Table of Contents
- Company and Products
- SoftSolvers Security and Risk Governance
- Security and Risk Management Objectives
- Security Controls
- Product Security Features
1. COMPANY AND PRODUCTS
Soft Solvers Solutions (hereafter referred as “SoftSolvers”), founded in 2010 by industry experts and PMP certified graduates, provides world class cloud solutions for Medium to Large Corporations, across various industries. SoftSolvers has expanded its suite of Software and Services to many countries in Asia across sized single location companies to large regional enterprises, across multiple industries and geographies.
SoftSolvers launched Agiliuc Cloud Insurance in 2020, and started developing a suite of software products for Insurance industry to enhance distribution efficiencies and improve customer experience.
Over the last two years, Agiliux Cloud Insurance has become a mission for SoftSolvers to digitalise and transform Commercial Insurance industry, in the Asia Pacific region, by offering software for both Direct Insurance Brokers and Re-Insurance Brokers to improve their internal efficiency and productivity and also to streamline their interactions with carriers and re-insurers.
1.1 About Agiliux Cloud Insurance
Agiliux Cloud Insurance offers software for both Direct Insurance Brokers and Re-Insurance Brokers to improve their internal efficiency and productivity and also to streamline their interactions with carriers and re-insurers.
- Agiliux Commercial offers end-to-end automation to Insurance Brokers from managing the risk coverage requests from customer to giving them the required quote, generation of debit notes, manage payments, integrated accounting, regulatory reports and much more, efficiently.
- Agiliux Retail offers a single platform to consolidate all retail channels like direct selling via website or a mobile app, agency portal or POS mobile app, with direct integrations with Insurer API’s for premium calculation and policy issuance.
- Agiliux CRM offers Customer Self-Service Portal and backend helpdesk management modules, integrated to any of the above solutions.
2. SOFTSOLVERS SECURITY AND RISK GOVERNANCE
SoftSolvers primary security focus is to secure our customers and users data. To achieve this SoftSolvers has invested in resources and processes to serve the customers effectively while ensuring the information in storage and while in transfer are secure. A comprehensive infrastructure security process and a product security process on par with industry standards are defined and adhered to maintained in practice by our dedicated security team and seasoned development team.
We continually work towards improving the SoftSolvers security framework along with an effective support structure for managing risks. Our Chief Information Officer owns the implementation and management of security across SoftSolvers and its products.
3. SECURITY AND RISK MANAGEMENT OBJECTIVES
We have developed our security framework based on the best practices in the Enterprise SaaS industry and the compliance requirements as required by the regulatory bodies in each country we operate. Our primary goals include:
- Keeping the Customer Trust and Protecting the Data – consistently deliver better product and service to our customers while protecting the privacy and confidentiality of their information.
- Availability and Continuity of Service – ensure uninterrupted availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
- Integrity of Service and Data – ensure that customer information is never corrupted or altered inappropriately.
- Compliance with Standards – implement process and controls to align with current international regulatory and industry best practice guidance. We have designed our security program around best-of-breed guidelines for cloud security. In particular, we leverage standards like COBIT and Cloud Security Alliance CCM, and align our practices with ISO 27001.
4. SECURITY CONTROLS
SoftSolvers introduced an array of security measures to ensure that we secure the data entrusted to us. The security controls of SoftSolvers are designed to support a high level of employee performance without artificial roadblocks, while minimising risk. A subset of controls is defined in the following sections.
4.1 SoftSolvers Product Infrastructure
4.1.1 Data Center Security
SoftSolvers outsources hosting of its product infrastructure to leading cloud infrastructure providers Amazon Web Services (AWS) and Microsoft Azure Cloud. These solutions provide physical and network security as well as hosting provider vendor diversity. Currently, SoftSolvers AWS cloud server instances reside in AWS Singapore region-based locations and Azure cloud instances reside in Azure Singapore-region based locations. Both providers maintain an audited security program, including SOC 2 and ISO 27001 compliance. SoftSolvers does not host any product systems within its corporate offices.
These world-class infrastructure providers leverage the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed between 99.95% and 100%, and the facilities ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these providers sites is highly restricted to both physical access as well as electronic access through public (internet) and private (intranet) networks in order to eliminate any unwanted interruptions in our service to our customers.
The physical, environmental, and infrastructure security protections, including continuity and recovery plans, have been independently validated as part of their SOC 2 Type II and ISO 27001 certifications. Certificates are available at the AWS compliance site and Microsoft Azure Cloud compliance offering.
