Data Protection Measures
Product security & reliability
SAML SSO, IP Whitelisting, audit and change logs, RBAC, customer separation, and many other security features are included in Safeture to assure best-in-class protection.
Safeture supports SAML Single Sign-on (SSO), which enables administrators to control who has access to Safeture using their existing identity provider/SSO solution, such as Azure Active Directory, OneLogin, Okta, G Suite, and others.
Role-Based Access Controls
Role-based access controls govern data access within the Safeture application (RBAC). Users can be assigned to permission levels in Safeture (end-users, local admins, super admins, country admins). Password and Credential Storage
Safeture uses the PBKDF2 (Password-Based Key Derivation Function 2) function to generate password hashes and enforces a complex password standard (minimum of 10 letters, at least one capital letter, at least one lower case letter, and at least one number). This only applies to clients who do not have SSO enabled. Password hashes are not stored in the Safeture database for customers that use SSO.
Safeture can be configured to only allow access from designated IP address ranges.
Two-factor authentication is enabled by default and is enforced on administrators unless SSO is enabled. The 2FA-code can be provided to the Safeture Mobile App through push notifications, by e-mail and/or by SMS (default).
Safeture’s security and availability architecture is based on ISO/IEC 27002:2013 controls, ensuring best-practice protection policies are implemented in accordance with industry standards. Physical Security & Data Hosting
Safeture uses Fortlax and AddPro data centers, both of which are ISO/IEC 27001:2013 certified. The data and services are hosted in Sweden and are not subject to the US Cloud Act.
Dedicated Security Team
Safeture’s security team is on call 24/7 to respond to security events and incidents.
Intrusion Detection and Prevention
Safeture has designed multiple layers of security monitoring to detect anomalous behavior. Where behaviors are detected outside the accepted scope, the 24/7 on-duty security team starts investigating and takes the appropriate action.
Access to the Safeture production environment is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited, continuously monitored, and is controlled by our Operations Team. A restricted group of DevOps personnel has access to the Safeture production environment and they are required to use multiple factors of authentication.
Failover and DR
Safeture was built with disaster recovery in mind. All infrastructure and data are spread across the two data centers and will continue to operate, should any one of those data centers fail.
Virtual Data Centres
All Safeture servers are within our own virtual data centers (VCenter) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.
Back Ups and Monitoring
On an application level, Safeture produces audit logs for all internal and customer admin activities, ships logs to a central Graylog for analysis, and uses the hosting provider’s backup solution for archive purposes. All actions taken on production consoles or in the Safeture application are logged.
Permissions and Authentication
Access to customer data is limited to authorized privileged employees who require it for their role responsibilities. Safeture runs a zero-trust corporate network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on all hosting services to ensure protected access.
All data sent to or from Safeture is encrypted in transit using HTTPS/TLS1.2+. Our API and application endpoints are minimum TLS1.2 and score an “A+” rating on Qualys SSL Labs‘ tests. This ensures we only use strong and correct cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.
Pentests & Vulnerability Scanning
Annually, we engage alternating independent third-party security experts to perform detailed penetration tests on the Safeture application and network, and full source code reviews. Customers are also welcome to perform their own independent penetration tests.
Security Incident Response
In case of a system alert, events are escalated to Safeture’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. All incidents are logged according to the incident management policy.
Safeture practices extensive processes and controls to ensure application security. All Safeture engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.
Secure Software Development Lifecycle (SSDLC)
At least annually, engineers participate in secure software training covering OWASP Top 10 security risks, common attack vectors, and Safeture security controls. All developers are required to follow the SSDLC.
Framework Security Controls
Safeture leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically and physically separated from the Production environment. No customer data is used in our development or test environments.
At Safeture we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple organizational controls. Security Organization
|CEO||Chief Executive Officer|
|CSO||Chief Security Officer|
|DPO||Data Protection Officer|
|CTO||Chief Technology Officer|
|CIO||Chief Information Officer|
|Q&R||Quality and Regulatory Functions|
|SSG||Information Security Steering Group|
Asset Management and Risk Assesment
All critical assets have an appointed asset and risk owner and are continuously evaluated in accordance with ISO/IEC 27005:2018.
Development and Operations Team
All DevOps employees are located in Sweden and the whole solution is developed in-house. DevOps employees are always trained on the latest security threats.
All employees complete Security and Awareness training at least annually and as part of the employee onboarding.
Safeture has developed a comprehensive set of security policies based on the ISO/IEC 27002:2013 framework. These policies are updated frequently and communicated to all employees. All employees are also required to sign an NDA and an ethics policy that governs the code of conduct.
Safeture performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.
Safeture has built its Information Security Management System based on the ISO/IEC 27002:2013 controls to ensure the best practice protection controls are implemented based on industry standards and we are compliant with applicable local, federal, and state regulations, as well as industry standards.
ISO/IEC 27001:2013 certification
Safeture’s hosting providers are ISO/IEC 27001:2013 certified.
Privacy & Data Protection
Data Processing Agreement
GDPR and CCPA
Safeture is fully GDPR and CCPA compliant.
The official list of sub processors can be found here.
End User Privacy
End users are in full control of their location privacy via the landing page of the app.
For information on Safeture’s legal and privacy terms, please visit Safeture Terms of Service.