Netstock Security Whitepaper

Written by Ruvisha Pillay
Updated over a week ago

Netstock, the company, is the provider of both the Netstock and Sage Inventory Advisor Apps. References to Netstock in the section below are references to Netstock the company.

Netstock’s customers benefit from the following security measures:

1. Transit security

All data transferred from the on-premise ERP system to our Comms servers is compressed and then sent via the Secure FTP (SFTP) protocol. This data is encrypted in transit using session keys and symmetric encryption. The software on the ERP system is authenticated to the Comms server using the customer’s unique public key; the private key is never shared.

The same process then happens to forward the information from the Comms server to the appropriate cloud App server.

For more information about data transmission, see the ERP Connector guide.

2. Data centre security

Netstock only makes use of secure, reputable hosting providers, and only of data centres with security certifications such as SOC 2 and/or ISO 27001.

Data centres

Netstock makes use of Linode and Hetzner as data centre providers. Our customers’ data is hosted at the following data centres:

  • North America

    • Linode – Newark, NJ

    • Linode – Fremont, CA

    • Linode – Atlanta, GA

    • Linode – Dallas, TX

  • Africa and Europe

    • Linode – London, UK

    • Hetzner – Nuremberg, DE

    • Hetzner – Falkenstein, DE

    • Linode – Frankfurt, DE

  • Australia and New Zealand

    • Linode – Tokyo, JP

    • Linode – Sydney

    • Linode – Singapore

    • Hetzner – Nuremberg, DE

    • Hetzner – Falkenstein, DE

3. Storage security

Our servers are all behind firewalls with strict rules in place.

Back-end logins to our servers can only happen with RSA keys, not passwords. Because access depends on a key rather than a shared password, a Netstock employee’s access to our back-end servers can be revoked at any time.

Our servers are protected from brute-force attacks by automatically banning, for a period of time, any IP address that exceeds a certain number of failed login attempts. This happens at the firewall level.

All OS and application software is patched weekly for security vulnerabilities.

4. Network

The data centres in which your App is hosted make use of multiple Internet carriers with independent fibre connections to the data centre floor. The networks within the data centres have redundant routers, switches and service providers, so multiple systems can fail without affecting uptime or performance.

Various security appliances are in place monitoring network traffic and detecting and responding to anomalies.

5. Data isolation

Every customer’s data is completely isolated from every other customer’s data: each customer’s data is stored in its own separate database.

Similarly, every customer accesses the Netstock service using a unique URL for that customer. A user’s login credentials can never work on another customer’s instance of Netstock.

6. Access to Customer Data

There is a setting in the App which allows you to grant or deny our customer success team access to your instance. If you leave this setting enabled to grant us access, then each time a customer success team member needs to access your App, our system generates and provides a one-time PIN (OTP). This OTP is valid for a limited period of time. Our customer success team will only access your App for the purpose of providing support to you or in response to a ticket that you logged for assistance. All access to your App instance is logged, so your customer-appointed administrator can view that information in the logs at any time.

7. Data confidentiality

All Netstock employees sign non-disclosure clauses as part of their employment contract, ensuring that they agree to the legal obligation to retain the confidentiality of all customer data. Employees also receive training to educate them regarding data confidentiality requirements and practices.

8. Data retention

In the case that a customer cancels their Netstock subscription, we retain an archive of the customer’s data for three months. This allows for an easier reinstatement of the service, if requested. After three months the data will be deleted forever, even from our backup servers. A full dump of a customer’s data is available upon request in the three month period.

9. Backups

All data on all servers is backed up every 24 hours. Full backups are retained for 14 days.

Backups are stored in a geographically separate data centre, so that a disaster at one data centre doesn’t affect both the operational servers and the backup servers.

As Netstock is not a mission-critical system, we do not offer automatic fail-over to stand-by servers. This also keeps the monthly cost down for our customers.

Backups are stored and transmitted encrypted.

10. Encryption

All access to a customer’s instance of Netstock goes over HTTPS, using secure TLS versions. Our TLS (SSL) certificates are signed by trusted certificate authorities (CAs). All requests to our web app are protected against Cross-Site Request Forgery (CSRF).

This means that man-in-the-middle attacks are exceedingly difficult to perform. No one can read our customers’ information while it is in transit to and from our web servers.

11. Account security

A password strength checker is used in the App to ensure that weak passwords cannot be selected when creating or resetting passwords.

Passwords are stored hashed and salted using a cryptographically secure algorithm. This means that even if the password hashes are obtained, they cannot be used to log into Netstock.

Accounts are locked out for a period of time after a defined number of unsuccessful attempts, to mitigate brute-force attacks. The Customer’s administrator may choose to receive alerts for failed login attempts on the Customer’s user accounts, so that these events can be reviewed to determine whether the login failure was due to legitimate use or a malicious attempt to log in to the App.
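The threshold-and-window mechanism described in sections 3 and 11 (temporary IP bans at the firewall and temporary account lockouts, with alerts on failed attempts) works the same way whether the key is an IP address or a username. The following is an added illustration, not Netstock’s own code; the thresholds, the IP address, the username and the login attempts are all constructed.

```python
from collections import defaultdict, deque

# Constructed policy values for illustration; the whitepaper does not state Netstock's thresholds.
MAX_FAILURES = 5       # failures allowed inside the sliding window before locking
WINDOW_SECONDS = 300   # sliding window over which failures are counted
LOCKOUT_SECONDS = 900  # how long an IP or account stays blocked once locked


class LockoutTracker:
    """Sliding-window lockout keyed by IP address (firewall ban) or username (account lockout)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failed attempts
        self.locked_until = {}              # key -> epoch second at which the lock expires
        self.alerts = []                    # lines an administrator would be alerted with

    def is_locked(self, key, now):
        if now < self.locked_until.get(key, 0):
            return True
        self.locked_until.pop(key, None)    # no lock, or an expired one
        return False

    def record(self, key, success, now):
        """Process one login attempt; returns 'locked', 'ok', 'fail' or 'lockout'."""
        if self.is_locked(key, now):
            return "locked"                 # rejected without touching the counter
        if success:
            self.failures.pop(key, None)    # a successful login resets the failure count
            return "ok"
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        self.alerts.append(f"{now}: failed login for {key} ({len(recent)} in window)")
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            self.alerts.append(f"{now}: {key} locked for {self.lockout}s")
            return "lockout"
        return "fail"


# Constructed sample attempts as (epoch seconds, key, success); not real log data.
SAMPLE_ATTEMPTS = [(t, "198.51.100.7", False) for t in (0, 10, 20, 30, 40, 50)] + [
    (60, "alice", False), (70, "alice", True), (950, "198.51.100.7", True)]


def replay(attempts=SAMPLE_ATTEMPTS):
    """Feed attempts through a fresh tracker; returns (decisions, alert lines)."""
    tracker = LockoutTracker()
    decisions = [tracker.record(key, ok, ts) for ts, key, ok in attempts]
    return decisions, tracker.alerts
```

The fifth failure from the constructed IP triggers a 900-second ban, the sixth attempt is rejected while the ban is active, and the attempt at 950 seconds is accepted again because the ban has expired.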

All sessions are automatically logged out after a period of non-use, helping to guard against unauthorised usage of a logged-in system.

Two-factor authentication is available and can be activated to provide additional protection for your account. Enabling two-factor authentication ensures that, in the event that your password is compromised, the attacker will not be able to access your account without the second factor (a one-time PIN). This functionality can be activated by the Customer’s administrator.

Access to support applications that may contain personal or confidential data is carefully managed. We have formalised Identity and Access Management policies and procedures, as well as a Password policy and standard. This is for the purpose of ensuring that appropriate security controls are defined for the protection of accounts used by our employees.

Access provisioning and de-provisioning processes are formalised and require access change requests to be submitted and approved.

Our employees are required to manage their credentials using the enterprise password manager that we have provided for this purpose. The password manager not only securely stores credentials, but also generates secure passwords of sufficient complexity and length, and ensures that passwords are not reused across platforms.

12. Web development security

The security of our code is very important to us. Our App undergoes annual penetration testing by a highly regarded third party.

When making development changes, we perform SAST scanning of our code before deploying to our Live environments.

We have formalised a Secure Development Policy and Standard, ensuring that security is considered throughout the development lifecycle.

We perform security code reviews over and above standard code reviews.

Our software developers are required to complete regular secure development training.

13. Change Control

We have formalised a Change Control Policy, Standard and Procedure ensuring that changes are formally logged, reviewed, approved and tested with the intention of reducing adverse effects of unmanaged changes and improving quality of deliverables. We are committed to providing you with a service that is available and works as intended.

14. Logging and Monitoring

Logging is enabled for all accounts, servers, applications, databases and infrastructure, ensuring that all activity, security events, exceptions and access metrics are logged.

Monitoring is in place to detect and alert us regarding anomalies.

Capacity metrics are monitored and we receive alerts based on predefined thresholds, ensuring that we can respond to changing requirements quickly. This ensures optimal performance and availability of our App.

15. Security monitoring and threat prevention

We have implemented security monitoring tools. These tools include, but are not limited to, intrusion detection, behaviour analysis, malware detection and network firewalls. This ensures early detection of malicious activity and contributes to our response capability.

Full logging is implemented for all systems.

16. Incident response

We have developed incident response capability, including formal policies, procedures and training for our employees to ensure that we are able to detect incidents rapidly, minimise loss and destruction, mitigate weaknesses that have been exploited, and restore services in reasonable time frames. The intention is to reduce the probability and impact of incidents that have the potential to occur or have already occurred.

Our Incident Response Plan is tested annually.

17. Business Continuity and Disaster Recovery

We have defined and documented Business Continuity and Disaster Recovery Plans and these plans are regularly tested.

18. Supplier Management

We have formalised a Supplier Information Security Policy and procedures for evaluating the security controls of potential and existing suppliers. We understand the importance of ensuring the security of information throughout the supply chain to reduce risk to our customers and us.

19. Security awareness training

Our employees receive regular security awareness training ensuring that they are taught how to work safely online, how to keep their devices safe, how to recognise and avoid information security threats and how to comply with our internal security policies, designed to keep your information safe.

Our employees are also trained to identify security incidents and how to report them in an attempt to reduce the impact and severity thereof.

20. Employee Device Security

We have formalised a Device Security policy that defines security controls for employee devices, including full disk encryption, antivirus, firewall enablement, automatic screen locking and patch management.

21. Human Resource Security

When hiring new employees, we use an external company to perform background screening checks to ensure that our employees have the qualifications and experience that they claim to have and that they do not pose an unnecessary risk to our customers or to our company.

All new employees go through an extensive onboarding process consisting of security training, secure configuration of their equipment, setup of the company password manager and formally agreeing to comply with our security policies.

22. Risk management

We follow a risk based approach to security, ensuring the ongoing identification, assessment and mitigation of risks to the organisation’s information assets, in order to reduce the probability and impact of their occurrence.

23. Governance

We have formalised information security policies, procedures and standards. These are made available to employees as relevant to their job function.

Our policies, procedures and standards are reviewed annually to ensure that they remain relevant and that they are able to address changing conditions and threats.

Information Security responsibilities are defined, documented and communicated to employees.

24. Compliance with Regulations

We keep up to date with regulatory requirements and implement action plans to address them as they arise and evolve over time. This includes, but is not limited to, the privacy and protection of personally identifiable information.

25. Auditing

We have a qualified internal auditor and internal audits are conducted throughout the year.

26. Certification

We have achieved ISO 27001 certification. Our certificate will be made available to prospects and customers on request.
