How Secure is your data?

At SyncEzy, we take security very seriously – just ask the hundreds of companies that trust us with their integration processes. The highest information security and privacy standards are part of our product and our company’s integrity:

1. Compliance Certifications and Memberships:

We use best practices and industry standards to comply with industry-accepted general security and privacy frameworks, helping our customers meet their compliance standards.

2. Integrating with the best security standards and practices in the industry:

SyncEzy constantly invests in protecting your data. We put security measures in place and maintain policies and procedures to comply with required data security standards. We continue to take all the measures needed to improve our information security level. SyncEzy is SOC2 Type 2 certified.

3. Complete control over role-based segregated data:

We only access your data for the explicit purpose of providing support to your users. We consciously limit the amount of data stored by SyncEzy to the bare minimum that is required to provide the integration service. Depending on the integration, this is done by storing just the IDs of records and the metadata instead of actual files and content, stripping PII from employee tables, storing just IDs and names, and other such means.

4. Information We Collect

SyncEzy will not sell or rent to any third party any of the personal information or data that you provide to us. SyncEzy uses the Personal Data you provide in a manner that is consistent with this Privacy Policy. If you provide Personal Data for a certain reason, we may use the Personal Data in connection with the reason for which it was provided. For instance, if you contact us by email, we will use the Personal Data you provide to answer your question or resolve your problem. Also, if you provide Personal Data in order to obtain access to the SyncEzy Services, we will use your Personal Data to provide you with access to such services and to monitor your use of such services. SyncEzy and its subsidiaries and affiliates (the “SyncEzy Related Companies”) may also use your Personal Data and other personally non-identifiable information collected through the Services to help us improve the content and functionality of the Services, to better understand our users and to improve the SyncEzy Services. SyncEzy and its affiliates may use this information to contact you in the future to tell you about services we believe will be of interest to you. If we do so, each communication we send you will contain instructions permitting you to “opt-out” of receiving future communications. In addition, if at any time you wish not to receive any future communications or you wish to have your name deleted from our mailing lists, please contact us as indicated below.

If SyncEzy intends to use any Personal Data in any manner that is not consistent with this Privacy Policy, you will be informed of such anticipated use prior to or at the time at which the Personal Data is collected.

Google OAuth Data: We use the user’s email address and Google ID for authentication purposes and the user’s full name to map the user’s profile and display it on the user’s account on our website. We may use the user’s email address without further consent for non-marketing or administrative purposes (such as notifying you of major system updates, customer service needs, or items for which you have requested communication).

What is SyncEzy doing to meet security standards?

As a SaaS company, we work tirelessly to meet the ideal security standards to protect our customers from security vulnerabilities.

Security compliance
  • SOC 2 Type I: We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and subject to a signed NDA.
  • Industry Best Practices: We build integrations to industry best practice.

What kind of certificates and resources are available to me?

Our certificates and resources are available upon request. Some of these assets may require an NDA. All options are below:

Resources subject to an NDA
  • SOC 2 Type II Report
  • Penetration Test Summary

Who can access my data?

We should look at two types of parties that can get access to your data:

You and your staff – your staff will have access to the data per data access credentials that you will provide them. You can control who can view, edit, upload and download any information or document based on his/her role credentials. This is managed from within the SyncEzy portal. We have options to sign on using Google or Microsoft.

A very limited number of periodically trained, authorized senior SyncEzy personnel (Development Teams) can gain access to your data. This is only done on an as-needed basis based on your support requests. Any SyncEzy team member doing so has signed all the relevant contracts and NDAs and is bound to restrict access only for support purposes.

Is my data backed up?

Our data centers back up all the integration data in our platforms at intervals ranging from hourly to at least once a day. The data is fully restorable for disaster recovery purposes. However, we recommend periodically backing up your data in your individual applications.

Why, Where and how is my data stored and secured?

1. Facilities

SyncEzy hosts data and compute primarily in AWS data centres that have been certified as SOC 2 compliant. Learn more about compliance at AWS.

AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and, ultimately, your data. Learn more about Data Center Controls at AWS.

2. On-Site Security

AWS on-site security includes several features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about AWS physical security.

3. Data Hosting Location

SyncEzy uses AWS data centres in Australia (Sydney main) and Australia/Melbourne & Singapore (backup).

