Optiwiz Cloud information security and risk governance
Optiwiz Cloud is committed to protecting its customers’ and users’ data. Our key objectives are:
- Customer trust and data protection. We aim to consistently deliver high-quality products and services to our customers while safeguarding the privacy and confidentiality of their information.
- Continuity of service. We ensure continuous availability of the service and data to all our customers and minimize the security risks that might affect service continuity.
- Compliance with standards and best practices. We continuously upgrade our processes and controls to align with current global regulatory and industry best practices. We have designed our security framework around the best guidelines for cloud security.
- Information and service integrity. We ensure that our customers’ information is never corrupted or altered inappropriately.
We have invested heavily in advanced resources and controls to protect and service our customers. We have highly skilled teams that oversee the data security program and the governance processes. We continuously refine our existing controls and security framework.
Optiwiz Cloud information & cybersecurity controls
- Optiwiz information security, data privacy, and risk governance framework
Optiwiz Cloud respects the data privacy of all our clients. Data privacy applies to all personal information we acquire and process across Optiwiz Cloud platforms. Every Nectorian is committed to protecting the privacy and security of that data. Our information security professionals follow a data privacy and risk governance framework supported by an advanced set of technology, processes, and skills.
- Optiwiz Cloud platform security
Optiwiz Cloud, being an intelligent full-stack customer engagement & experience platform, assures Confidentiality, Integrity, and Availability (CIA) with high performance and scalability. We follow all the information & cybersecurity best practices as stated below.
We maintain end-to-end data confidentiality through an appropriate access control system that is fortified with two-factor authentication, complex password policies, and encryption technologies.
We maintain data integrity with appropriate accuracy and completeness. Identity and access management and logging/monitoring controls are implemented to protect data from unauthorized access and modification. Data is maintained and processed consistently and reliably throughout its life cycle at Optiwiz Cloud.
Maximum uptime is assured across Optiwiz platforms. Information security measures (business continuity, disaster recovery, data backup, and infrastructure redundancy) are thoroughly implemented.
- Data privacy
Data privacy is of prime importance at Optiwiz Cloud. We do not sell or share any of our clients’ data with any third party. No client data is misused internally by any Optiwiz Cloud employee. Security controls implemented on Optiwiz Cloud platforms ensure that data stays private and unaltered. The Data Privacy Officer, part of the enterprise security leadership at Optiwiz, maintains internal data privacy compliance through data protection practices.
- Information Security Compliance Management
Optiwiz Cloud ensures that all the platforms meet industry-standard information security compliance requirements and certifications. We are certified against ISO 27001:2013, a globally recognized standard for Information Security Management Systems that covers people, process, and technology, in line with the Statement of Applicability at Optiwiz Cloud. We maintain compliance with the EU Privacy Shield. Our platform also contains features that enable our customers to easily achieve and maintain their General Data Protection Regulation (GDPR) compliance requirements.
- Application & network security
We have built a multi-layered network defense system by investing in advanced network security technology to protect our infrastructure and data from internal and external threats. The application architecture is designed with multi-layer security components. Next-generation firewalls are deployed at the network and application perimeter with advanced features such as IDS/IPS, SSL/TLS encryption, VPN, network segmentation, network encryption, and DDoS protection. Applications are built with secure APIs, input validation, stringent group policies, and adherence to OWASP guidelines.
- Vulnerability management
Our information security professionals perform stringent VAPT scans across Optiwiz infrastructure using a multi-layered approach and industry-recognized tools to identify vulnerabilities on an ongoing basis and keep the environment’s vulnerability and risk exposure to a minimum. We work closely with a CERT-In empanelled IT security team to execute the scans.
- Application development and release management
We constantly improve our products through a modern continuous delivery approach to software development. Code is developed and integrated frequently. Code reviews and quality assurance are performed by specialized teams of engineers with in-depth knowledge of the Optiwiz platforms. Approval is controlled by designated repository owners. Once approved, code is automatically submitted to Optiwiz Cloud’s continuous integration environment, where compilation, packaging, and unit testing occur. If all checks pass, the new code is deployed automatically across the application tier. Test, UAT, and production environments are maintained separately.
