Reliability and security
Signature 365 is a cloud service designed to meet the highest security, availability and compliance standards. Our team of engineers developed Signature 365 in compliance with both ISO 27001 (information security) and ISO 27018 (personal data protection in the cloud). We are a Microsoft Certified Partner and proud our solutions are recommended by Microsoft.
ISO 27001 and 27018
We are ISO 27001 certified and working towards additional ISO 27018 certification in Q1 2024.
Our compliance is continuously monitored by our security partner Vanta and a live status is available at https://trust.symprex.com where our ISO 27001 certificate is also available for download.
GDPR and CCPA compliance
We are compliant with GDPR and CCPA. Our security measures ensure that the personal data we process is safe at all times.
Choice of geolocation
We create your tenant in the appropriate geolocation based on the country you select during the registration process. This helps you stay GDPR and CCPA compliant. Current data centre locations are the United States, Canada, Europe, United Kingdom, United Arab Emirates and Australia with more planned.
Multifactor authentication
We support multifactor authentication for signing on to Signature 365. We also support multifactor authentication when connecting Signature 365 to Microsoft 365. You will not need to disable multifactor authentication on your admin account.
Safeguarding credentials
We use OAuth 2.0 for authentication. This means we have no access to your credentials. Where you grant access we store and use access tokens to access Microsoft 365.
Secure email processing
When using server-side signatures, email is routed via the Signature 365 service in your geolocation to add signatures. The Signature 365 service is hosted on Microsoft Azure and your email therefore never leaves Microsoft data centres. If you do not want to route emails via the Signature 365 service, you can enable the client-side signature mode only where signatures are added directly to email in the Outlook client.
Private email processing
We do not store or read your emails. Your emails remain entirely private. The Signature 365 service scans each email for any reply/forward separator, injects the relevant signature in the correct place, and immediately routes the email back to Microsoft 365 for delivery.
Microsoft Azure infrastructure
Signature 365 is hosted exclusively on Microsoft Azure offering the highest security and SLA standards. Microsoft Azure data centres are certified to the following standards:
- ISO 27001, 27017 and 27018
- SOC 1 and 2
Security measures
The information in this section is a copy of Appendix 2 : Security Measures in our Data Processing Agreement (DPA) available at https://www.signature365.com/legal/data-processing-agreement. It describes the security measures we have in place to protect your data and ensure service performance and reliability.
Confidentiality
The Supplier has controls in place to maintain the confidentiality of Customer Data, in accordance with the Services Agreement. All Supplier employees and contract personnel are bound by the Supplier’s internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.
Access Control
Preventing Unauthorized Product Access
Outsourced processing: We host our Signature 365 Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Signature 365 Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.
Penetration testing: We maintain relationships with industry recognized penetration testing service providers. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Vulnerability disclosure policy: A vulnerability disclosure policy invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a vulnerability disclosure policy in an effort to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.
Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All Symprex employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Symprex employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Employee training: At least once a year, employees must complete our security and privacy training which covering our security policies, security best practices, and privacy principles.
Transmission Control
In-transit: We encrypt all data in transit using TLS 1.2 or higher using industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
Input Control
Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Services Agreement and DPA.
Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.