Security and Compliance
Compliance Certifications
Consoltec does whatever it takes to deserve your trust, now and in the future.
Security
Consoltec places data protection and security at the heart of its concerns. Our commitment to information security is ongoing, reflected in the continuous improvement of our security program and the ongoing integration of best practices into our organization and platform.
Consoltec adheres to the principles of Secure by Design, using modern technologies that support agility, performance, reliability and availability. We also maintain a high level of information security and privacy, meeting the most stringent requirements of our customers.
People
Our employees play a crucial role in ensuring the security and privacy of the FlowFit application and your data. Here are some of the steps we take:
1. Background Checks
All candidates are required to successfully complete standard background and credit checks as part of the hiring process. They are also required to sign an NDA as part of their employment contract.
2. Roles & Responsibilities
R&D, IT & DevOps, Customer Support, and Sales & Marketing teams are made aware of their responsibilities in maintaining the security, confidentiality, integrity and availability of customer data.
3. Training
Consoltec provides information security and privacy training for new hires, and on an ongoing basis to all employees. In addition to this general information security and privacy training, more targeted training is also provided.
Application Security
Software Development Life Cycle
At Consoltec, we leverage the DevOps and Continuous Delivery models. Because our software and infrastructure delivery is highly automated and releases are frequent, security must be embedded into the SDLC rather than added at the end. Here is an overview of some of our security, privacy and quality assurance practices: requirements identification, requirements review, design reviews, development controls (e.g. static analysis, code reviews), automated and manual testing, automated vulnerability scans, change management and deployment controls.
Data Protection
- Your data is encrypted in transit using Transport Layer Security (TLS) 1.2.
- Your data is encrypted at rest using 256-bit AES.
- We protect your data from unauthorized access using multiple access management controls.
- Your data is backed up incrementally every hour, and completely every day.
Data Isolation
To ensure data and process isolation, each customer gets dedicated instances of the FlowFit application, segregated database and data stores. You only have access to your own data, and the same applies to all other clients.
Identity & Authentication
You can choose from two identity models with FlowFit:
1. SAML-based Single Sign-On (SSO)
- You can integrate FlowFit with your corporate identity provider or credential directory using Security Assertion Markup Language (SAML 2.0), so that authentication remains fully under your control.
2. FlowFit Cloud Accounts
- You can also manage user accounts directly in FlowFit.
- Configurable Password Policy
- Credentials are never stored in human readable format. We use a secure one-way hash algorithm with a salt.
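The two FlowFit Cloud Account points above (a configurable password policy, and credentials stored only as a salted one-way hash) are illustrated by the following added example. It is not Consoltec's code and does not describe FlowFit's actual parameters; the algorithm (PBKDF2-HMAC-SHA256), iteration count, record format and policy thresholds are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions, not FlowFit's actual settings).
# PBKDF2-HMAC-SHA256 with a per-credential random salt; the iteration count
# follows current OWASP guidance for this algorithm.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a one-way hash and return a self-describing record.

    Format: algorithm$iterations$salt_hex$digest_hex. Storing the salt and
    the work factor beside the digest lets the verifier recompute the hash,
    and lets the iteration count be raised later without a migration.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh, unpredictable salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        work = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, work)
    # compare_digest does not leak how many bytes matched through timing.
    return hmac.compare_digest(candidate, expected)


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """A small configurable password policy: minimum length plus character-class mix.

    The thresholds are illustrative defaults; a tenant administrator would set its own.
    """
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(classes) >= min_classes


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print(record)
    print("verify correct:", verify_password("Correct-Horse-Battery-9", record))
    print("verify wrong:  ", verify_password("correct-horse-battery-9", record))
```

Two properties are worth checking against any credential store: hashing the same password twice yields different records (the salt is random, so identical passwords across users are not detectable), and verification recomputes from the stored salt and work factor rather than trusting anything the client supplies.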
User Permission Assignment
Access to your FlowFit instance is governed by roles and access rights configured by your designated FlowFit Administrators.
FlowFit Tenant Access
Logical firewall
You may choose to restrict access to a specific IP range so that your FlowFit instance is only reachable from designated physical locations and through your organization's VPN.
We also support a per-user access policy that allows designated users to connect from outside those locations. For such users, you can also restrict the countries from which they may access your FlowFit instance using our IP geolocation access control feature.
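The following added example models the three controls just described (tenant IP range restriction, per-user roaming exception, and country restriction for roaming users) as one access decision. It is illustrative code, not Consoltec's implementation; the evaluation order, the fail-closed handling of unresolvable locations, and the GEO_TABLE (a constructed stand-in for a GeoIP database, built only from documentation prefixes) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for a GeoIP database, using RFC 5737 documentation prefixes.
# Assumption: the real feature resolves the client address with a geolocation provider.
GEO_TABLE: Dict[IPNetwork, str] = {
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "FR",
}


def country_of(ip) -> Optional[str]:
    """Longest-match is unnecessary here because the table prefixes do not overlap."""
    for network, country in GEO_TABLE.items():
        if ip in network:
            return country
    return None  # unknown location


@dataclass
class TenantPolicy:
    # Office ranges and VPN egress addresses: the tenant's designated locations.
    allowed_networks: Set[IPNetwork]
    # Users permitted to connect from outside allowed_networks.
    roaming_users: Set[str] = field(default_factory=set)
    # Countries roaming users may connect from; None means no country restriction.
    allowed_countries: Optional[Set[str]] = None


def is_access_allowed(policy: TenantPolicy, user: str, client_ip: str) -> Tuple[bool, str]:
    """Evaluate the tenant's network and geolocation rules for one login attempt.

    Returns (decision, reason) so the reason can be written to the audit log.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    if any(ip in network for network in policy.allowed_networks):
        return True, "client is inside a designated network"
    if user not in policy.roaming_users:
        return False, "user may only connect from designated networks"
    if policy.allowed_countries is None:
        return True, "roaming user, no country restriction"
    country = country_of(ip)
    if country is None:
        return False, "roaming user from an unresolvable location"  # fail closed
    if country in policy.allowed_countries:
        return True, f"roaming user from permitted country {country}"
    return False, f"roaming user from blocked country {country}"


# Constructed example tenant: one office range plus one VPN egress address,
# a single roaming user, and roaming permitted only from Canada and the US.
EXAMPLE_POLICY = TenantPolicy(
    allowed_networks={ipaddress.ip_network("198.51.100.0/24"),
                      ipaddress.ip_network("203.0.113.10/32")},
    roaming_users={"bob"},
    allowed_countries={"CA", "US"},
)

if __name__ == "__main__":
    attempts = [("alice", "198.51.100.20"), ("alice", "203.0.113.5"),
                ("bob", "203.0.113.5"), ("bob", "192.0.2.9"), ("bob", "100.64.0.7")]
    for user, ip in attempts:
        print(f"{user:6} {ip:16} -> {is_access_allowed(EXAMPLE_POLICY, user, ip)}")
```

The point a reviewer should look for in any such feature is the behaviour when geolocation cannot resolve the address: the example denies rather than defaulting to allow, so a gap in the GeoIP data cannot widen the tenant's perimeter.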
Vulnerabilities
Consoltec's Security Team uses a combination of automated and manual vulnerability scanning and exploitation tools to detect or confirm the presence of vulnerabilities in our SaaS infrastructure and application. The team is responsible for assessing, prioritizing and remediating confirmed vulnerabilities.
Penetration Testing
Consoltec also engages a third-party security firm to perform authenticated and unauthenticated penetration testing against Consoltec's SaaS infrastructure and application. This third-party penetration test is performed at least annually, and an attestation of completion is available upon request.
Operations Security
Data Backups
Customer data is backed up every hour and replicated in near-real time at the designated secondary Azure Region. Backups are performed without impacting the availability of our customer instances of FlowFit. Customer data is always transmitted over a secure communication channel and encrypted at rest.
FlowFit Availability
FlowFit is architected, designed and coded by our team following cloud-native principles, and takes full advantage of Azure infrastructure services to provide high availability transparently across multiple data centers (Azure Availability Zones).
Security Incidents
A potential security incident may include, among other things, loss of availability, or unauthorized access to, disclosure of, or alteration of data. Consoltec has an incident management procedure that covers the entire lifecycle of a potential incident: Plan and Prepare, Detect and Report, Assess, Respond, and Post-mortem.
Consoltec will notify the affected customer without undue delay of any reasonably suspected or confirmed security incident affecting that customer.
Data Ownership & Control
Data Ownership
You maintain full ownership and control of your data uploaded or created in FlowFit.
Consoltec Employee Access to your Data
Providing the service requires that some authorized Consoltec personnel have access to the systems that process or store your data. They are, however, prohibited from accessing your data unless it is necessary to do so, for example to reproduce or diagnose a problem you are having with FlowFit. Consoltec has a Customer Data Handling policy, developed and communicated to all personnel, that governs when and how customer data may be accessed. We never copy your data outside of your segregated production or staging environments.
Cancelling your FlowFit Subscription
Consoltec makes your data accessible for retrieval at any time during the term of your subscription and for 60 days after the termination of your subscription. After 60 days, Consoltec will disable the account and will securely delete your data.
Contact us to find out more about our cancellation procedure.
Secure Data Deletion
We have a procedure for the secure deletion of customer data at the termination of the subscription. A Consoltec system administrator is assigned the task and deletes all customer data: database, file storage, backups and encryption keys, along with your instance of FlowFit. We also provide you with a data destruction report signed by the CISO, who verifies that the procedure was followed and that the data was deleted per the Service Termination Procedure.
Hosting Infrastructure
We host FlowFit in Azure data centers in the United States, Canada or Europe, according to your choice. Azure maintains multiple certifications and attestations for its hosting operations. For more information about their certification and compliance program, please visit the Microsoft Trust Center and Microsoft's compliance documentation.
Data Privacy Policy
At Consoltec Inc., we are committed to protecting the privacy and security of your personal data. We adhere to the General Data Protection Regulation (GDPR), applicable to individuals within the European Economic Area (EEA), as well as Québec’s Act Respecting the Protection of Personal Information in the Private Sector (Act 25).
Our data privacy practices are designed to ensure compliance with these regulations, providing you with transparency, control, and trust over how we collect, use, store, and process your personal information. We take your rights seriously and strive to maintain the highest standards of data protection and confidentiality.
Please refer to our complete Data Privacy Policy or contact our Data Protection Officer at dpo@consoltec.ca.
GDPR Assistance
Consoltec will gladly collaborate and assist each customer seeking compliance with the obligations pursuant to Articles 32 to 36 of GDPR.
Please contact Consoltec’s Data Protection Officer for assistance: dpo@consoltec.ca.
Data Processing Addendum (DPA)
Consoltec makes available a Data Processing Addendum (DPA) for our Customers.
Compliance
SOC 2 Type I and II
Consoltec has completed a System and Organization Controls (SOC) 2 Type II examination under the AICPA framework, one of the most sought-after security attestations for SaaS providers.
The SOC 2 Type I and Type II reports provide assurance that Consoltec's information security program and control environment meet the Security Trust Services Criteria developed and maintained by the AICPA. The reports cover the controls Consoltec has implemented from both an organizational and a technical perspective, including access management, encryption, code changes and deployment, monitoring, vulnerability management, incident management, risk management, human resources management, vendor management, and more.
The report helps companies, looking to use a cloud service like FlowFit, to properly assess and address the associated risks.
Consoltec's SOC 2 Type I and II reports are available under NDA to all our existing and potential customers.
Please contact Consoltec’s Data Protection Officer to request a copy: dpo@consoltec.ca.
Cloud Security Alliance: Security, Trust, and Assurance Registry (CSA STAR)
The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when selecting a cloud vendor.
The Security, Trust, and Assurance Registry (CSA STAR) is built on the CSA Consensus Assessments Initiative Questionnaire (CAIQ) v4.0.3, which provides a comprehensive set of questions that customers can use to evaluate the depth and breadth of a cloud vendor's security, privacy and compliance processes.
Consoltec's security team has compiled responses to all 261 questions in the questionnaire. This document is a valuable resource for understanding how Consoltec meets the requirements set forth by the CSA.
Contact us to request a questionnaire.