The Security Challenge
In the cloud-enabled, highly networked world of modern computing, security is one of the most important challenges faced by organizations. The high-level security provided by Docomotion ensures that your system is protected against unauthorized access (both physical and logical).
This includes in-house monitoring 24x7x365. Our in-house support team reviews every aspect of Docomotion servers, in addition to 3rd party testing. Our services undergo independent, ongoing penetration testing, security scans, and threat detection.
Docomotion is a SaaS certified solution provider that has passed all the required certification and approvals from Salesforce. As a managed package certified by Salesforce App, Docomotion passed a security review by a Salesforce team before being listed on the App Exchange. Docomotion developers are required to follow Salesforce recommendation for application security and each new version of Docomotion passes this review. Docomotion headquarter provide employees with limited access to the internet according to its policy. Access is provided behind the Check Point firewall (R77-20).
Security Policy Highlights
Data Center Security
Docomotion servers are hosted on AWS and located in different availability zones. The servers are physically secure, staffed 24x7x365 by trained security guards. We use VPC, which provides advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level.
Docomotion Amazon servers reside in US- West Oregon. The traffic between Salesforce and the Docomotion server is secured via HTTPS. The Sophos Web protection firewall solutions additionally scan the encrypted traffic. After receiving the data from Salesforce, the Docomotion engine renders the document and sends it back directly to Salesforce. Docomotion does not store any customer data. The output is generated on the fly and after sending back the document to Salesforce, no data is stored in our servers.
Data Access Security
Users can access the internet based on their privileges in the policy, using a URL filter (based on zone criteria). The access level is defined by Docomotion management.
Remote connection to the Docomotion’s offices is only available to approved personnel, using Check Point secured VPN.
Encryption is part of Docomotion’s layered security solution and complements other security features such as SSL/TLS1.2 and Amazon S3’s Server-Side Encryption.
Secure communication of sensitive data is of the utmost importance. Docomotion’s system architecture and hosted applications use industry-standard encryption methodologies including, SSL Certificates with 2048bit digital signatures and 256bit encryption for all HTTP throughput including. All metadata and outputs (in synchronic flows) are stored encrypted with 1024 key RSA algorithm
The Docomotion can store the encrypted data based temporarily based on the certain generation scenario’s as described in detail in the Docomotion support portal, the time period can be configured by the Salesforce administrator in Docomotion app.
For details, see EDITING THE OUTPUT EXPIRATION PERIOD FOR ASYNCHRONOUS GENERATION and EDITING THE LINK EXPIRATION DATE on our support portal.
The Salesforce security review helps protect Docomotion against potential vulnerabilities.
Data and information security is a key priority for Docomotion and we are proud to announce our certification of compliance with the requirements of ISO/IEC 27001:2013 and 27018: 2013.
The official accreditations of those ISO certifications:
Our security internal processes include the following procedures:
- SSDLC – Secure code training and testing
- Annual penetration tests by a 3rd party security expert
- Salesforce Scanner – ongoing scanning.
The Force.com Source Scanner scanned 1.23 billion lines of code across 41,378 scans and prevented 4.43 million potential security issues in FY17. In 2017 Salesforce increased capacity on the scanner from 100 scans per day to 3,000 scans per day, which drastically reduced wait times. In addition to providing support for issue types such as CRUD/FLS and JS-based issues, Salesforce also increased the maximum scanned lines of code from 750k to 2.5 million. This enables partners, such as Docomotion, to scan very large packages and find instances with additional issue types. The scanner reports were enhanced, providing a concise, more readable format.
- Ongoing Vulnerability assessments
Additional Security Insights
Additional security insights of Docomotion’s architecture address GDPR Art. 32 GDPR article, Docomotion is committed to the GDPR requirements to be full GDPR ready solution.
Data, Privacy, Backup and Restoration Policy
Docomotion’s SaaS data systems are based on AWS and designed to prevent customers from accessing physical hardware layers, hosts, or instances through the use of user’s authentication, IP restriction, etc.
Backups are stored in multiple secure locations and updated throughout the night, every day where applicable.
A real-time audit log is kept of all administrative data changes and Docomotion monitors and reacts to suspicious activities.
Data Redundancy, Backups & Data Restoration
Docomotion’s SaaS architecture is designed to maintain the availability of Docomotion products even after physical failure, utility failure, or environmental events occur. Our architecture utilizes AWS features.
- The first line of defense against data loss is the use of MSSQL server high availability and built-in backup solutions.
- Docomotion uses state-of-the-art AWS backup and restoration features.
- User responsibility – Docomotion do not store any data. All the records stored in Salesforce are under the customer responsibility. The input data and generated output are not saved outside of Salesforce unless the customer has specifically approved it for a limited time frame.
In order to provide high availability:
- Different services employ multiple redundant servers across different availability zones with automatic load-balancing and constant monitoring to keep the service available at all times.
- We use the autoscale group, to ensure that the required number of Amazon EC2 instances are running.