Guide
Security, Data Privacy & Data Management Best Practices
Learn best practices to keep customer data safe and secure while maintaining compliance.
Read more
At Annex Cloud, our top priority is keeping our customers’ data secure. We employ rigorous security measures at the organizational, architectural and operational levels to ensure our customers’ data, applications and infrastructure remain safe.
Responsible disclosure
New security issues and attack vectors emerge every day. Annex Cloud strives to stay proactive and keep abreast of the latest developments by working with security researchers, our peers and our customers. We appreciate the community’s efforts in creating a more secure ecosystem for all.
lease note: Please report any security vulnerabilities to security@annexcloud.com or Contact Us. We ask that you do not share or publicize any vulnerabilities submitted or directly through the bug bounty program platform.
Organizational security
All employees receive security, privacy, and compliance training the moment they start. Though the extent of involvement may vary by role, security is everybody’s responsibility at Annex Cloud. This commitment to security extends to our executives. Our security programs drive executive alignment across our organization and ensure that security awareness and initiatives permeate throughout our organization.
Architectural security
Data encryption
Annex Cloud uses the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits to keep the data secure at rest. Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering or message forgery. Annex Cloud encrypts file-based integrations using either PGP or a public/private key pair generated by Annex Cloud, based on a customer-generated certificate. The Annex Cloud API and REST API integrations support JWT token authentication.
Logical security
Annex Cloud enforces role-based security access, supporting both SAML for single sign-on and native login options.
Single-sign-on support
SAML allows for a seamless, single-sign-on experience between the customer’s internal web portal and Annex Cloud. After logging in to their company’s internal web portal with their enterprise username and password, customers automatically receive access to Annex Cloud through a provided link, eliminating the need for a separate login. Annex Cloud also supports Azure SSO, Ping Identity and any SAML2.0 compliant SSO and identity management service.
Annex Cloud native login
For customers who wish to use our native login, Annex Cloud only stores our Annex Cloud password in the form of a secure hash as opposed to the password itself. Annex Cloud logs all login attempts, successful or unsuccessful, alongside logout activity, for audit purposes. Customers can configure the time after which inactive user sessions automatically time out. Customer configurable password rules include length, complexity, expiration and forgotten password challenge questions.
Operational security
Annex Cloud security access is role-based, supporting SAML for single sign-on, and native Annex Cloud login.
Physical security
Annex Cloud actively hosts its applications in state-of-the-art cloud centers specifically designed to protect mission-critical computer systems. These centers utilize fully redundant subsystems and compartmentalized security zones for enhanced protection.
Annex Cloud actively manages and hosts its platform across multiple regions around the world in a cloud environment. These cloud platforms handle physical and infrastructure using top-notch security and compliance standards. They’re designed with no single point of infrastructure failure.
The compliance standards our cloud provider meets include:
- ISO 27001 & ISO 27018
- SOC1, SOC2, SOC3
- FedRAMP
- HITRUST
Production resources containing customer data are only accessible by authorized Annex Cloud personnel, no wireless networks are used in production, and the production networks require multi-factor VPN for all administrative access.
Network security
Annex Cloud has established detailed operating policies, procedures and processes designed to help manage the overall quality and integrity of the Annex Cloud environment. We’ve also implemented proactive security procedures, such as perimeter defense and network intrusion prevention systems (IPSs) using SIEM vendors.
Network IPSs monitor critical network segments for atypical network patterns in the customer environment as well as traffic between tiers and service.
We also maintain a global Security Operations Center 24/7/365.
- Server security includes vulnerability testing, virus scans, File Integrity Monitoring
- SIEM in place for continuous logging
- SOC team in place for continuous monitoring
- Incident response processes in place
Application security
Annex Cloud has implemented an enterprise Secure Software Development Life Cycle (SSDLC) to help ensure the continued security of Annex Cloud applications.
This program includes an in-depth risk assessment and review of Annex Cloud features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
- Application security is a core focus—A full S-SDLC process is in place with SAST and DAST
- Regular manual penetration testing for all endpoints
- Web Application Firewall (WAF) with the latest modsec and OWASP rules
Role-based access control
Role-based access control (RBAC) limits access to data stored in the cloud based on the roles of users within a company. RBAC provides employees with access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them. An employee’s role in an organization determines the permissions that an individual is granted and ensures that lower-level employees can’t access sensitive information or perform high-level tasks. In the role-based access control data model, roles are based on several factors, including authorization responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to SaaS software can be limited to specific tasks, such as the ability to view, create or modify data.
There are several benefits to using RBAC to restrict unnecessary access based on people’s roles within an organization, including:
- Improving operational efficiency
- Enhancing compliance
- Giving administrators increased visibility
- Decreasing the risk of breaches and data leakage
Vulnerability assessments
Annex Cloud contracts with third-party expert firms to conduct independent internal and external network, system and application vulnerability assessments.
Application
We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our applications. The firm performs testing to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:
- Weaknesses associated with Flash, Flex, AJAX and ActionScript
- Cross-site request forgery (CSRF)
- Improper input handling (such as cross-site scripting, SQL injection, XML injection and cross-site flashing)
- XML and SOAP attacks
- Weak-session management
- Data validation flaws and data model constraint inconsistencies
- Insufficient authentication or authorization
- HTTP response splitting
- Misuse of SSL/TLS
- Use of unsafe HTTP methods
- Misuse of cryptography
Network
External vulnerability assessments scan all internet-facing assets, including firewalls, routers and web servers for potential weaknesses that could allow unauthorized access to the network. In addition, an authenticated internal vulnerability network and system assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.
