Signify V10 Security FAQs

Service Organisation Control Maturity

Question:

Yes. Awaiting certificate from BSI. External Audit completed 4 Dec 2024.

Link to SOA: F60_Statement of Applicability.xlsx

No

Hosting Environment Control Maturity

Question:

Yes, we host with Teraco in Isando and their ISO documentation is available on their website: Certifications and Compliance • Teraco

Please refer to Certifications and Compliance • Teraco

Penetration Test Report

Question:

Penetration tests on the app, mobile and network are done once a year. OWASP principles are followed. Reports can be requested from Manco. File location (not open to all): Pen Test Results

Encryption of Data Over Private Networks

Question:

Yes, from 2025 we encrypt the data at rest within our SQL Server 2019 databases using SQL Server's Always Encrypted feature configured with deterministic encryption. The encryption makes use of the AEAD_AES_256_CBC_HMAC_SHA_256 algorithm.
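The following T-SQL is an added illustration of how such a configuration is declared in SQL Server 2019; it is not Signify's own schema, and the key names, key store path and table are assumptions. It also shows the trade-off the deterministic type carries: equal plaintexts produce equal ciphertexts, which is what allows equality lookups but also makes equal values recognisable to anyone who can read the ciphertext, so the block keeps a randomized column beside it for contrast.

```sql
-- Added example (not Signify's configuration). Key names, certificate path
-- and table are assumptions used only for illustration.

-- 1. Column master key: kept outside the database (here in the client's
--    Windows certificate store); SQL Server stores only its location.
CREATE COLUMN MASTER KEY CMK_Example
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate-thumbprint-placeholder>'
);
GO

-- 2. Column encryption key, wrapped by the CMK with RSA-OAEP. The wrapped
--    value is produced by SSMS/the client driver; 0x00 is a placeholder.
CREATE COLUMN ENCRYPTION KEY CEK_Example
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Example,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00   -- placeholder, not a real wrapped key
);
GO

-- 3. DETERMINISTIC: same plaintext -> same ciphertext, so the column can be
--    searched on equality and joined, but repeated values are visible as
--    repeats. Character columns must use a BIN2 collation for this type.
--    RANDOMIZED: no such leakage, but no server-side equality predicates.
CREATE TABLE dbo.Member (
    MemberId    INT IDENTITY PRIMARY KEY,
    NationalId  NVARCHAR(20) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Example,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ),
    Notes       NVARCHAR(200)
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Example,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        )
);
GO

-- 4. Check: which columns are encrypted, with which type and algorithm.
--    This metadata is readable without access to any key.
SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name, k.name AS cek
FROM sys.columns c
JOIN sys.column_encryption_keys k
    ON k.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Member');
```

The final query is a useful audit check: it confirms every sensitive column is listed with the intended encryption type, because a column that was created without the ENCRYPTED WITH clause stores plaintext silently.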

The system runs within a Kubernetes cluster where the nodes are protected behind an Istio load balancer. Because of this private setup, traffic between the nodes does not traverse the hosting provider's private network but stays internal to the cluster.

The data transferred from the client to the enclosed server is encrypted using an SSL/TLS certificate. The encryption scope between client and server includes the SSL handshake and the secured communication that follows. The algorithm used is PKCS #1 SHA-256 with RSA encryption.

Identity, Entitlement, and Access Management

Question:

Yes, it can be configured. The password enforcement can be configured per client for the users accessing the system. One configuration is available that is shared by all users, administrators and general users alike.

The password expiry days can be adjusted per client and is 60 days by default.

Yes, the maximum number of failed login attempts is 10 by default and can be customised per client.

Yes, the number of passwords that can be used is customisable and is 5 passwords by default.

No, the default for the system is an access token lifetime of 100 minutes that is refreshed up to 5 times before the session expires. This is customisable per system.

Yes.

Yes

Yes

Yes

Yes, OpenID Connect

Logging/Tools

Question:

Yes, as part of the server deployment

Yes

Yes, stored actively for up to 6 months, after which it is retained in cold storage accessible on request.

Yes, giving insight into who viewed users' personal information and who changed data.

Yes, a FortiGate firewall is used for IPS and AV.


Revision #13
Created 3 December 2024 11:09:42 by Nardus van Eyk
Updated 4 December 2024 11:44:49 by Nardus van Eyk