In this article we answer common questions about FlexRule's product and data security compliance.
Note that most of the security standards asked about below do not apply to FlexRule, since FlexRule is not a SaaS provider.
Information Security & Compliance
| Question | Answer |
|---|---|
| Do you provide tenants with documentation describing your Information Security Management Program (ISMP)? | Not Applicable |
| Do your information security and privacy policies align with industry standards such as ISO 27001, ISO 22307, COBIT, Information Security Regulation (ISR), ADSIC, NESA and so forth? | Not Applicable |
| Do you have documented information security baselines for every component of your infrastructure (e.g. hypervisors, operating systems, routers, DNS servers, and so on)? | Not Applicable |
| Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines? | Not Applicable |
| Do you document how you grant and approve access to tenant data? | Not Applicable |
| If users are found to have inappropriate entitlements, are all remediation and certification actions recorded? | Not Applicable |
| Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data? | Not Applicable |
| Do you have a capability to allow creation of unique encryption keys per tenant? | Not Applicable |
| Do you encrypt tenant data at rest (on disk/storage) within your environment? Do you also provide encryption for data in motion and, if so, what is the grade/type of encryption deployed? | Not Applicable |
| Does your security information and event management (SIEM) system merge data sources (application logs, firewall logs, IDS logs, physical access logs, and so forth) for granular analysis and alerting? | Not Applicable |
| Is your Privacy Policy aligned with industry standards? | Not Applicable |
| Are controls in place to prevent unauthorized access to your application, program or object source code, ensuring it is restricted to authorized personnel only? | Yes. Users require a valid login to use FlexRule. |
| Are policies and procedures established and mechanisms implemented to protect the network environment perimeter and configured to restrict unauthorized traffic? | Not Applicable |
| Will you blacklist or block a malicious user who tries to brute-force the customer through your cloud, if cloud identities are used? | Not Applicable |
| Do you produce audit assertions using a structured, industry-accepted format that is viewable by customers? | Not Applicable |
| Do you conduct network/application/internal/external penetration tests of your cloud service infrastructure regularly, as prescribed by industry best practices and guidance? | Not Applicable |
| Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations? | Not Applicable |
| Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? | Not Applicable |
| Do you have policies and procedures in place describing what controls you have in place to protect tenants' intellectual property? | Not Applicable |
| Does your solution/platform support end-user key management? | Not Applicable |
Ownership and Security
| Question | Answer |
|---|---|
| Who has ownership of the data that we might hold in your systems? | FlexRule does not hold data in the system. |
| If your platform is a multi-tenant architecture, describe how you ensure that no data bleed happens between companies on your systems. | Not Applicable |
| Describe the granularity of roles and the level of access each role has. | Different access levels can be defined for users. See https://resource.flexrule.com/article-categories/access-permissions/ |
| What is your security model for both application access and the database? | Not Applicable |
| Describe your audit capability in terms of user and data activity. | Not Applicable |
| Can you restrict access to certain audit and logging views to certain users/user groups? | Different access levels can be defined for users. See https://resource.flexrule.com/article-categories/access-permissions/ |
| What is the retention period for audit/activity logging? | Not Applicable |
| What is the retention period for collaboration data? | Not Applicable |
| What is the data allowance comprised of (i.e. audit, collaboration, data, activity, logging)? | Not Applicable |
| Can we select/configure the physical data center location where our data is held? For example, to meet US data regulations? | Not Applicable |
| Describe any support you have for single sign-on. | FlexRule does not support single sign-on. |
| Do you support native synchronized in-app user/group provisioning (through API or built-in engines), or is additional customization required? | Not Applicable |
| Does the system support two-part authentication (e.g. SAML) and the use of RSA SecurID tokens or equivalent for access from outside our company's internal networks? | Not Applicable |
| Users of the system will be in our company's Okta single sign-on; describe how you will authenticate users. | Not Applicable |
| How does your software support multiple user directories or IdPs? | Not Applicable |
| Is any role-based security capability Lightweight Directory Access Protocol (LDAP) compliant, to enable control and management of our company directories? | Not Applicable |
| How might the system automatically suspend/remove accounts based on removal from our company directories? | Not Applicable |
| How can a user be set up and assigned various access rights? | In FlexRule Server you can define access for different roles; see https://resource.flexrule.com/knowledge-base/set-the-ownership-of-package/ and https://resource.flexrule.com/knowledge-base/roles/ |
| What are your authentication approaches? | User login with credentials. |
| How can access to a private network be restricted? | Not Applicable |
| How do you restrict access to certain content or functional areas to certain roles? | In FlexRule Server you can define access for different roles; see https://resource.flexrule.com/knowledge-base/set-the-ownership-of-package/ and https://resource.flexrule.com/knowledge-base/roles/ |
| What security accreditations do you hold as a cloud-based platform? | Users require a username and password, along with a valid license, to access any product; the license is an annual subscription. |
| What quality accreditation do you have? | Not Applicable |
| Can we carry out periodic penetration/performance/benchmark testing? | Not Applicable |
| Is your site OWASP (Open Web Application Security Project) compliant, and what measures do you take against malicious attacks (denial of service, cross-site scripting and so forth)? | Not Applicable |
| Are there any limitations on the number of organizations/users we could set up within your system? | Not Applicable |
| Is access to the cloud service encrypted (user and API)? | Not Applicable |
Reporting Vulnerabilities
You can contact us via support@flexrule.com.