Our Security & Trust center provides you with the latest information regarding technical security and data privacy.
Secure access management is a key cornerstone of any tech-enabled business. Using a SASE architecture, we validate and authenticate at every key decision point in a context-based fashion (considering the user's device, its state, its location and so on).
People can be the weakest link, but they can also turn into a strong point. This is how we look at it within Alasco. Our teams undergo a dedicated security onboarding, where we create awareness around key threat scenarios that are important for our company.
To secure data during day-to-day work, we rely on a strong foundation. Alasco uses Google Workspace (Enterprise), end-to-end encrypted communication channels and further dedicated solutions to ensure data is protected at all times.
To further enhance the security posture of our AWS environment, our teams have deployed dedicated security tooling that runs continuous security checks, namely Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM) solutions.
In addition to leveraging serverless concepts such as AWS Fargate as much as possible, we deploy safeguards in every runtime we manage. This includes Endpoint Detection & Response (EDR) and Vulnerability Management (VM) solutions that monitor our environment for indicators of compromise.
Taking the attacker's viewpoint is an important and high-leverage strategy for defending against attacks. At Alasco, we aim to tightly control our external attack surface to minimize the entry points an attacker could exploit.
Alasco's infrastructure perimeter is protected through Cloudflare's edge network and its connected Web Application and API Protection (WAAP) capabilities. This added layer of security protects against zero-day exploits, volumetric attacks and more.
Alasco's EU-based data hosting is among the key infrastructure design decisions that were made early on. AWS is an explicit part of our security model, providing Alasco with state-of-the-art technology, safeguards and compliance with industry standards.
Alasco applies stringent data segregation principles. This means that our customers' data is logically separated at the storage level with tight access control rules, such that access is only granted to authorized people, even within Alasco.
Encryption is an important piece of Alasco's data security strategy. Whenever data is transferred between our systems, we rely on Transport Layer Security (TLS) for encryption in transit. This prevents eavesdropping. For data stored "at rest", we leverage native AWS features to encrypt our data stores by default (S3, RDS, EBS).
Alasco is investing in a close relationship with the cyber security community, and we greatly value their help identifying vulnerabilities in our products. Our Vulnerability Reward Program was developed to honor all the external contributions that help us keep our services safe.
Our process for managing incidents specifies actions, escalations, mitigation, resolution, and notifications of any potential incidents impacting the security of our platform or data.
Our Security Team takes this risk-centric perspective by regularly conducting threat modeling workshops to determine where we may have gaps or room for improvement.
Our platform's authentication is based on Auth0 technology (an Okta company). We support the integration of external identity providers if you would like to connect Alasco to your company-internal workplace IdP.
Yes.
Yes, we can provide this upon request.
Our application is hosted on AWS in EU regions and is subject to and compliant with the EU GDPR.
For data in transit, it is industry standard to rely on TLS with strong cipher suites for encryption. Alasco does so for incoming HTTP traffic and for connections between internal services.
For persistent storage, our application is hosted on AWS and we rely on several AWS-native storage mechanisms (RDS, S3, SNS, SQS). Whenever possible, we activate and utilise AWS-native encryption mechanisms. RDS, for example, encrypts data with cryptographic keys that are stored in AWS KMS. AES-256 is used to encrypt RDS storage, backups, read replicas, snapshots and so on.
Our general design principles are based on zero-trust and need-to-know principles. As such, only dedicated client account managers require such access. In addition, our technology department, which runs the platform, has access to the underlying infrastructure and databases.
Yes. Our Security Team takes care of the company's security program, annual targets, design principles, architecture decisions and so on. You can find a lot of related information in our Security & Trust Center on our website under https://www.alasco.de/security/
Keeping our customers' data safe is of utmost priority to us, and we continue to invest in best-in-class tooling to deliver on this promise.
Yes. Specifically, we adhere as much as we can to the following standards:
SOC2 Type II
ISO 27001
CIS AWS 1.4.0
NIST 800-171 Rev2
AWS Well Architected
Attestation and benchmarks for select scopes can be provided upon request.
We select our service providers with security and compliance in mind. As such, key parties in our provider ecosystem are 100% compliant with industry security standards such as SOC2 Type II or ISO 27001. Alasco regularly evaluates suppliers in a prioritized fashion according to these requirements.
Alasco itself has not undergone an audit with certified attestation just yet. Our security framework goes well beyond what industry standards demand; however, based on our customers' feedback, investing in the time-consuming process of annual audits and maintaining compliance has not proven necessary to date.
Yes. We conduct different forms of testing in cycles.
Most importantly, we run a state-of-the-art, 24/7 vulnerability reward program to detect potential issues as early as possible. Further, we conduct penetration tests and inside-out security audits multiple times per year.