FAQ

Product Security

How does Alasco ensure login security and secure user access management?

Our platform’s authentication is based on Auth0 technology (an Okta company). We support the integration of external identity providers if you would like to connect Alasco to your company-internal workplace IDP.

Does Alasco's platform authentication support MFA?

Yes.

Can user activity or audit trails be exported for access transparency?

We can provide this upon request.

Data Security

Where does Alasco process or store customer data?

Our application is hosted on AWS in EU regions, subject and compliant to EU-GDPR regulations.

Does Alasco encrypt my data in transit and at rest?

As for data in transit, it is industry standard to rely on TLS with strong ciphers for encryption. So do we at Alasco for incoming HTTP traffic and connections between internal services.

For persistent storage, our application is hosted on AWS and we rely on several AWS-native storage mechanisms (RDS, S3, SNS, SQS). Whenever possible, we activate and utilise AWS-native encryption mechanisms. RDS as an example is encrypting data with cryptographic keys that are stored in AWS KMS. AES-256 is used to encrypt RDS storage, backups, read replicas, snapshots and so on.

Who has access to the data that Alasco is managing?

Our general design principles are based on zero-trust and need-to-know principles. As such, only dedicated client account managers require such access. In addition, our technology department, who runs the platform, has access to the underlying infrastructure and databases.

Governance, Risk, Compliance

Does Alasco have an Information Security Program?

Yes. Our Security Team takes care of the company’s security program, annual targets, design principles, architecture decisions and so on. You find a lot of related information in our Security & Trust Center on our website under https://security.alasco.de

Keeping our customer’s data safe is of utmost priority to us and we continue to invest in best-in-class tooling to deliver on this promise.

Is Alasco's Security Program aligned with industry standards?

Yes. Specifically, we adhere as much as we can to the following standards:

SOC2 Type II

ISO 27001

CIS AWS 1.4.0

NIST 800-171 Rev2

AWS Well Architected

Attestation and benchmarks for select scopes can be provided upon request.

Does Alasco hold any 3rd party compliance attestations for security?

We select our service providers with security and compliance in mind. As such, key parties in our provider ecosystem are 100% compliant with industry security standards such as SOC2 Type II or ISO 27001. Alasco regularly evaluates suppliers in a prioritized fashion according to these requirements.

Alasco itself has not undergone an audit with certified attestation just yet. Our security framework goes much beyond what industry standards are demanding, however based on our customer’s feedback, investing in the time consuming process of annual audits and maintaining compliance has not proven to be practically necessary until today.

Does Alasco regularly undergo penetration testing by a 3rd party firm?

Yes. We conduct different forms of testing in cycles.

Most importantly, we run a state-of-the-art, 24/7 vulnerability reward program to detect potential issues as early as possible. Further, we conduct penetration tests and inside-out security audits multiple times per year.