Security at SupportSync

Our approach to security is centered on protecting the confidentiality, integrity, and availability of data.

Physical Security – Data Centers

SupportSync is hosted in Rackspace data centers. By using a shared responsibility model, SupportSync inherits physical access controls, redundancy of network, system and power, fire suppression and security of data backups from Rackspace.

Rackspace engages auditors to perform examinations of its systems in accordance with the recommendations of ISO 27001, SSAE 18, AT 101 and equivalent industry standards. PCI-DSS Service Provider, or equivalent, accreditation is maintained with regard to dedicated hosting services.

The data center is staffed 24/7/365 and monitored by video surveillance, recording to a centralized location, and viewed by the onsite security force.

Background screening of employees who have access to hosted accounts is carried out by Rackspace, and breaches of security of hosted data that Rackspace becomes aware of are reported promptly.

Network & System Security

SupportSync prevents direct access to resources from the public internet by using a Cisco ASA 5508-X firewall with SSD. Cisco Defense Orchestrator and Rackspace monitoring help detect malicious activity. Our team is alerted to unsuccessful log-on attempts, malicious URLs and other activity, and we routinely add IPs to our block list.

All data transmitted to and from the SupportSync platform is protected using 256-bit TLS encryption. Key customer data is encrypted at rest, and backups are encrypted. We scan uploaded files for viruses using Sophos Endpoint Security.

Operating system and infrastructure patches are applied promptly as they become available.

Backups are geo-redundant, replicated across multiple locations for data durability.

Resiliency and Availability

SupportSync leverages the reliability features of our Rackspace-hosted infrastructure, such as encrypted backups, RAID and 1-hour system replacement, to ensure the availability of our service.

We regularly review and rehearse our business continuity and disaster recovery plans.

Off-premises data backup is conducted so that backup drives are not permanently connected to the devices they back up, guarding against ransomware attacks.

Email Security

By default, SupportSync signs every email using the DomainKeys Identified Mail (DKIM) standard. The signatures can be used to verify that messages are legitimate and have not been modified by a third party in transit.

Additionally, we require that clients adhere to the Sender Policy Framework (SPF) if they choose to use their own email notification address, ensuring that email can only be sent from IP addresses that are published in our SPF record.
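As an added example (not SupportSync's own code), the kind of check a client can run against their domain's SPF TXT record before using a custom notification address: it confirms that the vendor's sending hosts are delegated to via an `include:` mechanism and that the record ends with an enforcing `all`. The include hostname `spf.vendor.example` and the sample record are constructed placeholders.

```python
"""Check a customer's SPF TXT record for delegation to a vendor's senders.

Added example, not SupportSync code. The include name below is a placeholder
assumption; a real deployment would use the hostname the vendor publishes.
"""
import ipaddress

VENDOR_INCLUDE = "spf.vendor.example"  # placeholder, not a real hostname

# Constructed sample record: the customer's own range plus the vendor include.
SAMPLE_RECORD = "v=spf1 ip4:203.0.113.0/24 include:spf.vendor.example -all"

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Modifiers (redirect=, exp=) use "=", mechanisms use ":".
        sep = "=" if "=" in term and ":" not in term else ":"
        mech, _, arg = term.partition(sep)
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)  # raises on malformed CIDR
        parsed.append((qualifier, mech, arg))
    return parsed

def check_spf(record, vendor_include=VENDOR_INCLUDE):
    """Return findings about the record; "ok" is True when it is acceptable."""
    findings = {"vendor_included": False, "enforcing_all": False, "lookups": 0}
    for qual, mech, arg in parse_spf(record):
        if mech == "include" and arg.lower() == vendor_include and qual == "+":
            findings["vendor_included"] = True
        if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
            findings["lookups"] += 1  # RFC 7208 caps DNS-querying terms at 10
        if mech == "all":
            # "-all" (fail) or "~all" (softfail) rejects unlisted senders;
            # "+all" or "?all" would let anyone send as the domain.
            findings["enforcing_all"] = qual in ("-", "~")
    findings["ok"] = (findings["vendor_included"]
                      and findings["enforcing_all"]
                      and findings["lookups"] <= 10)
    return findings

if __name__ == "__main__":
    print(check_spf(SAMPLE_RECORD))
```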

Application Security

All access to the application is logged, including HTTP protocol, remote IP address, remote host, timestamp, resource accessed and additional parameters.

Users are locked out of their account after five failed log-in attempts. We plan to offer two-factor authentication in the future.

Access Control Policy

This policy outlines rules for authorizing, monitoring, and controlling access to SupportSync accounts, information, and systems.

SupportSync provides access to information, accounts, systems, and resources based on the principle of least privilege. This principle states that users should be given only those privileges needed for them to complete their task.

Compliance with this policy enables administration and technical support staff to conduct their activities within the framework of the law, while minimizing exposure to security breaches.

Responsibilities:
  • All personnel (employees, contractors, vendors and third parties) at SupportSync must abide by relevant Information Security and Access Control policies and procedures.
  • All account holders must secure their credentials and be responsible for the systems, services, and data within their control.
  • Access administrators must only sponsor access requests that are valid, ensuring adequate and appropriate justification based on the requester's business need.

Account Types:
Provisioning of accounts and their privileges across SupportSync systems and applications must conform to the following requirements.
  • Privileged Accounts: Administrator and other privileged accounts shall be created only where needed to manage the system.
  • Individual User Accounts: Each user account will be assigned one or more roles based on the user's access requirements. Account access should be revoked within 24 hours of a user's departure, with the account being suspended or deleted, as necessary. Notice to the account administrator should be initiated as part of the termination process.
  • Temporary Accounts: Temporary accounts will need to be created occasionally to allow work by contractors or auditors. These shall be created using the role-based access control method used for all individual accounts. Temporary Accounts will be deactivated upon the expiration date or the date of departure of the contractor or auditor, whichever occurs first.

Authentication Controls:
All account, service and platform access is managed through secure authentication controls. To ensure consistent compliance with security rules, access rights to customer data and other sensitive data will be based on the functional roles of staff, contractors, and other users of the SupportSync IT infrastructure, applications, and data.

Each user shall be granted access using a unique ID or account based on:
  • Least Privilege: Users will only be granted access to customer data for the purpose of executing their responsibilities and duties. Right to access customer data shall not be granted unless there is a legitimate business or legal need.
  • Segregation of Duties: Users should not be able to grant themselves rights.
  • Role-Based Access: Users will be assigned access rights to customer data based on functional roles they assume in using SupportSync.
Any person who does not meet one of these conditions shall be prohibited from access. These controls include alerts, regular log inspection, separation of duties and lockouts.

Any changes to access privileges and roles must be actively managed and documented. Deactivation or termination of an account must immediately remove all access to customer information.

Access in Special Circumstances:
There are special circumstances where extra or privileged access is needed. For all cases, access to an account, the information contained within or information pertaining to the activity of an account is carefully restricted and must only be carried out with the appropriate authorization and safeguards in place.

The Information Security team may access accounts and user data when required, such as:
  • To detect and prevent crime, or in response to a request from law enforcement authorities.
  • System security protection: prevention of viruses, malware, hacking and other malicious activity.
  • Investigations into misuse, abuse, or other illegal activity.
  • Access on behalf of a medically incapacitated or deceased user.
Emergency access shall only be used during emergencies and the testing of emergency operations. Emergency access will be removed as soon as it is no longer needed.

Removal or Adjustment of Access Rights:
The access rights of all employees and other users will be removed upon termination of their employment, contract, or agreement, or adjusted upon change.

Additional access to accounts, assets, systems, or services is subject to review and approval on a case-by-case basis.

Reporting an Issue

SupportSync takes security seriously. If you believe you've found a security issue, or have any concerns or questions regarding SupportSync security, please contact us.
