Security and Data Privacy
We’ve gone through numerous security assessments with our customers, and we know that security matters for a high-quality B2B SaaS. We cannot provide all (sensitive) details here but are happy to share further information on request or as part of an approval process.
Is SIGNL4 GDPR compliant?
GDPR compliance
SIGNL4 is fully GDPR compliant. Our European Data Center is in Amsterdam, Netherlands (Microsoft Azure Data Center).
Data Processing Agreement
For best GDRP compliance and for customers in the European Union, we do provide for a full data processing agreement which can be examined here and, if needed, signed electronically.
Data Privacy Policy
You can find our data privacy policy here.
Certifications
Are SIGNL4 data centers certified (SOC2, etc)?
SIGNL4 is hosted on Microsoft Azure. Azure data centers do have various certifications including SOC2. Read more here
Does SIGNL4 have any security certifications (ISO 27001, TISAX)?
SIGNL4 is TISAX-certified. This means SIGNL4 is operated under a strict information security management framework. Information about the certification will be shared on request or through the ENX Portal.
Do you encrypt my data?
Full at-rest encryption
Storage of SIGNL4 data in Azure is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
Full in-transit data encryption
Service connectivity is secured via SSL (REST) and TLS (SMTP). We also encrypt communication between our node-clusters and internal applications based on TLS 1.2.
Partial in-use data encryption
We encrypt/hash certain content like service passwords and 3rd party tool service account passwords and compare only hashed data. Certain logical operations on content like keyword matching algorithm however require decrypted processing.
Which TLS version do you support/enforce?
We do not enforce a TLS version but do support TLS 1.2.
Authentication
What is the foundation of your authentication methods?
Authentication of the mobile app is token-based and data are automatically erased from the mobile device if no valid authentication is provided. The authentication against external providers like Microsoft Azure AD is also based on tokens. Please, contact us in case you require more details.
Do you support MFA?
We currently support MFA (multi-factor authentication) through Microsoft Azure AD, Google and Apple authentication if you enable MFA with these providers. For our custom login, we have plans to implement MFA.
Data Security and Protection
Where are my data, where is SIGNL4 hosted?
SIGNL4 is hosted in a European (EU) data center of Microsoft Azure.
Do you have a firewall in place?
Yes, of course. The SIGNL4 cluster is protected by a commercial firewall.
Do you have a data retention policy in place? Can I delete my data?
Yes. You have full control over your data. If you choose to delete your account, we delete all your data. We fully operate under European GDPR.
As long as your account is active, we retain your data. We retain notification/message/event data up to 12 months, depending on your subscription plan.
How do you segregate customer data?
SIGNL4 is a public SaaS. So, we’ve implemented logical data segregation in our code based on client and API keys. This prevents access to any data except your own, including through our API.
Do you have key and password management policy?
Yes. API keys and passwords (customer login) are stored in hashed format. API keys are only shown once to the user upon creation.
How do you protect access to data by your employees?
We have a wide range of policies (TOMs – technical and organizational measures) in place, ranging from physical access control, digital access rights control, multi-factor authentication and so on. Please, refer to our Data Processing Agreement for more details.
Do you perform SAST/DAST/PEN checks?
Yes, we have continuous DAST (Dynamic Application Security Testing) running, using a commercial tool on at least a weekly basis. We can provide you with reports as part of a security assessment.
We also perform SAST (Static Application Security Testing) as well as SCA (Source Code Analysis) testing. Manual PEN testing has been conducted lately.
Business Continuity
Do you have a disaster recovery policy in place? How about backups?
Yes. First of all, SIGNL4 is a multi-node cluster application with inherent high availability and failover. Our DR also includes daily off-site backups, resulting in a RPO (Recovery Point Objective) of 24 hours. We are also using 3rd party services, making sure those meet or exceed our own availability goals.
You can track our uptime of 99.99% here: https://status.signl4.com