Trust & Security

SAI360 delivers Integrated Risk Management (IRM) solutions that are scalable, secure, reliable and redundant. We deploy SaaS applications architected with the highest compliance and up-time standards. Our hosting is fully virtualized, engineered for redundancy and reliability, avoiding any single point of failure.

Security and Compliance

• Detailed and continuous vulnerability scanning, virus scanning and intrusion prevention
• All systems are housed in ISO27001 certified data centers owned and managed by global leaders
• All systems are operated and managed by the SAI360 hosting service which is ISO27001:2013 certified globally
• SOC2 Type 2 report (SSAE18)*
• Independent Practitioner’s Report on the information security program for the Integrated Risk Management solutions (SAI360) system related to HIPAA and HITECH

*The 2018 SOC2 examination scope was on the SAI360 Integrated Risk Management platform as hosted in the Americas. The July 2019 examination scope has been extended to include the SAI360 Integrated Risk platforms hosted in the Australia and the UK data centers, and operation in AWS (Germany). The 2019 reports will also expand to include the SOC1 Type 2 (SSAE2018) and ISAE3402 reports.

Data Centers

SAI360 runs its applications in regionalized data centers, including Sydney, Atlanta, and Milton Keynes. The key tenets of our data centers are:

• Data center service provider is responsible for physical and environmental security of our systems
• ISO 27001 Certified co-location centers
• 24×7 guarded
• Access to systems is limited to SAI360 hosting services personnel

Data Storage, Backup and Recovery

SAI360 has implemented secured onsite and offsite backups to ensure a seamless experience for your critical risk management systems.

• Customer data is stored on an enterprise storage array providing maximum performance, protection and data integrity, and in APAC & Americas, storage encryption.
• Offsite disaster recovery replication in real-time, with RPO of one hour and RTO of four hours.
• Daily data backups are replicated over our private network to the DR site under SAI360 control at all times.
• We keep 28 days of full database back-ups onsite, and 12 months offsite.

Network Security

SAI360 segments sensitive production servers and data behind a state of the art firewall.

• SAI360 uses restrictive firewall policies for perimeter defense and a 3 tiered architecture which provides multiple segregated security zones for maximum data protection, from external, or internal attacks.
• We monitor production systems and network components, including internal system performance metrics, database health.
• We commission trusted third parties to undertake regular external network and web application penetration tests.
• We undertake weekly internal vulnerability scans of all systems and infrastructure, with annual network and web application pen tests.

Application Security and Authentication

SAI360 provides extensive self-service control to each of our customers and has applied strong security measures by default.

• Passwords are encrypted using SHA 256 hashing algorithm. Data encryption at rest is defined per application and per customer requirements; when used, encrypted data will use AES256 bit as a minimum.
• The application is entirely rights and role-driven; users only see what they have been given permission to see.
• The application supports Single Sign-On (SSO), which requires users to be authenticated via their identity provider using the SAML 2.0 or Shibboleth protocols.
• All data access occurs through the application via HTTPS (TLS l.2); direct access to the database is never afforded.
• If not using SSO, password attributes are configurable by each customer including password complexity, password history and password reuse, failed login attempt count and lockout time, and challenge questions.
• Application access can be limited to one or more ranges of IP addresses.

Integrations

SAI360 provides several methods of integration with third party applications using web services and data integration tools. Local applications can also be integrated with SAI360’s solutions. Third-party integration consulting is available.