
Security

OrcaSmart delivers Software as a Service (SaaS) solutions to a global clientele, addressing their diverse business challenges. Central to our value proposition is an unwavering commitment to security, which is deeply embedded in our personnel, methodologies, and product suite. This page delves into areas such as data protection, operational safeguards, and infrastructural security, detailing our comprehensive approach to ensuring our customers' peace of mind.

Overview

At OrcaSmart, we recognize that security isn't just a feature; it's a necessity. Our security approach is multifaceted, ensuring that every angle of potential vulnerability is addressed. Here's a breakdown of the core components of our security strategy:

Data Protection:

Customer data is encrypted both in transit and at rest using strong encryption standards. When data is in motion, we apply Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol. When data is at rest, we apply encryption using 256-bit Advanced Encryption Standard (AES). We own and maintain the keys using our in-house Key Management Service (KMS).

Operational Security:

We have adopted industry best practices in the design of our solution and have standardized our processes to protect against threats. This includes regular security audits, vulnerability assessments, penetration tests and patch management.

Physical Security:

We do not have any local data centers, as all of our data storage and processing is performed by a cloud provider. Access to the cloud is secured through multifactor authentication, as controlled and designed by the cloud service provider.

Employee Training:

Each and every employee signs a confidentiality agreement and an acceptable use policy. We mandate that each employee completes initial information security training and periodic training that is designed to focus on emerging threats.

Network Security:

Our network security is designed to provide multiple layers of protection and defense. We have implemented firewalls, intrusion detection systems, and DDoS protection to safeguard our network from potential threats.

Application Security:

We have introduced the secure development life cycle into our process. We develop our code in a segregated development environment. Once ready, it is moved into the segregated Quality Control and Review environment. Once the code is reviewed and approved, it is ready to be moved into production. Only technologists who do not work in Development or Quality Control can move code into production. Prior to any code being moved into production, the present code in production is copied and saved. If the new production code develops a bug, we can pull it out of production, send it back to development, and reinstate the previous code. The production code is regularly updated and tested to identify and rectify vulnerabilities.

Incident Response:

We have a clear and established protocol in case of security breaches. This ensures swift action, minimal damage, and transparent communication with stakeholders. We have a policy in place that, should a breach of our security protocols happen, we will immediately notify all of our customers and partners as soon as we are aware of the situation.

Vendor and Third-party Management:

We only select vendors and third-party service providers who have established security protocols in place that meet our defined expectations.

Customer Control:

We require that our customers adhere to our password security requirements. This requires that our customers use a unique strong password and protect it. We require that users use the latest browser and mobile OS versions to ensure that they are patched against vulnerabilities.

Compliance:

We ensure that our practices and processes adhere to global security standards and regulations.

Through these components, we strive to create a security ecosystem that not only protects our services but also instills confidence in our users, letting them focus on what's essential - growing their business.