4.1.2 Network Security & Perimeter Protection
SoftSolvers product infrastructure is built with scaling in mind from the ground up. Access to the network or within the internal product infrastructure is carefully controlled using enterprise grade security controls such as firewalls.
Network-level access control list are implemented in AWS Virtual Private Cloud (VPC) security groups or Azure firewall rules, which applies port-level and address-level protections to each of the server instances in the infrastructure. This firewall technology filters all network traffic flowing through SoftSolvers Cloud Infrastructure based on the rules specified for each instance or subnets. The size of packet flow on each instance also being capture by monitor system to identify if any spikes happen so that it can be further analysed.
These network access rules allow for finely grained control of network traffic from a public network as well as between server instances on the interior of the infrastructure. Within the infrastructure, sub networks are segregated and apply additional layer of firewall between them to ensure only the appropriate types of devices can communicate.
Changes in the network security model are actively monitored and controlled by standard change control processes. All existing rules and changes are evaluated for security risk and captured appropriately.
4.1.3 Configuration Management
Automation is a key factor when supporting the product scaling for customers. The product infrastructure is an automated environment that can adapt to expand both capacity and capability as needed. Server instance management is automated using Ansible server automation tools.
All server type configurations are embedded in images and Ansible configuration files. Server- level configuration management is handled using these images and configuration scripts when the server is built. Changes to the configuration and standard images are managed through a controlled change management process. Each instance type includes its own hardened configuration, depending on the requirement for deployment of the instance.
Patch management is mainly handled by ansible server, whereas configuration control is done manually based on certain aspect such as specification of the instance. Periodically, Ansible will automatically gather all instance’s software version to identify which instance require update or upgrade. Update is more of a straightforward process that can be done automatically while upgrade require further analysis to create custom scripts. In addition, upgrade sometimes requires removing server or instances that are no longer compliant with the expected baseline and provision a replacement instance in its place. Meticulous and automated configuration management is baked into our day-to-day infrastructure processing.
4.1.4 Alerting & Monitoring
Automated monitoring is a key part of our infrastructure management process. Infrastructure is managed using automated tools and processes, it is vital that the monitoring aspects of the infrastructure keeps up with this demanding task too. Any anomaly is set to trigger alerts to engineers and system administrators. Whenever an anomaly is detected, system ensure the correct resources are updated so that the issue can be resolved within the least possible time.
Many automated triggers are designed in a way to be triggered when pre-defined thresholds are met to help take proactive preventive measures to ensure the uninterrupted and better optimized service to customers. Uptime status, service failure or recovery, systems status and similar functions will trigger these measures.
Server Automated Tasks with Predefined Rules
SoftSolvers capability of timely detecting and responding to anomalies is enabled by the continuous monitoring and logging process. All instances of access, page views, modifications and other changes are logged across the applications. At the same time, from the infrastructure perspective, Authentication attempts, horizontal and vertical permission changes, infrastructure health, and requests performed among many other commands and transactions are monitored. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.
4.1.5 Infrastructure Access
Entire categories of potential security events are prevented with a stringent, consistent, and well-designed access control model. Along those lines, access to SoftSolvers systems is strictly controlled.
For access to infrastructure tools, servers, and similar services, access is minimized to only the individuals whose jobs requires. There are two kinds of access to the infrastructure. Access to the cloud platform and access to the instance or server. As mentioned above, only specific user will be grant for infrastructure access, especially cloud platform access. As for instance access, all technical users are granted with specific privileges to specific instance for them to access. This access is controlled by Server Access Matrix
Primary method to access the server are by using SSH that can secure the connection between users or clients to the server. This method also eliminates the use of password authentication. Besides, direct network connections to product infrastructure devices over SSH or similar protocols is prohibited, and engineers are required to authenticate first through a bastion host or “jump box” before accessing QA or production environments. Server-level authentication use user-unique SSH keys and token-based two factor authentication.
4.2 Application Protection
4.2.1 Web Application Defenses
SoftSolvers has implemented an industry-recognized Web Application Firewall (WAF) as part of its dedication to the security of consumer data and websites. The WAF automatically detects and defends against attacks directed at the platform hosted SoftSolvers products or customers’ sites. SoftSolvers WAF protects access to the SoftSolvers platform. In addition, it also automatically covers all customer content hosted on the site. In the OWASP Top 10 and related recommendations, the rules used to detect and block malicious traffic are consistent with the best practice guidelines reported by the Open Web Application Protection Project (OWASP). Distributed Denial of Service (DDoS) attack safeguards are also implemented, helping to ensure that the sites of consumers and other parts of the SoftSolvers products are constantly available.
