All data is hosted on servers in facilities that have ISO 27001 certification. Your data is physically and logically separated from that of other customers. All data centers have redundant power supplies (UPS and backup generator).
The data centers feature security zones, around-the-clock security staff, outdoor video surveillance, individual identification through electronic access control and alarm systems.
All systems, connected devices and circuits within the production network are continuously monitored by Flexperto. Physical security and power supply are monitored by the provider of the respective facility.
Flexperto and our sub-service providers use data centers in Germany or other countries within Europe. Co-browsing can be offered entirely within German data centers. In exceptional cases, for certain functionalities such as Omni-Channel-Messaging via Consumer Messaging, service providers outside Europe are also used.
Our network is protected by firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and network intrusion detection and/or prevention technologies (IDS/IPS) that monitor and block malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems, such as database servers, are located in the most trusted zone. Other systems are located in zones appropriate to their sensitivity depending on their function, information classification and risk. Depending on the zone, additional security monitoring and access controls are used. DMZs are used between the internet and internally between the different trust zones.
The most important entry and exit points for application data flows are monitored by Web application firewalls. The systems are configured to trigger alerts when incidents and values exceed specified thresholds and use regularly updated signatures based on new threats. This includes around-the-clock system monitoring.
Flexperto participates in several threat intelligence programs. We monitor our systems for threats reported in these threat intelligence networks and take action based on our risks and level of exposure.
Access to the Flexperto Production Network is explicitly based on the need-to-know principle and the principle of least privilege, and is constantly monitored. Several authentication factors are required to access the Flexperto Production Network.
Communication between you and Flexperto servers is encrypted using HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for e-mail encryption.
All Flexperto customers benefit from data-at-rest encryption protection for offsite storage of attachments and complete daily backups.
Flexperto uses the following TLS ciphers:
Feel free to check them here:
Flexperto manages a publicly accessible system status website, which contains details on system availability and the history of service operations.
Flexperto uses service clustering and network redundancies to avoid individual sources of error. Our strict backup strategy ensures that service data is actively replicated in primary and secondary systems and facilities. Our co-location databases are stored on state-of-the-art storage units with multiple servers per database cluster.
Our Disaster Recovery (DR) program ensures that our services remain available or can be easily restored in the event of a disaster. This is achieved by creating a robust technical environment, as well as disaster recovery plans and testing.
Flexperto uses a 3-generation backup policy that includes up to 3 copies of important files. Backups are created and restored via a dedicated network interface so as not to interfere with production-related data traffic.
Our development is based on third-party packages that are actively and automatically checked for security holes and vulnerabilities. The framework used in our platform has inherent controls to reduce exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL injection (SQLi), including a focus on the OWASP Top 10.
No source code becomes part of the code base unless it is reviewed and approved by at least two other engineers. This ensures very high code quality and allows errors to be detected at a very early stage of the application integration process.
Our highly skilled QA department reviews, tests, identifies and fixes security vulnerabilities in our developer-tested code and application.
A large part of the services of the Flexperto platform is completely covered by component tests.
Test and staging environments are physically and logically separated from the production environment. No valid service data is used in the development or test environments.
We use a number of tools to ensure code quality and dynamically analyze the code to meet our coding standards and rules.
We use a number of qualified third-party security tools to continuously scan our platform for security vulnerabilities.
The source code repositories of our platform are continuously being checked for security issues by our integrated static analysis tool.
The Flexperto platform provides a simple mechanism for password authentication. Single Sign-On (SSO) with SAML for secure and easy integration with your service provider (Facebook, Twitter, Google, etc.) is also possible.
With Single Sign-On (SSO), you can authenticate users in your own systems without having to enter additional login information for your Flexperto instance. SAML (Security Assertion Markup Language) is supported.
The Flexperto platform provides user-defined password rules for users. Only administrators can change the password security level. Minimum length, letters, numbers and special characters are some of the applicable rules.
Flexperto follows best practices for storing credentials securely: passwords are never stored in a human-readable format, only as the result of a secure, salted one-way hash. For password and token hashing, we use salted SHA-256 hashes.