Targetprocess On-Demand Security Notes

Targetprocess SaaS Cloud uses a reliable physical infrastructure and runs on a secure network that's built around data security to ensure that your information remains private, secure and available. Our servers are hosted at “IBM Cloud” (formerly Softlayer), a world-class hosting service company.

IBM Cloud security procedures are based on industry best practices, confirmed by certificates including (but not limited to): ISO 27001, ISO 27018 and PCI DSS. Additional information is available at https://www.ibm.com/cloud/compliance. Targetprocess follows practices from applicable NIST SP 800 publications, i.e. SP 800-53.

Facilities

Default data locations for Targetprocess customer instances are:

  • Dallas (DAL05, DAL06, DAL09) as main location and Houston (HOU02) as backup location for North America
  • Amsterdam (AMS01) as main location and London (LON01) as backup location for Europe
  • Melbourne (MEL01) as single location for Australia

Custom data locations are possible for Private Cloud customers.

Network Security Highlights

  • Firewalls from industry leaders to ensure connection security
  • Full network redundancy with Cisco switches throughout the data center
  • Encrypted VPN-only access to production networks. A limited number of users are allowed to access production networks, using the “least privilege” principle. Mobile-based 2FA is enforced for management and VPN connections.
  • Regular network vulnerability and anti-virus scans are performed to ensure servers’ security
  • Host level firewalls are enabled and configured to ensure a minimal number of services are exposed

Storage

Database backup strategy.

There are 2 levels of backup for your data. The system is set up to ensure that no data is lost in the event of an emergency on the production server:

  1. The Logshipping mechanism is used at the first level: the transaction logs are transferred to another DB server in the same datacenter every 20 minutes, where they are restored immediately so that at each point in time there is a fully functional copy of the production database. Every 7 days, a complete backup is made as well.
  2. The second level involves geographically distributed Cloud Storage. All transaction logs and database .bak files are stored inside ObjectStorage clusters in two locations on different continents. Replication to a location on another continent can be disabled for regulatory reasons per request.

Targetprocess customers can get access to the latest backup of their database upon request. Contact us at support@targetprocess.com for more details.

Other customer data backup strategy.

Other data (including uploaded files and plugin data) is stored on the high-end RAID-enabled NAS. The data is replicated every 15 minutes to another storage system located in a datacenter on a different continent. Regular backups of data are also made to ObjectStorage clusters in two locations on different continents so your information is safe in case of a DC disaster. Replication to a location on another continent can be disabled for regulatory reasons per request.

Server Security

  • Our servers run the latest versions of Windows and Linux operating systems that are updated to the latest patch weekly, bi-weekly or monthly.
  • Vulnerability / configuration issue / anti-virus scans are enabled
  • Automated configuration management based on tools from major vendors
  • Performance and security monitoring based on standard and custom tools with e-mail, SMS and push notifications.

Workstation Security

Workstations as well as laptops are centrally managed by AD Group Policy with password complexity requirements, forced sleep after 30 minutes of inactivity, and a complete Endpoint Protection suite from a top-tier vendor installed with forced daily scans and all modules enabled. VPN connections to corporate resources are available to a limited number of users and are logged and monitored for suspicious activity.

Application Security

  • Each Targetprocess account is a web application with its own database, so no one can access your account from another application. Our Private Cloud edition uses dedicated servers -- details can be found further below.
  • Each user in any Targetprocess On-Demand account has a unique username and password.
  • After authentication, any request to the Targetprocess server is tied to user identity. This keeps your data private, secure and protected.
  • Regular (at least quarterly) vulnerability scans are performed.

It’s important for us to maintain our standards of high quality for our software. After automated testing and manual testing by our QA engineers, every application build goes through the following steps:

  1. Alpha environment.
  2. Beta environment with a limited number of users.
  3. Released into production.

Data Access Policy

Targetprocess support and infrastructure teams may access customer data for troubleshooting, maintenance and/or technical support activities when requested by the customer. We do not disclose or share data or personal information to third parties (see Targetprocess On-Demand Terms of Service and Targetprocess Privacy Policy). Encrypted VPN connection with logging and 2-factor authentication is enforced.

Background checks are performed for users with access to customer data in the production network.

Secure Transmission and Sessions

Application protocols are secured by TLS 1.2, using certificates from Go Daddy Secure Certification Authority. Individual user sessions are identified and checked with each transaction using the unique authentication cookie that was created at login.

Standard and Private Cloud editions

There are two plans available for Targetprocess cloud customers; the key differences are outlined here:

Feature / Edition            Standard            Private Cloud (Enterprise)
Application                  Multi-tenant        Dedicated servers
Database                     Dedicated database  Dedicated servers
Custom plugins support       NO                  YES
SAML 2.0 Single Sign-On      YES                 YES
Custom Development support   NO                  YES

  • Orlando Bustamante Pérez

    Do free users also benefit from all these security features or is it only included with the paid version?

    Thanks in advance,
    Orlando

  • Julia Pastushenko

    Hi Orlando,

    All of these security features are available for free users as well.
    Please let us know if you have more questions on this.

    Best wishes,
    Julia.

  • Bruce Onder

    How are attachments stored? We handle a number of sensitive documents as attachments to requests, stories, etc.

  • Andrey Metelsky

    Hi @bruceonder

    Uploaded files are stored on the high-end RAID-enabled NAS on Linux. This data can be accessed in private network only. VPN connections to corporate resources have two-step verification, are available to a limited number of users, and are logged and monitored for suspicious activity.

    The data is replicated every 15 minutes to another storage system located in a datacenter on a different continent. Regular backups of data are also made to ObjectStorage clusters in two locations on different continents so your information is safe in case of a DC disaster.

    Andrey M.

  • Bruce Onder

    Thanks!

  • Sabri Sawaad

    Do you provide multi factor authentication for users?

  • Alex

    If the default ‘login + password’ login method is used, then no multi-factor authentication is provided. Single Sign-On integration with your custom identity provider may serve as the replacement for the default method. As a result, ‘login + password’ pairs are disabled. On the side of your identity provider, you’re welcome to activate multi-factor authentication according to required security policies.
    More information on Single Sign-On: https://www.targetprocess.com/guide/settings/sso/single-sign-on-in-targetprocess/

  • Sabri Sawaad

    Thanks Alex. That looks like an option I can pursue.