The WAF is configured with a combination of industry standard and custom rules that are capable of automatically enabling and disabling of appropriate controls to best protect our customers. These tools actively monitor real-time traffic at the application layer with ability to alert or deny malicious behaviour based on behaviour type and rate.
4.2.2 Development & Release Management
One of the SoftSolvers greatest advantages is a rapidly advancing feature set, and we provide constantly improving products through a modern continuous delivery approach to software development. New code is proposed, approved, merged, and deployed thousands of times daily. Code reviews and quality assurance are performed by specialized teams of engineers with intimate knowledge of the SoftSolvers platform as it is developed. Approval is controlled by designated repository owners. Once approved, code is automatically submitted to SoftSolvers continuous integration environment where compilation, packaging and unit testing occur. If all passes, the new code is deployed automatically across the application tier.
All code deployments create archives of existing production-grade code in case failures are detected by post-deploy hooks. The deploying team manages notifications regarding the health of their applications. If a failure occurs, roll-back is immediately engaged. As part of the continuous deployment model, we use extensive software gating and traffic management to control features based on customer preferences (private beta, public beta, full launch).
Newly developed, built code is first deployed to the dedicated and separate SoftSolvers QA environment for the last stage of testing before being promoted to production. Network- level segmentation prevents unauthorized and undesirable access between QA and production environments. Customer data is never used by SoftSolvers in the QA environment, nor does any other testing use customer data.
4.2.3 Vulnerability Scanning and Penetration Testing
A multi-layered approach to vulnerability scanning is handled by the SoftSolvers Security team, using a range of industry-recognized tools to ensure thorough coverage of our technology stack. On a continuous basis, we conduct regular vulnerability scanning and penetration testing activities against ourselves. We constantly conduct vulnerability scanning against our internal networks, software, and organisational infrastructure. To ensure that we identify and respond to the latest vulnerabilities, network-based and application-level vulnerability scans run at least every day.
SoftSolvers remain ahead of many security threats by constantly running scans, adaptive scanning inclusion lists, and continuously updating vulnerability signatures. We bring in industry-recognized third parties to conduct bi-annual penetration tests to get a second opinion about our ability to detect and respond to security risks. The purpose of these programmes is to recognise vulnerabilities that pose security risk iteratively and fix any problems quickly. In order to optimise the kind of possible vectors that should be tested, penetration tests are carried out against the application layers and network layers of the SoftSolvers technology stack, and penetration testers are granted internal access to the SoftSolvers product.
4.3 Customer Data Protection
4.3.1 Confidential Information of SoftSolvers
The information collected in our products is data entered by our Customer or their Customer, in case Customer Self-Service Portal. SoftSolvers allows customers to define the type of information to be collected stored on their behalf. As per the SoftSolvers Terms of Service and Security Policy, our customers ensure that they capture only appropriate information to support their marketing, sales, and service processes. Agiliux Products are not used to collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.
4.3.2 Credit Card Information Protection
Many SoftSolvers customers pay for the services by credit card. SoftSolvers uses third-party intermediaries Stripe and eGHL to manage credit card processing. SoftSolvers does not store, process, or collect any credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers credit card information is processed securely and according to appropriate regulation and industry standards.
4.3.3 Encryption In-Transit & At-Rest
All sensitive interactions with the SoftSolvers products (e.g; API calls, login, authenticated sessions to the customer’s portal, etc.) are encrypted in-transit with TLS 1.2 and above with 2,048 bit key length. Transport layer security (TLS) is also available by default for customers who host their websites on the SoftSolvers platform. Customers who would like to limit the encryption protocols used for HTTPS connections may start the process by contacting Customer Support or their Customer Success Manager.
SoftSolvers leverages several technologies to ensure stored data is encrypted at rest. The physical and virtualized hard drives used by SoftSolvers product server instances as well as long-term storage solutions like AWS S3 use AES-256 encryption. Additionally, certain databases or field-level information is encrypted at rest, based on the sensitivity of the information. For instance, user passwords are hashed, and certain email features work by providing an additional level of both at-rest and in-transit encryption.
Encryption keys for both in-transit and at-rest encryption are securely managed by the SoftSolvers platform. TLS private keys for in-transit encryption are managed through our content delivery partner. Volume and field-level encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS). Keys are rotated, and the frequency varies by the type of key and the sensitivity of the key and the data it protects; in general, TLS certificates expire every two years.
4.3.4 User Login Protections
Agiliux products allow users to login to their accounts using built-in login. The built-in login enforces a uniform password policy which requires a minimum of 8 characters and a combination of lower and upper case letters and numbers, inclusion of special characters and whitespace. People who use built-in login cannot change the default password policy.
