Netstock Security Whitepaper

Written by Ruvisha Pillay
Updated over 2 months ago

Netstock, the company, is the provider of both the Netstock and Sage Inventory Advisor Apps. Netstock Apps include Predictor Inventory Advisor and Predictor Integrated Business Planning. References to Netstock in the section below are references to Netstock the company.

Netstock’s customers enjoy the following security:

1. Transit Security

All data transferred from the on-premises ERP system to our Comms servers is compressed. This data is then sent via the Secure FTP protocol, ensuring that the data is encrypted in transit. The connector software that is installed on the customer’s ERP system is authenticated on the Comms server using the customer’s unique public key. The private key is never shared.

The same process then happens to forward the information from the Comms server to the appropriate cloud App server.

For more information about data transmission, see the ERP Connector guide.

All access to a customer’s instance of Netstock goes over the https protocol, using TLS. Our certificates are signed by trusted Certificate Authorities.

2. Data centre security

Netstock makes use of secure, reputable hosting providers. We only make use of data centres with security certifications such as SOC 2 and/or ISO 27001.

Netstock makes use of the following data centre providers for hosting the Inventory Advisor application and related integrations. Our customers’ data is hosted at the following data centres:

  • North America

    • Ionos – United States

    • Linode – Newark, NJ

    • Linode – Fremont, CA

    • Linode – Atlanta, GA

    • Linode – Dallas, TX

    • Linode – Chicago, IL

  • Africa and Europe

    • Hetzner – Nuremberg, DE

    • Hetzner – Falkenstein, DE

    • Hetzner – Helsinki, FI

    • Ionos – Baden-Baden, DE

    • Ionos – Berlin

    • Ionos – United Kingdom

    • Linode – Frankfurt, DE

    • Linode – London, UK

  • Australia and New Zealand

    • AWS – Sydney, AU

    • Linode – Tokyo, JP

    • Linode – Sydney, AU

    • Linode – Singapore, SG

3. Network

Our cloud hosting providers are responsible for providing and maintaining the physical network; however, we have host-based network security controls, such as host-based firewalls and intrusion detection systems, for controlling traffic to and from our servers and detecting anomalies.

We have automated IP banning controls in place that will temporarily ban an IP address responsible for failed login attempts that exceed a predefined threshold. We only connect to our servers via encrypted communication channels.
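The threshold-based temporary ban described above is a standard pattern. The following is an added example (not Netstock's code, and not a description of how their control is implemented) that replays constructed sample log lines in a hypothetical "timestamp level message" format through a sliding-window counter: an IP that accumulates `threshold` failed logins within `window_s` seconds is banned for `ban_s` seconds, a successful login clears that IP's failure history, and a lapsed ban is lifted on the next event from that IP.

```python
"""Added example (not Netstock's code): temporary IP ban after a threshold of
failed logins inside a sliding window, replayed over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z WARN login failed user=alice ip=203.0.113.5
2024-05-01T10:00:05Z WARN login failed user=alice ip=203.0.113.5
2024-05-01T10:00:09Z WARN login failed user=bob ip=203.0.113.5
2024-05-01T10:00:12Z INFO login ok user=carol ip=198.51.100.7
2024-05-01T10:00:15Z WARN login failed user=alice ip=203.0.113.5
2024-05-01T10:00:20Z WARN login failed user=dave ip=203.0.113.5
2024-05-01T10:00:30Z WARN login failed user=erin ip=198.51.100.7
2024-05-01T10:20:00Z WARN login failed user=alice ip=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class FailedLoginBanner:
    """Per-source-IP failure counter with temporary bans. Times are epoch seconds."""

    def __init__(self, threshold=5, window_s=600, ban_s=900):
        self.threshold = threshold
        self.window_s = window_s
        self.ban_s = ban_s
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> epoch second at which the ban lapses

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]  # ban has lapsed; forget it
            return False
        return True

    def record(self, ip, result, now):
        """Feed one login event; returns 'banned' or 'allowed' for that event."""
        if self.is_banned(ip, now):
            return "banned"
        if result == "ok":
            self.failures.pop(ip, None)  # a successful login resets the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.threshold:
            self.bans[ip] = now + self.ban_s
            recent.clear()
            return "banned"
        return "allowed"


def parse_line(line):
    """Return (epoch_seconds, ip, result) for a login line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ip"], m["result"]


def replay(log_text, threshold=5, window_s=600, ban_s=900):
    """Replay a log in order; returns ([(timestamp, ip, verdict), ...], banner)."""
    banner = FailedLoginBanner(threshold, window_s, ban_s)
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, result = parsed
        events.append((ts, ip, banner.record(ip, result, ts)))
    return events, banner


if __name__ == "__main__":
    for ts, ip, verdict in replay(SAMPLE_LOG)[0]:
        print(f"{ts:.0f} {ip:15} {verdict}")
```

With the defaults, 203.0.113.5 is banned on its fifth failure inside ten minutes (failures from several usernames count together, since the control is per source IP), and its event twenty minutes later is allowed again because the fifteen-minute ban has lapsed. Tuning the window, threshold and ban length trades lockout of a shared NAT address against how long a spraying source can keep probing.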

Our cloud hosting providers provide us with denial of service protection to support availability of our customers’ instances.

We have implemented a Web Application Firewall (for the Predictor IBP product only).

4. Data isolation

Every customer’s data is completely isolated from every other customer’s data, as separate App and database instances are provisioned for each customer.

Every customer accesses their Netstock Inventory Advisor App instance using a unique URL. A user’s login credentials therefore can never work on another customer’s instance of Netstock.

5. Access to Customer Data

There is a setting in the App that allows customers to deny or grant our Customer Success team access to the customer’s instance. If this setting is left enabled to grant access to us, each time that our Customer Success team members need to gain access to a customer’s App, our system generates and provides a one-time PIN (OTP). This OTP is valid for a limited period of time. All access to a customer’s App instance is logged, so the customer’s appointed administrator can view that information in the logs at any time.

6. Data confidentiality

All Netstock employees sign non-disclosure clauses as part of their employment contract, ensuring that they agree to the legal obligation to retain the confidentiality of all customer data. Employees also receive training to educate them regarding data confidentiality requirements and practices.

7. Data retention

In the case that a customer cancels their Netstock subscription, we retain an archive of the customer’s data for three months. This allows for an easier reinstatement of the service, if requested. After three months the data will be deleted forever, even from our backup servers. A full dump of a customer’s data is available upon request within the three-month period.

8. Backup Management

All data on all servers is backed up every 24 hours. Full backups are retained for 14 days.

Backups are stored in a geographically separate data centre, so that a data centre disaster doesn’t affect both the operational servers and the backup servers.

As Netstock is not a mission-critical system, we do not offer automatic fail-over to stand-by servers. This also keeps the monthly cost down for our customers.

Backups are stored and transmitted encrypted.

9. Account Security

A password strength checker is used in the App to reduce the likelihood of customers’ users selecting weak passwords when creating and resetting passwords.

Passwords are stored hashed and salted using a cryptographically secure algorithm. This means that even if the password hashes are obtained, they cannot be used to log into the Netstock App.

Accounts are locked out for a period of time after a defined number of unsuccessful attempts, to mitigate brute force attacks. The customer’s administrator may choose to receive alerts for failed login attempts on the customer’s user accounts, so that each event can be checked to determine whether the login failure was due to legitimate use or a malicious attempt to log into the App.

All sessions are automatically logged out after a period of non-use, helping to guard against unauthorised usage of a logged-in system.

Two-factor authentication is available and can be activated to provide additional protection for the customer’s user accounts. Enabling two-factor authentication ensures that, in the event that one of a customer’s users’ passwords is compromised, the attacker will not be able to access the account without also gaining access to the second factor (a one-time PIN). This functionality can be activated by the customer’s administrator.
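The three account controls described in this section (a strength check at password creation, salted password hashing, and a one-time PIN as a second factor) can be shown in a few dozen lines. The following is an added example using only the Python standard library; it is not Netstock's code and does not describe which algorithm or parameters their App uses. The PBKDF2 iteration count and the strength rules are assumptions for the example; the TOTP routine follows RFC 6238 with the RFC's SHA-1 test secret used in the self-check.

```python
"""Added example (not Netstock's code): password strength check, salted
password hashing with constant-time verification, and TOTP second-factor
verification with a small clock-drift window. Standard library only."""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-style count for PBKDF2-HMAC-SHA256
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein"}  # constructed denylist


def password_strength_problems(password, min_length=12):
    """Return the reasons a password is weak; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    return problems


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hash with a fresh random salt; the stored string carries algorithm, cost and salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, drift_steps=1):
    """Accept the code for the current step or up to drift_steps steps either side."""
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    stored = hash_password("Tr0ub4dor&3-Ok!z")
    print(stored)
    print(verify_password("Tr0ub4dor&3-Ok!z", stored), verify_password("wrong", stored))
    print(totp(b"12345678901234567890", 59))  # RFC 6238 vector, last six digits: 287082
```

Two points the prose above relies on are visible here: a stolen `stored` string cannot be replayed as a credential because `verify_password` recomputes the slow hash from the submitted password, and the TOTP code is bound to a time step, so an intercepted code stops working after the drift window closes. In a real deployment the accepted time step should also be recorded per user so that a code is never accepted twice.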

SAML-based Single Sign-on is available for customers to manage their users’ accounts according to their own internal password and account requirements.

Access to support applications that may contain personal or confidential data is carefully managed. We have formalised Identity and Access Management policies and procedures, as well as a Password policy and standard. This is for the purpose of ensuring that appropriate security controls are defined for the protection of accounts used by our employees.

Access provisioning and de-provisioning processes are formalised and require access change requests to be submitted and approved.

Our employees are required to manage their credentials using the enterprise password manager that we have provided for this purpose. The password manager not only securely stores credentials, but also generates secure passwords of sufficient complexity and length, and ensures that passwords are not reused across platforms.

10. Web development security

The security of our code is very important to us. Our App undergoes both internal and external penetration testing. We have formalised a Secure Development Policy and Standard, ensuring that security is considered throughout the development lifecycle. We perform security code reviews over and above standard code reviews. When making development changes, we perform SAST scanning of our code before deploying code to our Live environments. Our software developers are required to complete regular secure development training.

11. Change Control

We have formalised a Change Control Policy, Standard, and Procedure ensuring that changes are formally logged, reviewed, approved, and tested with the intention of reducing adverse effects of unmanaged changes and improving the quality of deliverables. We are committed to providing you with a service that is available and works as intended.

12. Logging and Monitoring

Logging is enabled for all accounts, servers, applications, databases and infrastructure, ensuring that all activity, security events, exceptions and access metrics are logged. Regular log reviews are performed.

Monitoring is in place to detect and alert us regarding anomalies.

Capacity metrics are monitored and we receive alerts based on predefined thresholds, ensuring that we can respond to changing requirements quickly. This ensures optimal performance and availability of our App.

13. Security monitoring and threat prevention

We have implemented security monitoring tools. These tools include but are not limited to intrusion detection, behaviour analysis, malware detection and firewalls. This ensures early detection of malicious activity and contributes to our response capability.

14. Incident response

We have developed incident response capability, including formal policies and procedures, to ensure that we are able to detect incidents rapidly, minimise loss and destruction, mitigate weaknesses that have been exploited, and restore services in reasonable time frames. The intention is to reduce the probability and impact of incidents that have the potential to occur or have already occurred. Employees are trained to recognise and report information security incidents, and technical teams are trained on incident response.

Our Incident Response Plan is tested annually.

15. Business Continuity and Disaster Recovery

We have defined and documented Business Continuity and Disaster Recovery Plans and these plans are regularly tested.

16. Supplier Information Security

We have formalised a Supplier Information Security Policy and procedures for evaluating the security controls of potential and existing suppliers. We understand the importance of ensuring the security of information throughout the supply chain to reduce risk to our customers and us.

We perform supplier risk assessments before appointing a new supplier and annually thereafter.

Netstock enters into data processing agreements with sub-processors who process personal data on our behalf. When data transfers are required, Netstock enters into Standard Contractual Clauses with its sub-processors to legitimise the data transfer.

17. Security awareness training

Our employees receive regular security awareness training ensuring that they are taught how to work safely online, how to keep their devices safe, how to recognise and avoid information security threats and how to comply with our internal security policies, designed to keep your information safe.

Our employees are also trained to identify security incidents and how to report them in an attempt to reduce the impact and severity thereof.

18. Employee Device Security

We have formalised a Device Security policy that defines security controls for employee devices, including full disk encryption, antivirus, firewall enablement, automatic screen locking and patch management.

19. Human Resource Security

When hiring new employees, we use an external company to perform background screening checks to ensure that our employees have the qualifications and experience that they claim to have and that they do not pose an unnecessary risk to our customers or to our company.

All new employees go through an extensive onboarding process consisting of security training, secure configuration of their equipment, setup of the company password manager and formally agreeing to comply with our security policies.

20. Risk management

We follow a risk based approach to security, ensuring the ongoing identification, assessment and mitigation of risks to the organisation’s information assets, in order to reduce the probability and impact of their occurrence.

21. Governance

We have formalised information security policies, procedures and standards. These are made available to employees as relevant to their job function. All new employees are required to sign our overarching Information Security Policy, to agree to comply with it and the other relevant policies, procedures and standards that it references.

Our policies, procedures and standards are reviewed annually to ensure that they remain relevant and that they are able to address changing conditions and threats.

Information Security responsibilities are defined, documented and communicated to employees.

22. Compliance with Regulations

We keep up to date with regulatory requirements and implement action plans to address them as they arise and evolve over time. This includes, but is not limited to, the privacy and protection of personally identifiable information.

23. Auditing

We have a qualified internal auditor. Internal audits are conducted throughout the year according to our internal audit schedule, assessing our compliance with our policies and procedures.

We undergo external audits on an annual basis, to maintain our ISO 27001 certification.

24. Certification

We have achieved ISO 27001 certification. Our certificate will be made available to prospects and customers on request.
