As a software provider, Acquiro, Inc. is committed to providing highly secure and reliable software. Our SaaS platform is hosted in a state of the art data centre. Additionally, our engineers utilize proven and state-of-the-art security technologies and techniques in order to protect all systems, data, and information from unauthorized access in the best possible way.
Our servers are located in a secure data center in Montreal, Quebec, Canada. All Interceptum data is stored exclusively in our Canadian data center; it does not float around in the "cloud". The Data Centre is managed by the Internap Corporation - INAP (see http://www.inap.com).
Compliance & Accreditations
In addition, all data is processed in that location, and is never moved to another jurisdiction. In other words, all data is collected in Canada, all data is processed in Canada.
Only authorized employees of Interceptum Systems, Inc. can access the servers. Our security experts regularly patch our servers for any new vulnerability that get disclosed. Access to our servers is restricted to specific individuals, whose access is monitored and audited for compliance.
The Interceptum services are protected by strong authentication and authorization to ensure only authorized users can access and modify data. Each user in your Interceptum account has a unique user name and password.
The Interceptum services also offer full auditing capabilities so that any data modifications can be traced back to the user who made the change.
Data Retention / Backups
Acquiro Systems creates a nightly backup on a daily basis at around 2:00 ET. Acquiro Systems preserves the backups for a period of 180 days. After 180 days, the backups are permanently deleted and the data can no longer be recovered.
Acquiro Systems stores the backups on a secured remote server separate from the operational servers running the Interceptum services to ensure no data is lost in case of a catastrophic failure of the operational servers. The backup servers are located in the same jurisdiction as the operational.
Acquiro Systems shall permanently destroy all data deleted via the Interceptum services graphical user interface (GUI) or Web Services and APIs after 180 days once the deletion is performed using the services. Once deletion is performed, the data is immediately no longer accessible via the operational servers. The deleted data will only be available via the nightly backups until the backups are permanently deleted.
Acquiro Systems uses state of the art strong encryption when the Interceptum services are used by end-users or remote systems using our Web Services and APIs. All connections are encrypted using Transport Layer Security (TLS) encryption (also known as HTTPS or SSL) with strong encryption and SSL certificates with 2048 bit keys. We regularly patch our servers when vulnerabilities related to TSL/SSL connections are disclosed. See the SSL report for more information on the specifics of our SSL installation. (https://www.ssllabs.com/ssltest/analyze.html?d=Interceptum.com)
Internet Protocol (IP) Address Based Access Controls
Access to the Interceptum services for individual client accounts can be limited to only certain IP address ranges or they can be denied for certain IP address ranges. Contact support for more information on how this can be enabled for your account.
Software development security
Security Best Practices
The Acquiro Systems software engineering team always follows the best practices to implement strong security and privacy controls in the Interceptum services. We follow all recommendations from the Open Web Application Security Project (see https://www.owasp.org).
Before any code is deployed on operational servers, the code changes go through a rigorous peer review process to ensure that security best practices have been followed. The code reviews check for things like SQL Injection vulnerabilities, Cross-Site Scripting (XSS) vulnerabilities, etc.
Quality Assurance Testing
In addition to code reviews, any code changes go through a thorough internal quality assurance testing process.
Acquiro Systems maintains a policy of full event disclosure for security incidents that affect client data. In the event of any security incident affecting your data, a notification will be sent to your account administrator.
Human Resources Security
Acquiro Systems has background checks performed on all employees at the time of hire (to the extent permitted by law), and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. Acquiro policies prohibit employees from using confidential information (including client data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.
An employee's or contractor's failure to cooperate fully in any background check and any dishonesty or omission of information pertaining to a background check by an employee precludes employment with Acquiro.
Terms of Employment
Acquiro Systems operates an onboarding process including at a minimum the following steps:
General information security training is provided to all new employees (both full time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.
Development and SaaS Operations staff receives further training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.
Termination of Employment
Acquiro Systems maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of any and all Acquiro Systems and Client assets, disables or adjusts access rights, and reminds ex-employees and ex-contractors of their remaining employment restrictions and contractual obligations. All accesses (logical and physical) are terminated on or before the termination date.