4.3.5 User and API Authorization
Customers can assign finely grained permissions for their accounts and limit access to their data features based on user role access permission. Application programming interface (API) access is enabled through either API key or Oauth (version 2) authorization. Customers have the ability to generate API keys for their portals. The keys are intended to be used a rapidly prototype custom integrations. SoftSolvers Oauth implementation is a stronger approach to authenticating and authorizing API requests. Additionally, Oauth is required of all featured integrations. Authorization for Oauth-enabled requests is established through defined scopes.
4.3.6 SoftSolvers Employee Access
SoftSolvers controls individual access to data within its production and corporate environment. A subset of SoftSolvers employees are granted access to production data based on their role in the company through role-based access controls (RBAC) or on an as-needed basis referred to as JITA (just in time access).
Engineers and members of Operations team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyse information for product investment decisions as well as product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking functions is strictly limited to individuals whose job require that access, and access is reviewed on a continual basis.
Customer Support, Services, and other customer engagement staff with a need-to-know may request just in time access to customer portals on a time-limited basis. Requests for access are limited to their work responsibilities associated with supporting and servicing our customers. The requests are limited to just-in-time access to a specific customer’s portal for a maximum of 24-hour period. All access requests, logins, queries, page views and similar information are logged.
All employee access to both corporate and product resources is subject to daily automated review and at least semi-annual manual recertification to ensure the granted authorization is appropriate for an employee’s role and job needs.
The privacy of our customers’ data is one of SoftSolvers primary considerations. We never expose your Personal data to any third parties. The protections described in this document and other protections that we have been implemented are designed to ensure that your data stays private and unaltered. The SoftSolvers products are designed and built with customer needs and privacy considerations in the forefront. Our privacy program incorporates best practices, our customers need, as well as regulatory requirements, not just limited to PDPA, but all applicable.
4.4.1 Data Retention Policy
Customer data is retained for as long as you remain an active customer. The SoftSolvers platform provides active customers with the tools to delete their data, as they see fit. Former customers data is removed from live databases upon a customer’s written request or after an established period following the termination of all customer agreements. Freemium customers data is purged when the portal is no longer actively used, and former paying customers data is purged 30 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages itself from the repositories as the data lifecycle occurs. SoftSolvers retains certain data like logs and related metadata to address security, compliance, or statutory needs.
4.4.2 Privacy Program Management
4.5 Business Continuity & Disaster Recovery
SoftSolvers maintains business continuity and disaster recovery plans focusing on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, SoftSolvers goal is to quickly and transparently isolate and address the issue.
4.5.1 System Reliability & Recovery
Business continuity testing is part of SoftSolvers normal processing. SoftSolvers recovery processes are validated continuously through normal maintenance and support processes. We follow continuous deployment principles and create or destroy many server instances as part of our regular maintenance and growth. We also use those procedures to recover from impaired instances and other failures, allowing us to practice our recovery process regularly.
SoftSolvers primarily relies on infrastructure redundancy, point-in-time time snapshot and backups. All SoftSolvers product services are built with full redundancy. Snapshots are created daily in an incremental method. This allow the faster and reliable system recovery when there is system disruption that cause data loss. Server infrastructure is strategically distributed across multiple distinct availability zones and virtual private cloud networks within our infrastructure providers, and by benefiting the cloud infrastructure feature the data centres are deployed with a minimum of n+1 supporting server instances including the redundancy of the network connection.
4.5.2 Backup Strategy
SoftSolvers ensures data is replicated and backed up in multiple durable data-stores. The retention period of backups depends on the nature of the data. Data is also replicated across availability zones and infrastructure locations in order to provide fault-tolerance as well as scalability and responsive recovery, when necessary.
- Customer (production) data is backed up daily with six months retention period for any database in a way that ensures restoration can occur easily. This database backup is kept in a secure location on the cloud storage.
- Because we leverage cloud services for hosting, backup and recovery, we don’t implement physical infrastructure or physical storage media within our products. SoftSolvers does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
- All instances storage or disk are backed up using scheduled snapshot. Different disks have different type of backup method. This snapshot files are stored in retention period of one day because the objective of creating these snapshots is to recover quickly when an unexpected data loss happens.
- For customers who would additionally like to back-up their data, the SoftSolvers platform provides many ways of making sure you have what you need. Many of the features within your SoftSolvers Products contain export features that can be used to synchronize your data with other systems.
4.6 SoftSolvers Corporate Security
4.6.1 Employee Authentication & Authorization
SoftSolvers enforces an industry-standard corporate password policy. That policy requires changing passwords every 90 days. It also requires a minimum password length of 8 characters and complexity requirements, inclusion of at least one special characters, uppercase and lowercase letters, and numbers. SoftSolvers prohibits account and password sharing by multiple employees.