All customer data stored in our integration platform is deleted 30 days after the integration has been cancelled.

What type of network security do you have?

SyncEzy protects your data with a secure network and multiple other security protection and technology measures, including:

1. Dedicated Security Team

Our globally distributed security team is on call 24/7 to respond to security alerts and events.

2. Protection

Our network is protected using key AWS security services, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

3. Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones.

4. Network Vulnerability Scanning

Network security scanning gives us deep insight so we can quickly identify out-of-compliance or potentially vulnerable systems.

5. Third-Party Penetration Tests

In addition to our extensive continuous internal vulnerability scanning and testing program done each year, SyncEzy works with third-party security platforms to perform a broad penetration test across the SyncEzy production and corporate networks.

6. Security Incident Event Management

Our Security Incident Event Management (SIEM) system gathers extensive logs from essential network devices and host systems. The SIEM alerts on triggers that notify the security team based on correlated events for investigation and response.

7. Intrusion Detection and Prevention

The SyncEzy application ingress and egress points are instrumented and monitored to detect anomalous behaviour. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

8. Threat Intelligence Program

SyncEzy participates in many threat intelligence-sharing programs. We monitor threats posted to these networks and act based on risk.

9. Logical Access

Access to the SyncEzy production network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Technical Team. Employees accessing the SyncEzy production network are required to use multiple factors of authentication and use enterprise Single Sign On.

10. Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing operations, network engineering, and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Tell me about encryption

1. Encryption in Transit

All communications with SyncEzy UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and SyncEzy is secure during transit.

2. Encryption at Rest

SyncEzy databases, compute and storage are encrypted at rest in AWS using AES-256 key encryption. In general, our data encryption has two layers:

  • DB at rest – based on RDS data encryption using KMS AES256
  • Application layer – all financial and salary data is encrypted using KMS AES256

Only a select few people have access to the database and the KMS for maintenance purposes and, of course, are bound by extreme legal and security safeguards (such as confidentiality and non-disclosure provisions, permission management, etc.).

Do you provide availability and continuity?

1. Disaster Recovery

Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing activities. Our DR location is AWS Singapore.

How do you protect the SyncEzy application?

Secure Code Training (SDLC)

1. Secure Code Training

Annually, engineers participate in secure code training covering OWASP’s top 10 security risks, common attack vectors, and SyncEzy security controls.

2. Framework Security Controls

SyncEzy leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP’s top 10 security risks. These inherent controls reduce the exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.

3. Separate Environments

Testing and staging environments are logically separated from the production environment. No customer data is used in our development or test environments.

4. Vulnerability Management: Dynamic Vulnerability Scanning

We employ third-party security tooling to continuously scan our core applications against OWASP’s top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

5. Static Code Analysis

The source code repositories for our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.

6. Third-Party Penetration Testing

In addition to our extensive internal scanning and testing program, SyncEzy employs third-party security experts to perform detailed penetration tests on different applications within our family of products.

What other security measures do you have in place?

Here are some of the additional security measures we use:

1. Authentication Options

Customers can enable native SyncEzy authentication and/or Federated SSO for end-user authentication.

2. 2-Factor Authentication (2FA)

SyncEzy recommends integrating with enterprise SSO 2-factor (2FA) authentication.

3. Role-Based Access Controls

Access to data within SyncEzy applications is governed by role-based access control (RBAC) and can be configured by the SyncEzy Portal user admin to define granular access privileges as needed.

Security Awareness

1. Policies

SyncEzy has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to SyncEzy information assets.

2. Training

All employees attend security awareness training sessions which are given upon hiring and annually after that. All engineers receive additional sessions for secure code training. The security team provides further security awareness updates via email, blog posts, and presentations during internal events.

What do you do about employee vetting?

1. Reference Checks

SyncEzy performs reference checks on all new employees per local laws.

2. Identity Checks

SyncEzy performs pre-onboarding and identity checks and stores relevant documentation on all employees per local laws.

3. Confidentiality Agreements

All new hires and contractors are required to sign Non-Disclosure and Confidentiality Agreements.

4. Conclusion

Security of your data is your right and a never-ending mission of SyncEzy. We will continue to work hard to keep your data secure, like we always have. For any further queries on this topic, take a look at our FAQs or write to us at it[email protected].
