Organization Security

We have implemented an Information Security Management System (ISMS) that takes into account our security objectives, as well as the risks and their mitigation for all stakeholders. We make use of stringent policies and procedures that include the security, availability, processing, integrity, and confidentiality of customer data.

Background Checks on Employees and Collaborators

Every employee or collaborator is subject to a background check, which reputable external agencies carry out on our behalf. The check verifies criminal records, past employment history (if any) and educational qualifications. Until it is complete, the employee or collaborator is not assigned tasks that could pose a risk to users.

Security Awareness

Upon hiring, every employee or associate signs a confidentiality agreement and an acceptable use policy, then takes training on information security, privacy and compliance. We assess what they have learned through tests and quizzes to determine which topics need further study, and we provide role-specific training on the aspects of security an employee or associate needs for their work. Training in information security, privacy and compliance continues within our internal community, which employees and associates regularly consult for updates on the organization's security practices. We also organize internal events to raise awareness and promote innovation in security and privacy.

Dedicated Security and Privacy Teams

We have dedicated teams for security and privacy that implement and manage our security and privacy programs. These teams design and manage our defense systems, develop security review processes, and constantly monitor our networks to detect suspicious activities. They provide domain-specific consulting services and guidelines to our design teams.

Internal Audit and Compliance

We have a dedicated compliance team that reviews the procedures and policies adopted by Framework360 in order to align them with standards and determine what controls, processes, and systems are necessary to meet these standards. This team also conducts periodic internal audits and facilitates independent checks and assessments by third parties. For more details, please consult our compliance portfolio.

Endpoint Security

All workstations provided to employees and collaborators run an up-to-date operating system and antivirus software. They are configured to comply with our security standards, which require every workstation to be correctly set up, fully patched and monitored by Framework360's endpoint management solutions. These workstations are secure by default: they encrypt data at rest, require complex passwords and lock automatically when idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.

Physical Security in the Workplace

We control access to our resources (buildings, infrastructure and facilities), including their entry and use, through access cards. Employees, contractors, suppliers and visitors receive different access cards that grant entry only for the specific purposes for which access to the facility is needed. The Human Resources team defines and manages those purposes for each role. We keep access logs to identify and resolve anomalies.

Monitoring

We monitor all entries and exits at all our locations, across all our business centers and data centers, through closed-circuit cameras placed in compliance with local regulations. Footage is retained for a period that depends on the specific requirements of the facility.

Infrastructure Security

Network Security

Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. We use firewalls to block unauthorized access to our network and unwanted traffic. Our systems are divided into separate networks to protect sensitive data; the systems supporting testing and development are hosted on a network separate from the one supporting Framework360's production infrastructure. Firewall access is monitored on a rigorous, regular schedule: a network technician reviews all changes made to the firewall every day, and every three months the changes are analyzed to review and update the rules. The dedicated team at our Network Operations Center monitors the infrastructure and applications for discrepancies or suspicious activity. All critical parameters are continuously monitored through our proprietary tool, which triggers notifications on any abnormal or suspicious activity in our production environment.

Network Redundancy

All components of our platform are redundant. We use a distributed network architecture to protect our systems and services from server failures: if a server fails, users can continue working as usual because their data and the Framework360 services remain available. We also use multiple switches, routers and security gateways to provide device-level redundancy, avoiding single points of failure in the internal network.

DDoS Attack Prevention

We employ technologies from established and reliable service providers to prevent DDoS attacks on our servers. These technologies provide multiple DDoS mitigation functions that avert disruption from malicious traffic while letting legitimate traffic through. As a result, our websites, applications and APIs remain available and performant at all times.

Advanced Server Protection

All servers provisioned for development and testing are hardened (unused ports and accounts disabled, default passwords removed, and so on). The base operating system (OS) image has this hardening built in, and the same image is deployed to every server to ensure consistency across servers.

Intrusion Detection and Prevention

Our intrusion detection mechanism collects host-based signals from individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands and system calls are logged on all servers in our production network. Rules and machine intelligence applied to these data alert security technicians to potential incidents. At the application level, our proprietary WAF operates on whitelist and blacklist rules. At the Internet Service Provider (ISP) level, a multilayered approach combining scrubbing, network routing, rate limiting and filtering counters attacks at every layer, from network to application. This system ensures clean traffic, a reliable proxy service and immediate reporting of any attack.

Data Security

Security by Design

All changes and new features are governed by a change management policy, so that every modification to an application is authorized before it is deployed to the production environment. Our Software Development Life Cycle (SDLC) mandates compliance with secure coding guidelines and screening of code changes for potential security issues with our code analysis tools, vulnerability scanners and manual review processes. Our security framework, based on OWASP standards and implemented at the application level, provides functions to mitigate threats such as SQL injection, Cross-Site Scripting and application-level DoS attacks.

Data Isolation

Our framework distributes and maintains cloud space for our customers. The support data of each customer is logically separated from other customers' data using a series of secure protocols within the framework. This ensures that none of the support-related data will be accessible to another customer. Support-related data is stored on our servers when you use our services. Your data is your property and not that of Marketing Studio. We do not share this data with third parties without your consent.

Cryptography

In Transit: all customer data transmitted to our servers over public networks is protected by strict encryption protocols. We enforce Transport Layer Security (TLS 1.2/1.3) with strong encryption keys for all connections to our servers, including web access, API access, mobile app access and IMAP/POP/SMTP email client access. This secures the connection by authenticating both parties and encrypting the data in transit. For email, our services use opportunistic TLS by default: where the peer mail server supports it, TLS encrypts messages in transit and reduces the risk of interception between mail servers. Our encrypted connections fully support Perfect Forward Secrecy (PFS), so that even if a key were compromised in the future, previously recorded communications could not be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header on all our web connections, which instructs modern browsers to connect to us only over an encrypted connection, even if an unsecured URL for our site is entered. Furthermore, all our web authentication cookies are marked Secure.
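As an added illustration of the transport-side controls just described (the HSTS header on every HTTPS response, the Secure flag on authentication cookies, and never issuing a session over plain HTTP), here is a small Go net/http middleware with a self-check built on httptest. This is example code written for this page, not Framework360's own implementation; the one-year max-age value, the host example.invalid, the cookie name and the extra HttpOnly/SameSite flags are assumptions not taken from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// hstsValue is sent on every HTTPS response: one year, subdomains included.
// The max-age is an assumption for this example, not a value taken from the page.
const hstsValue = "max-age=31536000; includeSubDomains"

// enforceTLS redirects any request that did not arrive over TLS to its HTTPS
// counterpart, and stamps the HSTS header on every response that did.
func enforceTLS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := "https://" + r.Host + r.URL.RequestURI()
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

// newSessionCookie builds an authentication cookie that browsers only send over
// HTTPS (Secure). HttpOnly and SameSite are extra hardening not mentioned on the page.
func newSessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// loginHandler stands in for a real login endpoint; it issues the session cookie.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, newSessionCookie("constructed-session-id")) // constructed value
	fmt.Fprintln(w, "logged in")
}

// CheckHTTPS sends a TLS request through the middleware and reports whether
// the HSTS header and a Secure+HttpOnly session cookie were both present.
func CheckHTTPS() (hstsSet bool, cookieSecure bool) {
	h := enforceTLS(http.HandlerFunc(loginHandler))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "https://example.invalid/login", nil))
	res := rec.Result()
	hstsSet = res.Header.Get("Strict-Transport-Security") == hstsValue
	for _, c := range res.Cookies() {
		if c.Name == "session" && c.Secure && c.HttpOnly {
			cookieSecure = true
		}
	}
	return hstsSet, cookieSecure
}

// CheckPlainHTTP sends a cleartext request and returns the status code, the
// Location header and the number of cookies set, showing that no session is
// ever issued over plain HTTP.
func CheckPlainHTTP() (status int, location string, cookies int) {
	h := enforceTLS(http.HandlerFunc(loginHandler))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "http://example.invalid/login", nil))
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Location"), len(res.Cookies())
}

func main() {
	hsts, secure := CheckHTTPS()
	fmt.Printf("HTTPS: HSTS set=%v, secure cookie=%v\n", hsts, secure)
	status, loc, n := CheckPlainHTTP()
	fmt.Printf("HTTP: status=%d redirect=%s cookies=%d\n", status, loc, n)
}
```

The redirect only matters for a client that has not yet seen the HSTS header; once it has, a browser rewrites http:// URLs for the site to https:// itself, which is the behaviour the page describes.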

At Rest: customers' sensitive data at rest is encrypted with the Advanced Encryption Standard (AES) using 256-bit keys. Which data is encrypted at rest varies with the services you choose. We own and manage the keys through our in-house Key Management Service (KMS), and add a further layer of security by encrypting the data encryption keys with master keys. Master keys and data encryption keys are physically separated and stored on different servers with restricted access.

Data Retention and Disposal

We retain data in your Framework360 account for the duration that you choose to use Framework360. After you close your Framework360 user account, your data will be deleted from the active database during the next cleanup, which occurs once every 6 months. Data deleted from the active database will be removed from backups after 1 month. A verified and authorized provider carries out the disposal of unusable devices. Until then, we will classify them and store them in a secure location. Any information contained within the devices is wiped before disposal.

Vulnerability Management

We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and internal tools, with both automated activity and manual penetration testing. Our security team also reviews incoming security reports and monitors public mailing lists, blog posts and wikis to identify security incidents that could affect the corporate infrastructure. When a vulnerability requiring action is identified, it is logged, assigned a priority based on severity, and assigned an owner. We then identify the associated risks and track the vulnerability until it is resolved, applying patches or other relevant controls to the vulnerable systems.

Protection from Malware and Spam

We scan all user files with our automated scanning system, designed to prevent the spread of malware within the Framework360 ecosystem. Our custom anti-malware engine receives periodic updates from external threat intelligence sources and scans files for blacklisted signatures and dangerous patterns. Moreover, our proprietary detection engine, in combination with machine learning techniques, ensures the protection of customer data against malware. Framework360 supports the DMARC protocol (Domain-based Message Authentication, Reporting, and Conformance) as a method to combat spam. DMARC utilizes SPF and DKIM to verify that messages are authentic. We also use our proprietary detection engine to identify misuse of Framework360 services, such as phishing activities and spam. Additionally, we have a dedicated anti-spam team for monitoring signals from the software and managing abuse complaints.

Backup

We perform daily incremental backups and weekly full backups of our databases for the Framework360 data centers (DC). Backup data in the DC is stored in the same location and encrypted with the 256-bit AES algorithm. Data is archived in tar.gz format. All backup data is retained for 1 month. If a customer requests data restoration within the retention period, we restore the data and make it available with secure access; the time needed depends on the size and complexity of the data. To protect backup data, the backup servers use a redundant array of independent disks (RAID). All backups are scheduled and monitored regularly; if a backup fails, a new run is started and the issue is resolved immediately. We strongly recommend that you also schedule regular backups of your own data by exporting it from the respective Framework360 services and storing it within your own infrastructure.

Emergency Recovery and Service Continuity

Application data is stored on a resilient storage system replicated across data centers. Data in the primary DC is replicated to the secondary one in near real time; if the primary DC fails, the secondary takes over and operations continue with minimal or no downtime. Both centers are served by multiple ISPs and have backup power, temperature control, fire prevention and physical safeguards to ensure business continuity. These measures help us guarantee resilience. Beyond data redundancy, we maintain a business continuity plan for core operations such as support and infrastructure management.

Incident Management

Reporting

We have a dedicated team for incident management. We inform you about incidents in our environment that affect you, indicating actions you might need to take. We monitor and resolve incidents with appropriate corrective actions. If applicable, we commit to identifying, collecting, acquiring, and providing the necessary evidence in the form of application logs and checks for incidents that concern you. Furthermore, we implement controls to prevent similar situations from recurring. We respond with the highest priority to security or privacy incidents reported by users at assistenza@marketingstudio.it. In case of generic incidents, we will notify users through our blogs, forums, and social media channels. For specific incidents involving an individual user or organization, we will notify the concerned party via email (using their main email address or the organization's administrator email registered on our system).

Data Breach Notification

As data controllers, we notify the competent data protection authority of a breach within 72 hours of its detection, in accordance with the General Data Protection Regulation (GDPR). Depending on specific requirements, we also inform customers if necessary. As data processors, we inform the concerned data controllers without undue delay.

Management of Suppliers and Third-Party Providers

We evaluate and qualify our suppliers according to our supplier management policy. We integrate new suppliers after understanding their service delivery processes and performing risk assessments. We take appropriate measures to ensure the maintenance of our security posture by establishing agreements that require suppliers to comply with confidentiality, availability, and integrity commitments we have made to our customers. We monitor the actual functioning of organizational processes and security measures by conducting periodic reviews of controls.

Customer Security Controls

So far, we have described what we do to ensure our customers' security on various fronts. Below are the things you as a customer can do to keep your account secure:

  • Choose a unique complex password and protect it.
  • Use multi-factor authentication.
  • Utilize the latest versions of browsers and mobile operating systems and updated mobile apps, to ensure that patches for protection against vulnerabilities are applied and the most recent security features are used.
  • Take reasonable precautions when sharing data from our cloud environment.
  • Classify your information as personal or sensitive data and label them accordingly.
  • Monitor devices connected to your account, active web sessions, and third-party access to detect anomalies in your account activities and manage corresponding roles and privileges.
  • Be aware of phishing and malware threats: be wary of unknown email addresses, websites and links that could try to obtain your sensitive information by masquerading as Framework360 or other services you trust.

Conclusion

The security of your data is your right and an endless mission for Marketing Studio. We will continue to work hard to keep your data safe, as we have always done. For further questions on this topic, please write to us at assistenza@marketingstudio.it.