Employees generally authenticate to SoftSolvers infrastructure access using SSH keys. Where passwords are disabled. However, internally SoftSolvers technical user’s machine are equipped with password policy requires 12-characters with six months password rotation.
4.6.2 Access Management
SoftSolvers has regimented and automated authentication and authorization procedures for employee access to Agiliux systems. All access is logged. Most frequently, access is granted based on a role-based access control model.
We built an extensive set of support systems to streamline and automate our security management and compliance activities. In addition to many other functions, the system sweeps our product and corporate infrastructure several times daily to ensure that permission grants are appropriate, to manage employee events, to revoke accounts and access where needed, to compile logs of access requests, and to capture compliance evidence for each of our technology security controls. These internal systems sweep the infrastructure validating that it meets approved configurations on a 24-hours basis.
4.6.3 Security Awareness & Policies
To keep all our engineers, support, and other employees on the same page with regard to protecting your data, SoftSolvers developed and maintains a Written Information Security Policy. The policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics.
With this policy and the myriad protections and standards in place, we also ensure SoftSolvers employees are well-trained for their roles. Multiple levels of security training are provided to our employees, based on their roles, and resulting access. General security awareness training is offered to all new employees and covers SoftSolvers security requirements. Developers specific training is provided and tailored to our engineering teams. Roles specific security awareness training for Services & Support, Sales, and many other roles is tailored for the unique considerations of the role. Recurring training is provided through regular updates, notices, and internal publications.
4.7 Incident Management
SoftSolvers provides coverage to respond quickly to all security and privacy events. Our rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others.
In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate again to the customer (if there is any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident.
We review all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
5. PRODUCT SECURITY FEATURES
SoftSolvers security program is designed to protect all the SoftSolvers products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configuration.
Whether our products are feature-rich or lightweight, SoftSolvers, work harder to maintain the privacy of data you entrust with us. Data you store in SoftSolvers products is yours. We put our security program in place to protect and use it only to provide the SoftSolvers service to you. We respect your privacy and do not tolerate spam and will never share or sell away your data/information.
5.1 Security Features in Our Application
5.1.1 Secure by design
Agiliux takes advantage of the same enlightened security measures that help protect all our products. We leverage the advanced secure software development processes, infrastructure management, and alerting methodologies that we have levelled in our years of product development.
- User roles & Permission: Admin have full control on user roles permission. Agiliux have multiple level of permission control. Each user will be attached to one or multiple roles. In each role have the permission on which module able to access, what action that user can perform [edit/view/create/delete] and up to fields level permission. May restrict certain fields to access by certain role. Sharing access will allows system to control which users can access which data/records.
- Role based security for approvals: System also can handle role-based security for approval. Only the approving manager will able to select this approved status while the rest of users may view it only. Can have multiple level approval.
- Controlling user access from certain IP’s: System also able to handle the IP restriction. Admin can declare which IP are allowed or not allowed to access the system. This function very useful for security when company/organization do not allow their staffs/users to access the system from certain IP or just allowed for certain IP.
- Login History: System will capture all the login history for success and failure attempt. The details captured such as username, IP address, date, time and also the status of login either success or failed.
- Complete Field level Audit Trail: System logged all the audit trail for the records start form record created, updated, add other related information until the records is deleted. It captured up the value/detail change for each field. The audit trail captured data such as user who perform the changes, date, time and existing values to new value. This audit trail will stay forever in the system.
- Follow records: System come with follow functionality. This functionality allows user to get notification when their followed data being modified. So, user will always keep to up to date information. User may choose which records they want to follow.
- Notify Owner: Function where by it will send the notification to the creator of the record if any updates done to the record. The creator for the record needs to enable the notify owner checkbox to activate it.
- Use of TLS 2.0 or oAuth for email integration (only for office 365 for now): Instead of using normal credential to integrate email with system, user may choose to use the TLS 2.0 or OAuth to integrate which is more secured than using username and password every time system accesses the email.
SoftSolvers products are housed with world-class cloud infrastructure providers Amazon Web Services and Microsoft Azure Cloud. SoftSolvers infrastructure providers are SOC 2 Type II and ISO 27001 certified and maintain facilities secured against electronic and physical intrusion.
We are Fully Compliant to all local Regulations. Agiliux is committed to meet all the regulatory requirements in every country we operate in Asia and ensure compliance by regular audits.
For any other security related concerns, drop us a message to firstname.lastname@example.org