Information Security

Protection of customer data is critical to Ardoq, and information security is considered a high priority by senior management. Read on to learn more about Ardoq’s approach to safeguarding the confidentiality, integrity and availability of information stored and processed by the Ardoq Cloud platform.

Information Security Management

Ardoq has established and continues to develop an Information Security Management System (ISMS) that encompasses policies, standards and procedures to ensure information security is addressed as part of the development and operation of the Ardoq Cloud Platform. The ISMS is aligned with ISO/IEC 27001:2013, and aims to address both customer and regulatory security requirements (e.g. GDPR).

Ardoq performs an internal information security risk assessment annually, or more often when significant organizational changes are made. Risk assessments follow a process modelled on NIST Special Publication 800-30 Revision 1.

Organizational Security

All Ardoq employees are required to adhere to a Code of Conduct which includes maintaining confidentiality of customer data. Employees receive regular security awareness training and must read and acknowledge Ardoq’s information security policies on an annual basis.

Access Control

Customer data is processed in a dedicated cloud-based production environment where access is limited to those with a legitimate business need. Administrative access is restricted to specifically authorized personnel whose access rights are reviewed on a regular basis. Multi-factor authentication (MFA) is required for access to production systems and most internal Ardoq business systems.

Operations Security

Ardoq makes extensive use of cloud-native components to operate and secure the SaaS platform, including containerisation, security groups and auto-scaling. Security patches are applied nightly for non-containerised hosts. Containers are built on trusted base images and updated continuously as part of Ardoq’s Continuous Delivery model.

Logs are aggregated from hosts and cloud infrastructure components and monitored using a SIEM. Logs are retained for pre-defined periods.

Physical and Environmental Security

The Ardoq Cloud Platform is hosted with globally leading cloud infrastructure provider AWS, who are responsible for physical and environmental security. AWS has an extensive security compliance program including certification against ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 as well as regular SOC 2 (Type II) audits. The audited security controls include dedicated security staff, strictly managed physical access control, and video surveillance.

Cryptography

Data in transit between users and the Ardoq Cloud Platform are encrypted and authenticated using TLS 1.2.

Data at rest stored in the Ardoq Cloud Platform is encrypted using 256-bit AES. Key management is supported by Hardware Security Modules (HSMs) validated under FIPS 140-2.

Communications Security

Ardoq monitors and mitigates against potential attacks with several tools, including a web application firewall, network-level firewalling, and security groups to segregate different processing operations. In addition, the Ardoq platform contains Distributed Denial of Service (DDoS) prevention defenses.

Software Development Lifecycle (SDLC) Security

Ardoq employs a Continuous Delivery model. Changes and improvements to the platform are developed and tested on separate branches and merged via Pull Requests. Pull Requests must be reviewed by at least one other developer for quality and security.

Third-party components are automatically reviewed for security vulnerabilities, triaged, prioritised, and updated according to severity.

The Ardoq Cloud Platform is continually subjected to vulnerability assessments, including:

  • Dynamic scans: Ardoq tests for potential vulnerabilities on a weekly basis.
  • Bug bounty program: Ardoq crowd-sources vulnerability research through an invite-only bug bounty program managed by HackerOne.
  • Annual penetration test: Ardoq contracts an external third party to conduct an annual penetration test of the Cloud Platform to augment the other assessments.

Information Security Incident Management

Ardoq's security incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises, and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time. Incident response exercises are conducted once per quarter.

Business Continuity Management

Information security is also part of Ardoq’s wider business continuity strategy. The Ardoq Cloud Platform is hosted across several cloud infrastructure availability zones. All customer data is backed up and stored in encrypted form at a separate cloud infrastructure provider. Production environments are instrumented using Infrastructure-as-Code technologies such as Terraform and Ansible, allowing for rapid re-deployment. Disaster response drills are conducted at least twice a year.

Compliance

Ardoq’s Cloud Platform has undergone a SOC 2 (Type II) audit. The annual audit is based on the Auditing Standards Board of the American Institute of Certified Public Accountants' current Trust Services Criteria (AICPA TSC 2017). The audit report provides a third-party attestation of the organization’s policies and processes relevant to security.

SOC 2 type ii

Customers and potential customers can download the full audit, and corresponding architecture and policy summaries, by contacting their Ardoq Account Executive or Customer Service Manager.

Ardoq is listed in the Cloud Security Alliance's Security, Trust, Assurance and Risk (STAR) registry. Customers and prospective customers can view our STAR Level 1 entry and access our completed CAIQ here.

In addition, Ardoq’s ISMS is aligned with ISO/IEC 27001:2013.

csa cloud security alliance logo csa cloud security alliance corporate membership saas solution provider badge