We take information security very seriously. For that reason, we process and handle data from only the best and most secure datacenters available – read more below. Furthermore, we encourage you to visit our page dedicated to how ActionPlanner complies with the GDPR.
Hosting facilities comply with the highest security standards such as SOC 2, SOC 3 and ISO 27001.
Access management and security
All network transport is secured with SSL (HTTPS protocol).
User passwords are hashed using SHA1 and stored securely in the database. Furthermore, it is possible to enable Single Sign-On (SSO) and to restrict users to logging in only from certain IP address ranges or certain IP addresses.
Technical and organizational safeguards
The Client exclusively decides which users are granted access to ActionPlanner and who sees all activities, some activities or has no access at all. The Client also decides what role to give each user. Based on this input, users get no, partial or full access to the processed data and/or personal data.
Server vulnerability scans
ActionPlanner’s servers are regularly tested with vulnerability scans. The test includes a full TCP and UDP port scan to identify available services on our servers. Each service is tested for information leaks, configuration errors and potential vulnerabilities. The vulnerability database contains the collective experience gained from testing thousands of networks, using both public security advisories and the scan provider's own research. It is continually updated, with over 250 new classes of vulnerability added each year. Currently the database contains over 6200 vulnerabilities. If the scanning reveals vulnerabilities, action is immediately taken, e.g. to reconfigure or upgrade services on the server.
Application vulnerability scans and source code reviews
The ActionPlanner application is also tested. This test includes a full scan of the ActionPlanner system to identify vulnerabilities, information leaks and potential cross-site scripting vulnerabilities. This scan detects over 3000 types of vulnerabilities.
ActionPlanner also performs source code reviews to identify potential risk areas and security flaws. If any of these scans or reviews reveals vulnerabilities, action is immediately taken, e.g. to reconfigure or upgrade services on the server or to change the source code.
Internal and external manual security penetration tests
Our internal security testing team performs an extensive review of the entire system, acting as a red team in the role of attackers, in order to pre-emptively identify flaws in the ActionPlanner systems. On a regular basis, an external organization performs a thorough penetration test of ActionPlanner which covers both the ActionPlanner application and the systems it runs on.
External information security audit
ActionPlanner is audited by a certified third-party IT auditor on a regular basis.
Data Flow & Backup
We make daily and weekly server image backups of the production server. These are securely hosted in storage. All traffic between our servers and the storage uses SSL to establish a secure, encrypted channel. Below is a diagram illustrating the data flow:
Data sent by an ActionPlanner end-user is saved on the production server, and data requested by the end-user is sent from the production server. All hard drives are RAID mirrored. All data except uploaded files is immediately replicated on the backup server in a second data center. All data except uploaded files is additionally replicated with a 1-hour delay on the backup server. All data is backed up daily with a 7-day retention and weekly with a 1-month retention in the Evault Backup. All traffic between data centers goes through a private network, making data transfers faster, more efficient and more secure.
Network performance and security are monitored 24×7.
Automated DDoS mitigation controls are in place should a DDoS attack occur. A comprehensive Client data backup procedure is in place (see above) in case of emergency.
- ActionPlanner logs system activities, application processes and user activities.
- All initiatives have an audit trail.
- Data can be checked against backups.
- System integrity is checked by Intel TXT (Trusted Execution Technology). Intel TXT ensures that each resource added has been verified and checked for integrity against server hardware components such as the BIOS, firmware and hypervisor software.
Data retention and deletion
Client data is irretrievably deleted 90 days after license expiry.
Frequently Asked Questions
In case of questions, feel free to reach out to the ActionPlanner Team.