What services will we receive and what will be included in the service level agreement?
Samepage is a cloud-based product that can be accessed by customers via:
Samepage should be available with the features listed on our website for 99.99% of the time in any given calendar month.
What performance measures do you use to assess service availability?
Continuous testing using multiple availability tools such as Pingdom.
The health of the core services can be viewed at http://status.samepage.io
Are any Samepage services outsourced to a third party? If so, please explain.
We use Amazon Web Services to run Samepage production infrastructure and databases. Affiliated resellers are sometimes involved in the sales process, namely in helping onboard newly signed up customers. Beyond that, we do not outsource any business or technical services to 3rd parties.
How do you calculate availability or uptime (i.e. time intervals, etc.)?
SLA: Samepage service will be available 99.99% of the time in any given calendar month period.
What is your uptime history?
The uptime history can be viewed on our status page: http://status.samepage.io.
What reports will be delivered to customers regarding system reliability?
System status page at http://status.samepage.io. Atom/RSS feeds are available for subscription to the system status page.
What controls are in place to ensure information is properly secured against unauthorized access, change, and destruction?
The production systems can be only accessed by a carefully selected and specially trained Operations team. Access to production systems is controlled via 2FA authentication and logged. Data are replicated and backed up.
What employees or subcontractors or other third parties will have access to customer information and how is their access controlled?
Only the Operations team has access to the production systems. No subcontractors or any other 3rd party have access to the systems.
The Customer Success and Sales teams have access to customer data inside SalesForce but data is limited to usernames, email addresses, telephone numbers (if provided by the user), and limited billing information. In addition, global stats about users activity is also available, i.e. number of teams created, number of chat messages, etc.
How are system administrators monitored for their access to customer data?
Administrators actions are logged into the access log.
What is your vulnerability remediation process (how often are the reports reviewed and what actions are taken)?
We patch critical vulnerabilities such as RCE (Remote Code Execution) immediately after we become aware of them. We monitor disclosure databases and security forums on a daily basis.
Please describe your patch management process.
We use a continuous development and deployment process. That enables us to deploy patches immediately as they become available.
What is your employee background check policy?
Most of our technical personnel is located in the EU where background checks are limited by law. Instead, extensive screening of the applicants and supervision is used.
How is physical and logical access to your information systems controlled?
Physical access: Our production systems are run in AWS North American data center. Physical access to those systems is controlled by Amazon.
Logical access: The production systems can be only be accessed via encrypted connections (SSH, HTTPS). We aim to adhere to the principle of the least privilege and access model as a general rule.
Is multi-factor authentication used for privileged users accessing systems remotely?
What kind of regular reviews and audits are done on privileged user account use and access levels?
We perform a monthly review and audit of privileged user account use and access levels.
How does your systems and data architecture ensure the integrity and isolation of client's data in a multi-tenant environment?
Authenticated sessions, OAuth and tenant membership is used in logic that controls data access.
Is customer data encrypted at rest? What type of encryption is used and how are keys managed?
Data stored in AWS are encrypted using AES-256 cipher. Encryption keys are either managed internally or by Amazon depending on the type of service.
What controls are in place to prevent, detect, and react to breaches?
We continuously collect and regularly analyze logs from our systems.
How are customers notified if a breach occurs?
Upon discovery of a data breach:
We first determine the extent of the breach and the type of data which has been breached, as well as the identity of PII subjects.
Once we establish the identity of all PII subjects, notification is delivered by email and as prescribed by the California Civil Code S. 1798.82
How are employees trained and educated with respect to privacy and security?
We maintain and publish an internal Security Awareness Policy that all team employees must adhere to.
Do you have physical security practices in place to protect against physical attacks?
All production and customers data are stored in Amazon. Amazon Web Services Inc. runs the physical data centers and provides protection against physical attacks.
What authentication and access control mechanisms do you support?
Customers authenticate to Samepage using a combination of username and password. Customers can also use single-sign-on with their own identity system.
What controls are in place to compartmentalize administrators' job responsibilities to protect against insider threats?
The operations team has full access to all production systems. We aim to adhere to the principle of the least privilege and access model as a general rule.
What are your procedures for vetting privileged users?
Privileged users are vetted directly by the VP of Engineering.
What type of authentication is supported (i.e. strong, two-factor, etc.)?
Customer authentication using username and password, or using SSO is supported. We do not directly support multi-factor authentication at this time.
Do you allow remote administrative access to the cloud infrastructure?
The production systems are accessed remotely via encrypted / secure connections. All production systems use multi-factor authentication.
Upon authentication through customer's identity management, can the user access the cloud service without further authentication (i.e. single sign-on)?
Yes, we support single-sign-on using services like Okta, ADFS.
Where will our information reside? What is the geographic location of data center facilities?
AWS – Oregon region (us-west-2).
Is your data center (and all backup locations) within the United States? Will all data remain within the U.S.?
Yes and Yes.
What type of third-party assurance regarding internal controls do you receive (e.g., SSAE16/SOC 2)? May we receive a copy of the latest report?
We do not perform external audits of internal controls. However, regular external reviews are planned in the future.
Do we have a right to audit to validate controls?
Our customer base consists mainly of small and medium sizes business, which makes it impractical to offer such right. However, we may make exceptions in specific cases.
Do you have a single individual who has ultimate responsibility for information security program and compliance? If so, to what level of the organization does that individual report?
Our VP of Engineering has the formal responsibility for Samepage’s information security program and compliance efforts. VP of Engineering reports directly to the company CEO.
How long have you been in business? Is your organization willing to share its financial statements?
Samepage has been a part of Kerio Technologies until end of 2016. Kerio Technologies has been in business since 1997. Since 2016 Samepage Labs is an independent entity. We are a private company and we do not share our financial statements.
How often do you back up customer data?
We rely on replication of all files and databases. Files are stored in AWS S3 and databases are backed up daily.
Do you have disaster recovery and business continuity plans in place?
Are business recovery procedures tested periodically?
What recovery time can we expect? What is the recovery point objective? Recovery time objective?
RPO = 48 hours
RTO = 240 hours
Do any contractual provisions transfer intellectual property rights and/or ownership rights of customer’s data?
No. To the contrary, we provide contractual guarantees that customers own their own data.
Do you produce audit reports on a regular basis that are conducted by reputable 3rd party experts? How often does the provider have their info security program audited?
We do not hire 3rd parties to conduct audit reports.
What technologies and processes are in place to monitor security audit data such that security events and incidents are handled expediently?
A dashboard system collecting logs and events is monitored by our Operations team.
What are your breach notification practices and how are customers notified in the event of a security breach?
The first informative letter is sent to all affected customers right after the initial assessment of the data breach. After the conclusion of a full investigation, a detailed report is provided to the customers.
Are you HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT) compliant? What is the process of obtaining BAA?
Yes, we are HIPAA compliant. If you, or in case you are a Samepage reseller, your customers require BAA, please send email to firstname.lastname@example.org to initiate the conversation about the BAA process.
Are you GDPR (General Data Protection Regulation) compliant?
Are you ISO 27002 compliant?
No. While we may meet many provisions of the ISO 27002 standard, we primarily focus on meeting the requirements of the United States and European Union laws that are expressed in HIPAA and GDPR acts as discussed above.
What are your policies for incident response and recovery, including forensic analysis capabilities? Do you have an internal investigation process related to the illegal or inappropriate use of IT resources? How are incident handling responsibilities defined in service agreements?
We have an Incident Response Process. An incident is everything which affects our customers except beta testers and prevents them from using Samepage. Issues are immediately communicated to Samepage customers on our Status page (http://status.samepage.io).
For more information, please visit our Data Security page.