Table of contents

Data Protection Measures

Protecting your data is our top priority. Below you find all security features included in the Safeture Platform to assure best-in-class protection.

Product security & reliability

SAML SSO, IP Whitelisting, audit and change logs, RBAC, customer separation, and many other security features are included in Safeture to assure best-in-class protection.

SSO

Safeture supports SAML Single Sign-on (SSO), which enables administrators to control who has access to Safeture using their existing identity provider/SSO solution, such as Azure Active Directory, OneLogin, Okta, G Suite, and others.

Role-Based Access Controls

Role-based access controls governs data access within the Safeture application (RBAC). Users can be assignedd to permission levels in Safeture (end users, local admins, super admins, country admins).Password and Credential Storage

Safeture uses the PBKDF2 (Password-Based Key Derivation Function 2) function to generate password hashes and enforces a complex password standard (minimum 10 letters, at least one capital letter, at least one lower case letter, and at least one number). This only applies to clients who do not have SSO enabled. Password hashes are not stored in the Safeture database for customers that use SSO.

IP Whitelisting

Safeture can be configured to only allow access from designated IP address ranges.

Two-factor Authentication

Two-factor authentication is enabled by default and is enforced on administrators unless SSO is enabled. The 2FA-code can be provided to the Safeture Mobile App through push notifications, by e-mail and/or by SMS (default).

Hosting Security

Safeture’s security and availability architecture is based on ISO/IEC 27002:2013 controls, ensuring best-practice protection policies are implemented in accordance with industry standards.Physical Security & Data Hosting

Safeture uses Fortlax and AddPro data centers, both of which are ISO/IEC 27001:2013 certified. The data and services are hosted in Sweden and are not subject to the US Cloud Act.

Dedicated Security Team

Safeture’s security team is on call 24/7 to respond to security events and incidents.

Intrusion Detection and Prevention

Safeture has designed multiple layers of security monitoring to detect anomalous behavior. Where behaviors are detected outside the accepted scope, the 24/7 on-duty security team starts investigating and takes the appropriate action.

Logical Access

Access to the Safeture production environment is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited, continuously monitored, and is controlled by our Operations Team. A restricted group DevOps personnel has access to the Safeture production environment and are required to use multiple factors of authentication.

Failover and DR

Safeture was built with disaster recovery in mind. All infrastructure and data are spread across the two data centers and will continue to operate, should any one of those data centers fail.

Virtual Data Centres

All Safeture servers are within our own virtual data centres (VCenter) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.

Back Ups and Monitoring

On an application level, Safeture produces audit logs for all internal and customer admin activities, ships logs to a central Graylog for analysis, and uses the hosting provider’s back up soloution for archive purposes. All actions taken on production consoles or in the Safeture application are logged.

Permissions and Authentication

Access to customer data is limited to authorized privileged employees who require it for their role responsibilities. Safeture runs a zero-trust corporate network. We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on all hosting services to ensure protected access.

Encryption

All data sent to or from Safeture is encrypted in transit using HTTPS/TLS1.2+. Our API and application endpoints are minimum TLS1.2 and score an “A+” rating on Qualys SSL Labs‘ tests. This ensures we only use strong and correct cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using an industry-standard AES-256 encryption algorithm.

Pentests & Vulnerability Scanning

Twice a year we engage alternating independent third-party security experts to perform detailed penetration tests on the Safeture application and network, and full source code reviews. Customers are also welcome to perform their own indenpendant penetration tests.

Security Incident Response

In case of a system alert, events are escalated to Safeture’s 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths. All incidents are logged according to the incident management policy.

Application Security

Safeture practices extensive processes and controls to ensure application security. All Safeture engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.

Secure Software Development Lifecycle (SSDLC)

At least annually, engineers participate in secure software training covering OWASP Top 10 security risks, common attack vectors, and Safeture security controls. All developers are required to follow the SSDLC.

Framework Security Controls

Safeture leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance

Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments

Testing and staging environments are logically and physically separated from the Production environment. No customer data is used in our development or test environments.

HR Security

At Safeture we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple organizational controls.Security Organization

CEOChief Executive Officer
CSOChief Security Officer
DPOData Protection Officer
CTOChief Technology Officer
CIOChief Information Officer
Q&RQuality and Regulatory Functions
SSGInformation Security Steering Group

Asset Management and Risk Assesment

All critical assets have an appointed asset and risk owner and are continiously evaluated in accordance with ISO/IEC 27005:2018.

Development and Operations Team

All DevOps employees are located in Sweden and the whole solution is developed in-house. DevOps employees are always trained on the latest security threats.

Training

All employees complete Security and Awareness training atleast annually and as part of the employee onboarding.

Policies

Safeture has developed a comprehensive set of security policies based on the ISO/IEC 27002:2013 framework. These policies are updated frequently and communicated to all employees. All employees are also required to sign an NDA and an ethics policy that governs the code of conduct.

Employee Screening

Safeture performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks, credit checks, deeper historical references and education verification.

Compliance

Safeture has built its Information Security Management System based on the ISO/IEC 27002:2013 controls to ensure the best practice protection controls are implemented based on industry standards and we are compliant with applicable local, federal and state regulations, as well as industry standards.

ISO/IEC 27001:2013 certification

Safeture’s hosting providers are ISO/IEC 27001:2013 certified.

Privacy & Data Protection

Privacy Policy

Privacy policy (Section 4)

Data Processing Agreement

Data Processing Agreement (Section 2)

GDPR and CCPA

Safeture is fully GDPR and CCPA compliant.

Sub Processors

The official list of sub processors can be found here.

End User Privacy

End users are in full control of their location privacy via the landing page of the app.

Legal Resources

For information on Safeture’s legal and privacy terms, please visit Safeture Terms of Service.