Our platform’s authentication is based on Auth0 technology (an Okta company). We support the integration of external identity providers if you would like to connect Alasco to your company-internal workplace IdP.
We can provide this upon request.
Our application is hosted on AWS in EU regions and is subject to, and compliant with, the EU GDPR.
For data in transit, the industry standard is TLS with strong cipher suites. Alasco applies this to incoming HTTP traffic and to connections between internal services.
For persistent storage, our application is hosted on AWS and relies on several AWS-native storage mechanisms (RDS, S3, SNS, SQS). Wherever possible, we enable and use AWS-native encryption mechanisms. RDS, for example, encrypts data with cryptographic keys stored in AWS KMS; AES-256 is used to encrypt RDS storage, backups, read replicas, snapshots and so on.
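The two statements above (EU-only hosting and RDS encryption at rest with KMS keys) are the kind of claims a customer reviewer typically wants to verify rather than take on trust. The script below is an added illustration of such a check and is not Alasco's own tooling: it reads JSON in the shape returned by `aws rds describe-db-instances` and `aws rds describe-db-snapshots` and reports every instance that is not encrypted, every instance hosted outside an allowed region, and every unencrypted snapshot (snapshots and backups are where an otherwise-encrypted database most often leaks). The sample JSON is constructed for this example; the instance names, account id and key ARNs are placeholders, and the allowed-region set is an assumption.

```python
"""Audit RDS encryption at rest and hosting region.

Added example, not Alasco's code. Input is the JSON shape produced by
`aws rds describe-db-instances` and `aws rds describe-db-snapshots`
(only the fields the check needs). All identifiers, account ids and
KMS key ARNs below are constructed placeholders.
"""
import json

# Assumption: the EU regions that are in scope for hosting.
ALLOWED_REGIONS = {"eu-central-1", "eu-west-1"}

# Constructed sample of `aws rds describe-db-instances` output (subset of fields).
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "app-prod",
     "DBInstanceArn": "arn:aws:rds:eu-central-1:111122223333:db:app-prod",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER-KEY-1"},
    {"DBInstanceIdentifier": "reporting-legacy",
     "DBInstanceArn": "arn:aws:rds:eu-central-1:111122223333:db:reporting-legacy",
     "StorageEncrypted": False},
    {"DBInstanceIdentifier": "analytics-us",
     "DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:analytics-us",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-2"},
]})

# Constructed sample of `aws rds describe-db-snapshots` output (subset of fields).
SAMPLE_SNAPSHOTS = json.dumps({"DBSnapshots": [
    {"DBSnapshotIdentifier": "app-prod-2024-01-01",
     "DBInstanceIdentifier": "app-prod", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER-KEY-1"},
    {"DBSnapshotIdentifier": "reporting-legacy-2024-01-01",
     "DBInstanceIdentifier": "reporting-legacy", "Encrypted": False},
]})


def region_from_arn(arn: str) -> str:
    """ARN layout is arn:partition:service:region:account:resource; field 3 is the region."""
    return arn.split(":")[3]


def audit_rds(instances_json: str, snapshots_json: str,
              allowed_regions=ALLOWED_REGIONS) -> list:
    """Return one finding dict per violated expectation.

    Checks performed:
      * every instance reports StorageEncrypted == True (the RDS encryption-at-rest
        control in the CIS AWS Foundations Benchmark)
      * every instance lives in an allowed region (GDPR hosting claim)
      * every snapshot reports Encrypted == True
    """
    findings = []
    for inst in json.loads(instances_json).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        if not inst.get("StorageEncrypted", False):
            findings.append({"resource": ident, "check": "storage_encrypted",
                             "detail": "StorageEncrypted is false"})
        region = region_from_arn(inst["DBInstanceArn"])
        if region not in allowed_regions:
            findings.append({"resource": ident, "check": "allowed_region",
                             "detail": f"hosted in {region}"})
    for snap in json.loads(snapshots_json).get("DBSnapshots", []):
        if not snap.get("Encrypted", False):
            findings.append({"resource": snap["DBSnapshotIdentifier"],
                             "check": "snapshot_encrypted",
                             "detail": "Encrypted is false"})
    return findings


def failing_checks(findings) -> list:
    """Distinct check names that produced at least one finding, sorted."""
    return sorted({f["check"] for f in findings})


if __name__ == "__main__":
    for f in audit_rds(SAMPLE_INSTANCES, SAMPLE_SNAPSHOTS):
        print(f"{f['check']:20} {f['resource']:30} {f['detail']}")
```

On the constructed sample this reports three findings: the unencrypted `reporting-legacy` instance, the `analytics-us` instance hosted in `us-east-1`, and the unencrypted snapshot taken from `reporting-legacy`. Against a real account you would pipe the two CLI commands' output into `audit_rds` and treat any non-empty result as a deviation from the stated posture.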
Our general design principles are based on zero-trust and need-to-know principles. As such, only dedicated client account managers require such access. In addition, our technology department, which runs the platform, has access to the underlying infrastructure and databases.
Governance, Risk, Compliance
Yes. Our Security Team takes care of the company’s security program, annual targets, design principles, architecture decisions and so on. You can find more related information in our Security & Trust Center on our website at https://security.alasco.de
Keeping our customers’ data safe is of the utmost priority to us, and we continue to invest in best-in-class tooling to deliver on this promise.
Yes. Specifically, we adhere as much as we can to the following standards:
SOC2 Type II
CIS AWS 1.4.0
NIST 800-171 Rev2
AWS Well Architected
Attestation and benchmarks for select scopes can be provided upon request.
We select our service providers with security and compliance in mind. As such, key parties in our provider ecosystem are 100% compliant with industry security standards such as SOC2 Type II or ISO 27001. Alasco regularly evaluates suppliers, in order of priority, against these requirements.
Alasco itself has not yet undergone an audit with certified attestation. Our security framework goes well beyond what industry standards demand; however, based on our customers’ feedback, investing in the time-consuming process of annual audits and maintaining compliance has not proven practically necessary to date.
Yes. We conduct different forms of testing in cycles.
Most importantly, we run a state-of-the-art, 24/7 vulnerability reward program to detect potential issues as early as possible. In addition, we conduct penetration tests and inside-out security audits several times per year.