These Technical and Organizational Measures (“TOMs”) to ensure the security of the Cloud Service (“Service”) form a part of the Fortanix Terms of Service (the “Agreement”) or any other agreement(s) entered into between you or the entity which you represent (“Customer”) and Fortanix, Inc. (“Fortanix”).
| MEASURE | Description |
| --- | --- |
| MEASURES FOR FORTANIX’S EMPLOYEES IDENTIFICATION, ACCESS AND AUTHORISATION | Fortanix enforces the principle of least privilege for IT systems. Access to designated systems and data is limited to personnel for whom access is required based on job function. Access to all systems is deleted or suspended upon termination of employment. Employees access the systems via a secure 2FA-enabled VPN. The VPN software continuously validates the compliance status of the connecting device. Access lists for corporate systems are audited quarterly. |
| MEASURES FOR ENSURING THE ABILITY TO RESTORE THE AVAILABILITY AND ACCESS TO PLATFORM SERVICES IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT | Fortanix maintains disaster recovery and business continuity plans to ensure that critical business functions are identified and that mitigating controls are in place against any event that may impact the availability of and/or access to the data required in connection with the Service. The plans are tested annually to ensure that the determined Recovery Point Objective and Recovery Time Objective are met in the event of a physical or technical incident that would affect the availability of the Service. |
| PROCESSES FOR ENSURING ONGOING SECURE OPERATIONS | As part of the software development lifecycle, the Fortanix Engineering team routinely scans Fortanix software using industry-standard tooling to identify any potential vulnerabilities. All infrastructure of the Service is part of this ongoing vulnerability monitoring. Vulnerability scans are performed based on specific PCI-DSS requirements. Logging is forwarded to and analyzed by a central SIEM system. Alerts are sent to security personnel 24/7. In addition to scanning its codebase and infrastructure, Fortanix regularly engages a third party to conduct penetration tests of the Service, which are performed at least annually. |
| MEASURES FOR THE PROTECTION OF DATA DURING TRANSMISSION | Where applicable, Fortanix ensures encryption in transit for all communications between Customers and the Service itself via mutually authenticated TLS, known as mTLS. Only secure transfer protocols (TLS, SSH, etc.) are used to transfer data from one system endpoint to another. |
| MEASURES FOR THE PROTECTION OF CUSTOMER DATA DURING STORAGE | Any Customer Data stored by the Service is encrypted while at rest. Customer Data stored by the Service is replicated in separate locations within a geographical region. |
| MEASURES FOR THE PROTECTION OF CUSTOMER DATA DURING USE | Any Customer Data processed by the Service while in use is processed in a confidential computing environment. All cryptographic operations performed upon Customer Data are conducted within an attested Trusted Execution Environment (TEE). A TEE is a secure area of a main processor which prevents unauthorized access to, or alteration of, the data it holds. |
| MEASURES FOR ENSURING PHYSICAL SECURITY OF LOCATIONS FROM WHICH SERVICES ARE PROVIDED | Locations from which the Service is provided are secured by a physical key, an electronic access key or both, and employ video security and alarm systems. |
| MEASURES FOR ENSURING ACCOUNTABILITY | Actions taken are logged in an immutable, encrypted audit log. Customers may set up and forward their audit logging to their own logging system via syslog integration. Fortanix ensures accountability through the logging of (privileged) access activity, which is stored in a SIEM. All Fortanix employees are required to abide by a data handling and classification program; any violation of these requirements will result in disciplinary procedures up to and including termination. |
| MEASURES FOR INTERNAL IT AND IT SECURITY GOVERNANCE AND MANAGEMENT | Fortanix has implemented an information security management program designed around the ISO27001 standard to ensure effective internal IT security governance and management. This includes internal and third-party audits performed on an annual basis to verify the functioning of the ISMS. |
| MEASURES FOR CERTIFICATION/ASSURANCE OF PROCESSES AND SERVICE | Fortanix conducts third-party audits of the Service through a SOC 2 Type II Report as issued by the American Institute of Certified Public Accountants. Fortanix also maintains ISO27001 certification. Fortanix maintains a PCI-DSS SAQ D attestation with respect to the Key Management Service. Upon request, Fortanix will share or provide evidence that a third-party audit was conducted. Fortanix has implemented and maintains a comprehensive, written information security program that is reviewed and updated at least annually in accordance with industry-recognized standards and practices, such as ISO 27001 and PCI-DSS. |
| MEASURES FOR ENSURING DATA MINIMISATION | Fortanix processes only Customer Data which is relevant and necessary for the provision of the Service. |