Security Policies

VNTANA strongly believes that security is paramount and should not be compromised in any way.
Data Protection

VNTANA collects only name and email address as personal information, and only for account creation purposes. VNTANA has appropriate technical and organizational measures in place to protect your information. We will handle and protect your information in line with these data protection principles.

Any third parties that come in contact with or handle sensitive information on behalf of VNTANA have agreed to take the same level of care as the terms of this policy, as stated in a signed Data Protection Agreement.

These third parties that have Data Protection Agreements with VNTANA are assessed periodically for compliance to the terms of the agreement.

VNTANA supports Subject Access Requests. The procedure for submitting a Subject Access Request is provided to your organization by email.

Disaster Recovery/Business Continuity Policies

VNTANA’s backup policies and procedures outline the different critical resources that are automatically backed up. All production data is backed up automatically twice a day onto separate infrastructure, and application-level exports are performed on our various tools and databases.


All infrastructure configurations, including the CI and CD pipelines, are written as code. The actual platform configuration code is stored in the Bitbucket code repository under the VNTANA account. All cloud tool credentials are kept in VNTANA’s password manager. This allows recovery of all compute instances by rebuilding each instance from VNTANA’s configuration management automation.

VNTANA’s systems are designed to support a recovery point objective (RPO) of 0 hours (that is, the ability to restore to any version of any object as it existed in the prior 30-day period).


VNTANA’s Disaster Recovery Plan is designed to ensure the continuation of vital business processes in the event of a disaster and supports a 12-hour recovery time objective (RTO). The DRP is exercised once a year to measure recovery effectiveness.


Vulnerability Management

VNTANA performs periodic web application vulnerability assessments, static code analysis, and external dynamic assessments as part of its continuous monitoring program to help ensure application security controls are properly applied and operating effectively.


On a semi-annual basis, VNTANA hires independent third-party penetration testers to perform both network and web vulnerability assessments. The scope of these external audits includes compliance against the Open Web Application Security Project (OWASP) Top 10 Web Vulnerabilities (www.owasp.org).


Vulnerability assessment results are incorporated into VNTANA’s software development lifecycle (SDLC) to remediate identified vulnerabilities. Specific vulnerabilities are prioritized and entered into VNTANA’s internal ticket system for tracking through resolution.


Incident Response

In the event of a potential security breach, the VNTANA Incident Response Team will perform an assessment of the situation and develop appropriate mitigation strategies. If a potential breach is confirmed, VNTANA will immediately act to mitigate the breach and preserve forensic evidence and will notify impacted customers’ primary points of contact without undue delay to brief them on the situation and provide resolution status updates.

Data Security and Encryption

VNTANA offers the following options for encryption of data at rest:

  • Data is encrypted using AES-256 server-side encryption via a key management system validated under FIPS 140-2.
  • Encryption keys are rotated no less than every two years.


For data in transit, traffic between VNTANA and any third party is sent over HTTPS using TLS 1.2 or later.

Monitoring and Auditing

VNTANA systems and networks are monitored for security incidents, system health, network abnormalities, and availability.


An intrusion detection system (IDS) is used to monitor network activity and alert VNTANA of suspicious behavior.


Web application firewalls (WAFs) are used for all public web services.


VNTANA logs application, network, user, and operating system events to a local syslog server and a region-specific SIEM. These logs are automatically analyzed and reviewed for suspicious activity and threats. Any anomalies are escalated as appropriate.


VNTANA’s incident response team monitors the security channels and responds according to the company’s Incident Response Plan (IRP) when appropriate.


Hosting

VNTANA instances and storage are hosted on Google Cloud Platform (GCP) in the USA.


GCP is a top-tier, secure facility that holds the following accreditations: SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2, and more. The data centers are protected by the strictest security controls and physical access to the servers is restricted to authorized personnel only.


VNTANA’s services run on our own VPC (Virtual Private Cloud) inside GCP in order to further isolate our networks in accordance with network and security best practices.


Web Application Security Controls

Customer access is performed only via HTTPS (TLS1.2+), establishing the encryption of the data in transit between the end-user and the application.


Customer administrators can provision and deprovision users and associated access as necessary.

VNTANA provides role-based access controls to enable customers to manage multi-organization permissions.


Access to VNTANA services can be restricted by source IP address.


Account Isolation

Linux sandboxing is used to isolate customer accounts’ data during processing, helping to ensure that any anomaly (for example, due to a security issue or a software bug) remains confined to a single VNTANA account.


Tenant data access is controlled through unique IAM users with data tagging that disallows unauthorized users from accessing the tenant data.

Dedicated Security Team

VNTANA has a dedicated security team with many years of combined multi-faceted information security experience.

Background Checks

VNTANA performs criminal background checks of its personnel who may have access to customers’ data, based on the employee’s jurisdictions of residence during the prior seven years, subject to applicable law.