This document outlines Syncari’s approach to security and compliance for our Cognitive Synchronization Platform. The Syncari technology allows businesses to organize, cleanse, and synchronize data across the enterprise. Within Syncari’s Nucleus, we use machine learning to deliver data quality improvements through enhanced merging, deduplication, data correction, and conflict resolution algorithms.
The purpose of this whitepaper is to describe our current security posture and share how we are continually improving our security practices. It also describes the organizational and technical controls Syncari uses to protect our customers’ data.
Syncari has created a vibrant and inclusive security culture for all employees. The influence of this security-minded culture is apparent from the time an employee is onboarded and extends to ongoing awareness and training.
Before we invite anyone to join our staff, we verify their previous employment, and we perform internal and external reference checks. Where local labor law or statutory regulations permit, Syncari may also conduct criminal, credit, and security checks. The extent of these background checks is dependent on the desired position. We also participate in the Department of Homeland Security’s E-Verify program to ensure a candidate’s immigration or work status is valid.
All pertinent Syncari employees undergo system and security training as part of the initial onboarding process. During this onboarding, new employees review and agree to our privacy policies, which highlight our commitment to keeping customer information safe and secure. We instruct new engineers and DevOps personnel on topics such as secure coding practices, secure product design, and automated testing and deployment tools.
Security and privacy are continually evolving areas, and we recognize that employee commitment is a key means of increasing awareness and security. Syncari meets regularly for internal chats with pertinent team members to raise awareness and drive innovation in security and data privacy. Our CEO, CTO, and key Engineering members have previously worked in highly sensitive data environments and reinforce the need to keep our customers’ data secure at all costs.
Syncari employs security and privacy professionals who are part of our software engineering and DevOps team. This team includes members with many years of experience in application and network security, especially for PII-sensitive SaaS offerings. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Syncari’s security policies.
Syncari’s security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews. In addition, the team performs third-party penetration tests annually that include external break-in, and blackbox and whitebox testing of our environments.
The Syncari team also includes members who have been instrumental in building and maintaining privacy practices. This team operates at the executive level of the organization, but participates in every Syncari product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. The privacy team oversees abuse complaints and conducts research on privacy best practices for our emerging technologies.
The Syncari Executive team and Board of Directors understand that operational and security excellence are an integral part of our business. To that end, they have instituted various best-practice measures designed to provide a strong security foundation.
Syncari administers a vulnerability management process that actively scans for security threats using a combination of:
The Syncari Engineering, DevOps and Security management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized per severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until it verifies that the issues have been remediated.
An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Syncari takes these threats to its networks and its customers very seriously and uses a variety of methods to prevent, detect and eradicate malware.
Syncari makes use of multiple antivirus engines in Gmail, Google Drive, and on workstations to help identify malware that any single engine’s signatures may miss.
Syncari’s security monitoring program is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source tools for traffic capture and parsing.
We operate a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. This process specifies courses of action and procedures for notification, escalation, mitigation, and documentation. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. Syncari’s security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800-61). Key staff are experienced in forensics and evidence handling in preparation for an event, including the use of third-party and proprietary tools.
The Syncari Distributed Data Management Platform runs on Google Cloud Platform and follows Google’s best practices for security of our product and services. As a result, all the benefits of Google’s technology and security practices are passed through to our customers. Google is an innovator in hardware, software, network and system management technologies. It custom-designed its servers, proprietary operating system, and geographically distributed data centers. Using the principles of “defense in depth,” Google created an IT infrastructure that is more secure and easier to manage than more traditional technologies.
Google’s focus on security and protection of data is among its primary design criteria. The Google data center’s physical security features a layered model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. These data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. The data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible via a security corridor that implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Google’s employees will ever set foot in one of these data centers.
To keep things running 24/7 and ensure uninterrupted services, Google’s data centers feature redundant power systems and environmental controls. Every critical component has a primary and alternate power source, each with equal power. Diesel engine backup generators can provide enough emergency electrical power to run each data center at full capacity. Cooling systems maintain a constant operating temperature for servers and other hardware, reducing the risk of service outages. Fire detection and suppression equipment helps prevent damage to hardware. Heat, fire, and smoke detectors trigger audible and visible alarms in the affected zone, at security operations consoles, and at remote monitoring desks.
Syncari customers own their data. The data that customers put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties. We offer our customers a detailed data processing amendment that describes our commitment to protecting customer data. It states that Syncari will not process data for any purpose other than to fulfill our contractual obligations. Furthermore, if customers delete their data, we commit to deleting it from our systems within 30 days. Finally, we provide tools that make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost imposed by Syncari.
To keep data private and secure, Syncari logically isolates each customer’s data from that of other customers and users, even when it’s stored on the same physical server. Only a small group of Syncari employees have access to customer data. Access rights and levels are based on the Syncari employee’s job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. In addition, Syncari employees are only granted a limited set of default permissions to access company resources, such as employee email and Syncari’s internal employee portal. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Syncari’s security policies. Approvals are managed by workflow and ticketing tools that maintain audit records of all changes. These tools control both the modification of authorization settings and the approval process to ensure consistent application of the approval policies. An employee’s authorization settings are used to control access to all resources, including data and systems used to power Syncari’s products. Syncari team member access is monitored and audited by our security, privacy, and audit partners.
Within customer organizations, the subscription owners configure and control administrative roles and privileges for Syncari’s Intelligent Synchronization Platform.
The customer, as the data owner, is primarily responsible for responding to law enforcement data requests. However, like other technology and communications companies, Syncari may receive direct requests from governments and courts around the world about how a person has used the company’s services. We take measures to protect customers’ privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of data our customers store with Syncari remains our priority as we comply with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Syncari’s policies.
Syncari directly conducts all data-processing activities needed to provide our services but leverages Google Cloud Platform for its infrastructure. In addition, Syncari may engage other third-party providers for services related to Syncari’s Intelligent Synchronization Platform, including customer and technical support. Prior to onboarding third-party suppliers, Syncari assesses their security and privacy practices to ensure they provide levels appropriate to their access to data and the scope of the services they are engaged to provide. Once Syncari has assessed the risks presented by the third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms.
Because our customers operate across regulated industries, including finance, pharmaceutical and manufacturing, they have varying regulatory compliance needs. Our clients.
Syncari can provide HIPAA Business Partner Agreements and complies with the Gramm-Leach-Bliley Act (GLBA) of 1999 practices for securing infrastructure and applications. Syncari is also working toward its SOC 2 and expects to have its first Type I audit completed by July 2020.
Syncari’s Intelligent Synchronization Platform allows businesses to deliver holistic and comprehensive data management in which each department realizes the full benefits of its operational systems. Organizations will now have all the required information available to operate efficiently and without the overhead of ancillary integration and data aggregation platforms.