‍

The Framework

The Alumio iPaaS is built using best-of-breed technology frameworks and secure software development practices. All fixes, new features, and enhancements will only be released after several rigorous tests and a severe testing and review process. Our testing program exists of automated code testing regarding code quality, as well as a manual testing where every code line is checked, and tested by 2 senior developers.
‍

Development

Security by Design

The Alumio engineers develop the core application based on the concept of ‘Security-by-Design’, where we specified and trained our engineers:

• Our Secure SDLC (Software Development Lifecycle) processes, includes documented security requirements, security design reviews, application security testing, and full penetration testing.
• Production and testing environments are completely separated from each other. Data of customers or other privacy sensitive information is never transferred to testing or developer testing environments
• Security tests are done after every release on the OWASP top 10. Extensive vulnerability and penetration testing are performed at least annually.
• Related bugs are always assigned the highest priority, and a root cause analysis is performed for all major bugs that make it into production. Every pull request to releasable work requires a code review where at least two other (senior) developers are added.
• The team working on the core of Alumio is very invested in secure practices and will be able to provide proper review and feedback on written code. We automate security tests with sensiolabs security checker.
• Developers are trained in secure coding practices
• We use of automated DevOps security tools as OWASP Zap and sensiolabs to test for security vulnerabilities throughout the development phase.

ISO or information security accreditations for development

Alumio prides itself on its commitment to safeguarding sensitive information. As a testament to this, Alumio has undergone a rigorous implementation process and achieved compliance with ISO 27001, an internationally recognized standard for information security management systems.

Regarding the hosting we rely on the ISO of Google Cloud services which can be read here: Google.

‍

Acces to the iPaaS

The Alumio access explained:

• Role Based Access Control (RBAC)
  Our employees have access based on user roles with the concept of least privilege, so no access is granted to a level that is not described as needed in the ‘role’.
  
  
• Remote access security
  Remote access is only possible after a 2FA required login procedure for the application access. For access to server this is arranged via Google SSO access.
  
  

• IP Whitelisting
  Both server as application access is only possible when the IP’s of the employees are available in our Whitelisting server.
  
  
• Vendor support access
  The vendor access is based on Google Cloud Security measures
  
  
• User tracking
  All user login actions are logged, like login IDs (username Fan ID), date/time of last login, location of login (eg: IP address), device identifier (eg: MAC address). The logs are pushed to a location with a special access requirement for a period of 8 weeks.
  
  
• Regular access reviews
  Alumio has a process in place, so regular access reviews will be held. These will notify managers of issues in offboarding, enabling Alumio to update our processes and remediate any changes necessary. Training and when to enlist others' help.‍‍

All Alumio employees are required to pass a background check. In addition to this, employees in engineering, services, support, and operations (basically anyone with access to anything deemed security sensitive) are required to use multifactor authentication, to store and generate all credentials used to perform job functions.

Engineering employees with access to production systems are also required to undergo varying levels of security training at least annually. All of our employees are always only granted access to the minimal number of applications or systems needed to perform their job function.

‍

‍

GDPR and other privacy legislation

Please consult the following pages:

• Privacy
• Security
  ‍‍

Data security standards

All communication from Alumio to the data center of google cloud uses a minimum SSL 256-bit encryption and occurs via HTTPS, port 443. Alumio ensures via its data mappings and transformer features, that privacy sensitive data has to be transferred without encryption.

Default settings:

• Data at rest:
  No encryption is applied, access to data in rest is limited to authorized users
  

• Data In transit:
  Secured depending on situation, usually by HTTPS, SSH tunneling, VPN, etc.

Data storage and processing

The Alumio iPaaS has three ways of storing data:

• Logging
• Transformation trail
• Storages
  

In some cases, the iPaaS stores or processes personal sensitive data as mentioned in DPA or GDPR. These types of data which are processed or stored are noted in the data routes. A report is available or can becreated before starting the mapping process.

Automated Communication of data

Alumio automatically transmits the following information to the Google cloud data center:

Online Status:

• The Alumio monitoring service knows in near real-time if the integration services  go offline.
  

Tracking Information:

• The Alumio iPaaS communicates file name and directory of the files processed as well as success/failure counts and process executions.
  

Integration Process Updates:

• The Alumio iPaaS periodically checks for and applies updates.

Email Notifications:

• The Alumio iPaaS sends health alerts as emails but never in the name of a client.

User-initiated communications of data

If requested by an authorized user, the iPaaS communicates the following to the Alumio data center:

Logging & Monitoring information
Information about the execution of an integration process, including total execution time, logging for each step of the process and execution-failure error messages.

API data or Tasks (named messages via routes = tasks) related logs are retained for 2 weeks. Server-related logs are retained 1 month. Both are configurable as needed.

Exporting logs:
Alumio offers the ability to provide export of server logs. Any authorized user is able to provide task related logs.

We backup the following offsite:

• Databases - daily for up to a week
• Codebase - indefinite‍

‍Error Details
A detailed error message explaining what error caused the failed execution of an integration process.‍

Connector Browsing
When building processes for specific connectors, database schema information can be transmitted to define field mapping rules. No actual data is transmitted.

On-premises data communication security

No inbound firewall ports need to be open for the Alumio iPaaS to communicate with the data center. The Alumio integration interface always initiates the connection; the data center Google Cloud Platform never pushes data automatically to the Alumio integration platform (or private hosted solution). When the Alumio integration features initiate a connection, it involves using an SSL handshake to authenticate the data center before transmitting data. Alumio uses the digital certificate automatically created during registration and authentication.

‍

‍