Version 15.06.2023
This document summarizes the measures taken by Izix to ensure the security of our clients’ data.
Izix servers are hosted on AWS at SOC 2 Type II- and ISO 27001-compliant facilities located within the borders of the European Union. In addition, the data center facilities are powered by redundant power, each with UPS and backup generators. Furthermore, hosting providers have no access to customer data.
Our data center facilities are secured with a perimeter of multi-level security zones, 24/7 manned security, and CCTV video surveillance. In addition, they're secured via multifactor identification with biometric access control, physical locks, and security breach alarms.
An automatic monitoring system is in place to continuously check the state of the services, sending alerts to the appropriate personnel at Izix when necessary. Physical security, power, and internet connectivity are monitored by the facilities providers.
Our network is protected by redundant firewalls, secure HTTPS transport over public networks, regular audits, and Intrusion Detection Systems (IDS) which monitor and/or block malicious traffic and network attacks.
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones, which are not accessible from the public internet. Data transferred between Izix servers uses a private network.
In addition to our extensive internal scanning and testing program, penetration tests are performed on a yearly basis.
Access to the Izix production network is restricted on an explicit need-to-know basis, following the principle of least privilege. It is audited and monitored frequently, and controlled by our Management Team. Employees accessing the Izix production servers are required to use multiple factors of authentication where supported.
In case of a system alert, events are escalated to our 24/7 teams. Employees are trained on security incident response processes, including communication channels and escalation paths.
Communications between you and Izix servers are encrypted via industry best practices: HTTPS and Transport Layer Security (TLS) over public networks.
The hard disks of all servers are encrypted.
Izix employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime ensures customer data is actively replicated across geographically distinct data centers.
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished by building a robust technical environment and creating disaster recovery plans that are continuously updated and tested.
Engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Izix security controls.
Our dedicated QA engineers test all software developments using automated and manual tests before roll-out to production.
Testing and staging environments are separated both physically and logically from the production environment.
Patches and updates to systems occur as needed.
The source code repositories are continuously scanned for security issues via our integrated static analysis tool.
Application security is also part of the annual penetration tests conducted by third-party experts.
Izix offers authentication options including username and password, and SSO via OAuth and SAML 2.0. The aim is to make Izix compatible with most SSO portals. APIs and remote systems can also connect using OAuth 2.0.
When it comes to secure credential storage, Izix follows best practice by storing credentials in a password management system.
The Izix API is SSL/TLS-only. Users must be verified users to make API requests. API access and authentication are possible via OAuth 2.0 protocols.
Access to data within Izix is governed by access rights and can be configured to define granular access privileges. Izix has various permission levels for users (e.g. Admin, Reception, Security, Assistants, etc.).
All communications with Izix servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and Izix remains secure during transit.
Logical segmentation of customer data is enforced at code level.
Izix acts as a data processor in the context of the GDPR. This means that Izix does not own any user data and does not retain the right to use personal data for any purpose other than the service provided by the Izix application. Izix is only entitled to collect personal data in the strict context of the service. Users or admins can delete profiles at any point in time, which will delete any personal data and anonymize any statistical data. You can read more about this topic in the Izix DPA and Privacy Policy. Databases are purged of outdated personal data regularly.
Audit trails recording the time of each change and the user responsible for it are in place for critical objects.
Izix carefully selects its third-party data subprocessors and reviews them regularly. All such processors are contractually bound by Izix to keep customer data confidential.
Izix takes the sensitivity of your personal data seriously. We strive to follow all recommendations and operational measures reasonably possible to be and remain in full GDPR compliance.
SecurityScorecard is an information security company that collects, attributes, and scores the overall health of enterprise cybersecurity through the identification of exposed vulnerabilities on corporate digital assets discovered on the public internet. Izix's score is A.
Our API and application endpoints are TLS/SSL-only. This means communications between you and Izix servers are encrypted via industry best practices: HTTPS and Transport Layer Security (TLS) over public networks.
Izix has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to all employees and contractors with access to Izix information assets.
Izix performs background checks on all new employees in accordance with local laws. Criminal background checks are a part of these employee background checks. All newly hired employees are screened through the hiring process and required to sign Non-Disclosure and Confidentiality Agreements.