SECURITY AND SERVICE POLICY

Infrastructure

The infrastructure and associated security are provided by Microsoft. All data is hosted on Microsoft’s data centre located in the Netherlands. Azure cloud has comprehensive compliance coverage: ISO 27001, ISO 27018, SOC 1, SOC 2, SOC3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. – for more information see https://azure.microsoft.com/en-us/overview/trusted-cloud/.

The hosting service is provided in a safe ’limited access’ environment. There is a continuous supply of power, climate control, and the data centre is protected against natural disasters. In the unlikely event that a situation occurs where it will be reasonable to question the data centre’s security the customer can request an independent 3rd party to examine the security systems at the customers’ cost if the customer compensates Cookie Information for all costs which Cookie Information may experience as a direct consequence hereof including costs to be paid to the data centre for access.

Access to the data centres’ infrastructure is decided in full by the data centre. Access to the data centre is limited to specific employees and selected production/support specialists who are only allowed access to perform planned maintenance and upgrades. Cookie Information reserves the right to change the data centre and/or other suppliers without obtaining prior consent from the customer, provided that the new data centre or new other supplier provides the Customer with at least the same service level and security as the current and provided that the new data centre is located within the EU.

Identity and access management

Cookie Information uses an effective implementation that includes configuration of administrative services, establishing and configuration of user identities, and implementation of service- and role-based access controls. Furthermore, we are monitoring, controlling and logging of both users and end-points.

Data security

Data at-rest is encrypted and decrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

The web-based application uses secure HTTP (TLS/HTTPS) to protect data transmissions over the internet.

Virtual Private Network (VPN) technology is used to protect other transmissions such as access to the active database.

Backup

Cookie Information provides web servers, application servers, database servers and physical storage in which data is kept in a redundant multi-drive configuration which gives mirrored storage and the required software to host the solution and associated services.

Additionally, all critical data is backed up daily to an encrypted, geo-redundant storage.

Availability

Cookie Information will provide the required infrastructure to ensure that the solution is available via the internet 99,5% of the time measured per month from the go-live date.

The service takes advantage of the wide opportunities in Azure to ensure high availability including full redundancy for all components and services, load balancing, automatic scaling of capacity, self-healing components, and a traffic manager to automatic geographic failover in case of an emergency at the data centre level.

All server, middleware and application components are being monitored 24/7 by Cookie Information.