- Data encryption in transit & at rest
Data in transit is encrypted using HTTPS over TLS 1.2 or 1.3, and data at rest is encrypted with current, industry-standard encryption algorithms.
- Identity and access management
The access control policy is established and maintained through an appropriate set of access control tools and a well-designed access control model. Access to Optiwiz infrastructure is controlled through a privileged identity management (PIM) tool, VPN, Active Directory (AD), and multi-factor authentication.
- Data retention policy
The data retention period for each client is reviewed on a regular basis, and data is retained on Optiwiz platforms as per the default data retention policy. We offer customized retention periods on request. Data is purged on the customer’s request, and a purging certificate is issued to the client.
- Smart data center strategy with multi-layer security
Optiwiz hosts its product infrastructure in leading, trusted Tier 3 data centers. These data centers provide a high level of physical, environmental, and network security. Providers maintain ISO 27001:2013 and SOC 2 Type II security compliance. Facility uptime is guaranteed between 99.95% and 99.99%, with power redundancy and HVAC services.
- Optiwiz corporate physical & environment security
Optiwiz offices are secured in multiple ways. All sites are equipped with biometric access controls, fire suppression systems, fire extinguishers, CCTV, fire alarms, water sprinklers, smoke detectors, UPS, and similar controls.
- Endpoint security controls
All endpoints are hardened and configured as per the Optiwiz hardening policy, which is based on industry baseline standards. Anti-virus and DLP are deployed on all endpoints. USB ports, print screen, and printer access are disabled. Internet restrictions are applied according to user role. Outbound e-mail restrictions are applied to each user’s e-mail ID according to role and responsibility.
- Baseline hardening and patch management
Each device and software product used within the Optiwiz infrastructure environment is hardened and configured as per its respective baseline standard. Patch management is executed on a timely basis.
- Backup strategy
We ensure that data is replicated and backed up to multiple durable data stores at a defined frequency. All backups are protected through access control restrictions and encryption across Optiwiz networks. The retention period for backups is defined.
- Risk assessment
Our enterprise risk management teams have developed and implemented an effective enterprise-wide risk management program and execute continual risk assessment exercises to identify risks within the environment. This helps us continually reduce our overall risk exposure.
- Database security
Optiwiz database servers are deployed in an internal network zone with limited and restricted access controls. Databases are logically segregated and protected with access controls and password security. Databases are properly configured and hardened as per baseline standards. Only authorized and authenticated personnel can access the database. Data at rest is encrypted with current, industry-standard encryption algorithms.
- Change management
We have a Change Management Board that reviews, evaluates, prioritizes, and monitors requested changes according to standard change management processes.
- Human resource security
Our HR team ensures that all employees are qualified for their roles, understand the responsibilities of their job duties, and comply with security practices throughout their employment lifecycle.
- Information security policy and awareness program
An information security policy is designed and implemented across Optiwiz Cloud to ensure effective implementation and maintenance of the Information Security Management System. A well-designed, multi-level information security training and awareness program is offered to all new and existing employees to educate them about security requirements and practices.
- Employee’s background checks
All our employees undergo an extensive third-party background check (criminal, residential, professional) prior to formal employment offers. Reference verification is performed at the hiring manager’s discretion. All employees comply with the Non-Disclosure Agreement and Acceptable Use Policy to be able to access corporate and production networks.
- Incident management
We provide 24x7x365 support to respond promptly to all security and privacy-related events. Our dedicated incident management team continuously monitors alerts, reviews all security events, both suspected and confirmed, and takes the necessary actions. Appropriate tools are deployed that generate alerts and logs in real time.
- Business continuity & disaster recovery strategy
Our information technology and information security professionals have built efficient business continuity plans, considering people, processes, and technology, to keep all essential functions running during a disruption of services. The disaster recovery strategy is defined with a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO).
Document scope and use
Optiwiz Cloud values transparency in its services. This document has been created with that transparency in mind. Our aim is to continuously improve the security measures we follow, and, along those lines, the information in this document is not intended to create a binding or contractual obligation between Optiwiz Cloud and any parties, or to alter or revise any existing agreements and contracts between the parties.