured depending on the situation, usually by HTTPS, SSH tunneling, VPN, etc.
Data storage and processing
The Alumio iPaaS has three ways of storing data:
- Transformation trail
In some cases, the iPaaS stores or processes sensitive personal data as mentioned in the DPA or GDPR. The types of data that are processed or stored are noted in the data routes. A report is available or can be created before starting the mapping process.
Automated Communication of data
Alumio automatically transmits the following information to the Google cloud data center:
- The Alumio monitoring service knows in near real-time if the integration services go offline.
- The Alumio iPaaS communicates the file name and directory of the files processed, as well as success/failure counts and process executions.
Integration Process Updates:
- The Alumio iPaaS periodically checks for and applies updates.
- The Alumio iPaaS sends health alerts as emails but never in the name of a client.
User-initiated communications of data
If requested by an authorized user, the iPaaS communicates the following to the Alumio data center:
Logging & Monitoring information
Information about the execution of an integration process, including total execution time, logging for each step of the process and execution-failure error messages.
Logs related to API data or tasks (messages sent via routes are called tasks) are retained for 2 weeks. Server-related logs are retained for 1 month. Both are configurable as needed.
Alumio can provide an export of server logs. Any authorized user is able to provide task-related logs.
We back up the following offsite:
- Databases - daily for up to a week
- Codebase - indefinite
A detailed error message explaining what error caused the failed execution of an integration process.
When building processes for specific connectors, database schema information can be transmitted to define field mapping rules. No actual data is transmitted.
On-premises data communication security
No inbound firewall ports need to be open for the Alumio iPaaS to communicate with the data center. The Alumio integration interface always initiates the connection; the data center (Google Cloud Platform) never pushes data automatically to the Alumio integration platform (or private hosted solution). When the Alumio integration features initiate a connection, an SSL handshake is used to authenticate the data center before data is transmitted. Alumio uses the digital certificate automatically created during registration and authentication.