Information security

Information security is our priority. We continuously develop and perfect our security systems, policies and procedures to meet industry best practices.

Last revised: January 25, 2022

Certification

Xpertdoc – An Experlogix Brand (“Xpertdoc”) complies with the rigorous certification requirements of ISO/IEC 27001:2013. This international standard provides guidance, methodology and processes to attain compliance in data protection, privacy and IT governance. For more information, please visit: https://www.iso.org/isoiec-27001-information-security.html.

Physical Security

Xpertdoc data centers run on the Microsoft Azure infrastructure. Azure provides a secure foundation across physical, infrastructure and operational security:

  • Microsoft-managed networks and customer networks are isolated in Azure to improve performance and ensure the traffic moving through the platform is secure.
  • Security controls are integrated within the firmware and hardware of Azure to ensure that the platform is secure by default and continues to be secure throughout its lifetime.
  • Microsoft has thousands of cyber security experts who work 24/7/365. Microsoft’s scale of investment in infrastructure, hardware and experts is unparalleled. Microsoft provides a secure infrastructure for Xpertdoc data centers, which are composed of segregated networks, well-maintained hardware and firmware, and industry-leading operational security processes.

For more information, please visit: https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security.

Xpertdoc Infrastructure

Xpertdoc services are regionally hosted in the Microsoft Azure public cloud. These services are located as close as possible to our customers, with current sites available in the USA, the Netherlands, the UK, and Canada. This flexibility in deployment ensures that Xpertdoc meets its customers’ compliance requirements. In each region, multiple geographically dispersed Azure data centers are mirrored with each other for fault tolerance and business continuity.

Microsoft Azure complies with the EU-U.S. Privacy Shield and EU Model Clauses, and is certified Cloud Security Alliance STAR at the Gold level. Microsoft is compliant with the ISO 27001 certification requirements and its cloud services are implemented following the ISO 27017 code of practice. SOC certification and other compliance offerings can be found via https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings.

GDPR Compliance

The General Data Protection Regulation 2016/679 (GDPR) is the European Union regulation that sets the guidelines for the protection and privacy of individuals residing in the European Union. At Xpertdoc, we continuously review the requirements of the GDPR to meet regulations regarding the lawful transfer of EU data. For more information, please visit: https://gdpr-info.eu/.

Availability

Xpertdoc maintains geographically diverse data centers and leverages the high availability architecture of Microsoft Azure where possible. Database uptime leverages Microsoft’s clustering technologies; Xpertdoc’s SaaS offering can optionally be complemented with load balancing of the application server. Our systems are protected by scheduled backups (at minimum daily), while our databases are protected by real-time backups allowing restore to any point in time, up to the millisecond, within a database’s retention period. All backups are encrypted.

System Alerts and Monitoring

At Xpertdoc, we continuously monitor application servers and infrastructure, with a response team on call 24/7/365. Escalation channels are in place to ensure prompt response and quick resolution times. Critical alerts generated by these systems are sent to on-call team members and escalated appropriately to Operations and IT Management.

Storage

Xpertdoc stores customer data and document data (such as metadata, activity and original files) in different locations. Documents can come from external systems or be dynamically generated through the Xpertdoc software. All data stored within our software is encrypted at rest using the 256-bit Advanced Encryption Standard (AES). Data in flight is served over HTTPS, leveraging TLS encryption.

Account Provisioning and Access Control

The Xpertdoc software supports authentication of native and external users. For native users, account passwords are stored in the database as a one-way hash, with roles assigned directly within the software. External users can benefit from Single Sign-On (SSO) authentication with support for OAuth2/SAML sources. This is usually the recommended approach, as it facilitates user management and increases security: OAuth2/SAML relies on the existing role management in the customer’s source application.

Coding and Testing Practices

Xpertdoc employs industry-standard programming practices, including documented development and quality assurance processes (SDLC). Our multi-phase process validates the quality of the code that goes into production. The code must be reviewed by different parties before being tested by a dedicated quality-assurance team; only then is the code integrated into the final product. We also follow guidelines such as the NIST and OWASP publications to ensure our applications meet security standards.

Firewalls and Intrusion Prevention

Xpertdoc operates secure data networks protected by industry-standard firewall and password protection systems. We use firewalls as one component of a layered approach to application infrastructure security. To control access and allow only authorized traffic to the Xpertdoc infrastructure, both internally and externally managed firewalls are used. In addition, any traffic that does not comply with Xpertdoc’s security guidelines is discarded at the Internet boundary.

Anti-virus and Malware Controls

Xpertdoc leverages best-in-class tools to monitor for and block viruses and malware behavior. This includes cloud-based protection against emerging threats.