Cloud Security and Privacy Policy

We know that security and privacy are a major concern for businesses today.

That is why at ServiceTonic we take this issue very seriously. We implement a security system based on different layers to offer our customers the maximum security and privacy guarantees in our Cloud service, with a historical availability greater than 99.95%.


How do we secure your data?

Our technical infrastructure is hosted at ISO 27001 certified data centers from Azure and Hetzner, both employing leading physical, logical and environmental security measures, resulting in highly resilient infrastructure. For more information about their data centers, see below:

https://azure.microsoft.com/en-us/global-infrastructure/

https://www.hetzner.com/unternehmen/rechenzentrum/


Application Security

ServiceTonic implements a security-oriented design in multiple layers, one of which is the application layer. 

The application is developed with security in mind from its design and through all the development processes, including static code analysis, vulnerability assessment, end-to-end testing, unit testing which addresses authorization aspects, and more. ServiceTonic developers go through periodic security training to keep them up-to-date with secure development best practices.


Infrastructure Security

Another layer of security is the infrastructure. As stated, ServiceTonic cloud infrastructure is hosted at highly resilient data centers from Azure and Hetzner. Furthermore, our infrastructure is protected using multiple layers of defense mechanisms, including:

  • Firewalls for enforcing IP whitelisting and access through permitted ports only to network resources
  • A web application firewall (WAF) for content-based dynamic attack blocking
  • DDoS mitigation and rate-limiting
  • NIDS sensors for early attack detection
  • Advanced routing configuration
  • Comprehensive logging of network traffic, both internal and edge

Data Encryption

ServiceTonic encrypts all data both in transit and at rest:

  • Traffic is encrypted using TLS 1.2
  • User data is encrypted at rest across our infrastructure using AES-256 or better
  • All credentials are hashed using a modern hash function

External Security Audits and Penetration Tests

Independent third-party assessments are crucial in order to get an accurate, unbiased understanding of your security posture. ServiceTonic conducts penetration tests on an annual basis using independent auditors.


Physical Security

No part of the ServiceTonic cloud infrastructure is retained on-premises, and our employees do not have physical access to the infrastructure.

ServiceTonic data centers are hosted on Azure and Hetzner infrastructure, where leading physical security measures are employed.


Disaster Recovery and Backups

ServiceTonic is committed to providing continuous and uninterrupted service to all its customers. We back up user data every day and keep our backups for 30 days. All backups are encrypted and distributed to various locations.

Our Disaster Recovery Plan is tested at least twice a year to assess its effectiveness and to keep the teams aligned with their responsibilities in case of a service interruption.


24x7x365 Monitoring

ServiceTonic cloud infrastructure is constantly monitored, and we are alerted to any issue before it becomes a problem for our customers, helping keep our systems running and maintain our availability over 99.95%.


Security Awareness and Training

ServiceTonic understands that its security is dependent on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided at least on a yearly basis. Additionally, all employees must sign our internal security policy.


Access Control

We know the data you upload to ServiceTonic is private and confidential. We regularly conduct user access reviews to ensure appropriate permissions are in place, in accordance with the least privilege principle. Employees have their access rights promptly modified upon change in employment.