Protection of customer data is critical to Ardoq, and information security is considered a high priority by senior management. Read on to learn more about Ardoq’s approach to safeguarding the confidentiality, integrity and availability of information stored and processed by the Ardoq Cloud platform.
Ardoq has established and continues to develop an Information Security Management System (ISMS) that encompasses policies, standards and procedures to ensure information security is addressed as part of the development and operation of the Ardoq Cloud Platform. The ISMS is aligned with ISO/IEC 27001:2013, and aims to address both customer and regulatory security requirements (e.g. GDPR).
Ardoq performs an internal information security risk assessment annually, or more often when significant organizational changes are made. Risk assessments follow a process modelled on NIST Special Publication 800-30 Revision 1.
All Ardoq employees are required to adhere to a Code of Conduct which includes maintaining confidentiality of customer data. Employees receive regular security awareness training and must read and acknowledge Ardoq’s information security policies on an annual basis.
Customer data is processed in a dedicated cloud-based production environment where access is limited to those with a legitimate business need. Administrative access is restricted to specifically authorized personnel whose access rights are reviewed on a regular basis. Multi-factor authentication (MFA) is required for access to production systems and most internal Ardoq business systems.
Ardoq makes extensive use of cloud-native components to operate and secure the SaaS platform, including containerisation, security groups and auto-scaling. Security patches are applied nightly for non-containerised hosts. Containers are built on trusted base images and updated continuously as part of Ardoq’s Continuous Delivery model.
Logs are aggregated from hosts and cloud infrastructure components and monitored using a SIEM. Logs are retained for pre-defined periods.
The Ardoq Cloud Platform is hosted with globally leading cloud infrastructure provider AWS, who are responsible for physical and environmental security. AWS has an extensive security compliance program including certification against ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018 as well as regular SOC 2 (Type II) audits. The audited security controls include dedicated security staff, strictly managed physical access control, and video surveillance.
Data in transit between users and the Ardoq Cloud Platform is encrypted and authenticated using TLS 1.2.
Data at rest stored in the Ardoq Cloud Platform is encrypted using 256-bit AES. Key management is supported by Hardware Security Modules (HSMs) validated under FIPS 140-2.
Ardoq monitors for and mitigates potential attacks with several tools, including a web application firewall, network-level firewalling, and security groups to segregate different processing operations. In addition, the Ardoq platform contains Distributed Denial of Service (DDoS) prevention defenses.
Ardoq employs a Continuous Delivery model. Changes and improvements to the platform are developed and tested on separate branches and merged via Pull Requests. Pull Requests must be reviewed by at least one other developer for quality and security.
Third-party components are automatically reviewed for security vulnerabilities, triaged, prioritised, and updated according to severity.
The Ardoq Cloud Platform is continually subjected to vulnerability assessments, including:
Ardoq's security incident process flows and investigation data sources are pre-defined during recurring preparation activities and exercises, and are refined through investigation follow-ups. We use standard incident response process structures to ensure that the right steps are taken at the right time. Incident response exercises are conducted once per quarter.
Information security is also part of Ardoq’s wider business continuity strategy. The Ardoq Cloud Platform is hosted across several cloud infrastructure availability zones. All customer data is backed up and stored in encrypted form at a separate cloud infrastructure provider. Production environments are instrumented using Infrastructure-as-Code technologies such as Terraform and Ansible, allowing for rapid re-deployment. Disaster response drills are conducted at least twice a year.
Ardoq’s Cloud Platform has undergone a SOC 2 (Type I) audit. The audit was based on the Auditing Standards Board of the American Institute of Certified Public Accountants' current Trust Services Criteria (AICPA TSC 2017). The purpose of the report is to evaluate an organization’s policies and processes relevant to security, processing integrity, availability, confidentiality, and privacy.
Customers and potential customers can download the full audit, and corresponding architecture and policy summaries, by contacting their Ardoq Account Executive or Customer Service Manager.
In addition, Ardoq’s ISMS is aligned with ISO/IEC 27001:2013.