Security policy

Step SaaS is operated by exense GmbH. Throughout the site and this policy, the terms “we”, “us” and “our” refer to exense GmbH. As the provider of Step SaaS, exense GmbH is committed to ensuring the security and integrity of the platform and its users’ data. This Security Policy outlines the measures and procedures we have implemented to protect against unauthorized access, disclosure, alteration, or destruction of data. By using Step SaaS, you agree to adhere to the security guidelines and policies outlined in this document.

Safeguarding your data is our top priority. We ensure:

Confidentiality: Your data is encrypted in transit, accessible through advanced authentication only to authorized users.

Integrity: Rigorous checks prevent unauthorized alterations to your data.

Availability: Redundant infrastructure and robust disaster recovery measures ensure uninterrupted access.

Confidentiality

Data Encryption

For data in transit, we use the HTTPS protocol. HTTPS encrypts data during transmission, ensuring that any information exchanged between your device and our servers remains secure and confidential. For further details on HTTPS, you can refer to the Cloudflare guide on HTTPS (https://www.cloudflare.com/learning/ssl/what-is-https/).

For the safety of stored data, we rely on the security measurements taken by GCP (Google Cloud Platform), our cloud provider

Physical Data Storage

Our data is stored in secure, SOC-compliant data centers located in Switzerland, Google Cloud zone Zurich (europe-west6). These facilities adhere to industry-leading standards for physical security, including access controls, surveillance, and environmental controls.

Compliance and Regulations

We prioritize the security of our customers’ data and strive to maintain robust processes and controls to safeguard sensitive information. While we do not directly conduct annual third-party verifications of our data security practices, we rely on the compliance offerings provided by our cloud service provider, Google Cloud.

Google Cloud maintains a comprehensive compliance program that includes certifications such as Service Organization Control (SOC) reports, Payment Card Industry (PCI) compliance reports, and International Organization for Standardization (ISO) reviews (ISO 27001/27002). These certifications, for which information can be found directly at https://cloud.google.com/security/compliance/offerings, attest to the effectiveness of Google Cloud’s security measures and its adherence to industry-recognized standards.

For the specific services utilized by exense GmbH, namely Compute Engine and Cloud Storage, we leverage Google Cloud’s compliance offerings to ensure the security and integrity of our infrastructure and data storage solutions. The SOC 2 report provided by Google Cloud, which can be accessed directly at https://cloud.google.com/security/compliance/soc-2, provides valuable assurance regarding the security, availability, and confidentiality of the services we rely on.

By leveraging the compliance offerings of our cloud service provider, we can ensure that our data security practices align with industry best practices and standards, providing our customers with confidence in the security of their data.

Access Control

Step instances are provisioned and managed using Kubernetes, adhering to the Kubernetes security standard for restricted profiles. Access is limited to HTTPS on port 443. In the standard SaaS offering, no firewall rules are implemented, making the web applications (Step portal, Step instance) publicly accessible. However, for the customizable enterprise cloud offering, firewall rules can be configured to allow or block specific ranges of IP addresses.

Access to the Step SaaS portal is limited to registered members of your organization. You have the authority to manage and revoke access for these members and update passwords as needed, ensuring they meet your password complexity requirements. Similarly, access to your Step instance is governed by user/password authentication, allowing you to register and oversee Step users. You have the flexibility to grant restricted access rights to these users by assigning predefined roles.

As long as our services are operational, you retain control over your instance, including the ability to access your data or initiate instance destruction, which results in the deletion of all underlying data.

In the event of our business closure, we will provide advance notice and ensure the deletion of all Step SaaS instances. However, if we are unable to perform these tasks, our cloud provider will undertake the deletion of the infrastructure and all associated data.

Deletion Practices

All data, including scripts, parameters, plans, and test data, uploaded or defined within your dedicated instance of Step, remain isolated within that instance. Upon decommissioning of the instance, all data within it is systematically deleted. A Step instance is a dedicated Kubernetes namespace, and is not shared with other instances.

Third-Party Services and Partners

We use Stripe for payment processing, ensuring secure and reliable transactions. Stripe maintains rigorous security measures to safeguard sensitive payment information. For further information on Stripe’s security practices, please refer to their documentation at https://docs.stripe.com/security.

Integrity

Infrastructure Security

Step instances are initiated by your organization through the Step portal, and the provisioning process is fully automated and managed by exense. Each Step instance is isolated, ensuring that no unauthorized modifications can be made.

We depend on Google Cloud to address vulnerabilities related to the infrastructure (https://cloud.google.com/kubernetes-engine/docs/resources/security-patching). Additionally, our software undergoes regular vulnerability scans, and any identified vulnerabilities are promptly patched as needed.

Incident Response and Recovery Mechanisms

Any suspected or identified breach is promptly reported to our designated security personnel. Breaches involving a SaaS instance are then reported to the registered organization owner of the affected instance.

Disaster recovery for Step instances heavily relies on our cloud provider, Google Cloud Platform. Step instances automatically recover from server or software crashes and network issues, which is validated through regular destruction tests. In the unlikely event of data loss by our cloud provider, recovery of the Step SaaS instance may not be possible due to the lack of backup or redundancy. In such cases, a new Step instance would be provisioned. However, backups are available with our enterprise cloud offer.

Continuous Improvement and Updates

We conduct ongoing scans for software vulnerabilities and promptly address critical issues as they are identified.

Our policies and procedures are regularly reviewed and updated to align with changes in our data environment, regulations, and emerging threats.

We cultivate a culture of data security awareness and accountability, ensuring that all individuals understand their roles and responsibilities in protecting data and complying with policies and procedures.

Availability

Data Backup

Backups are not conducted for the Step SaaS offering. For Step SaaS Enterprise, backup requirements and frequency can be individually discussed with our sales team. Data is stored on Google Cloud Platform (GCP), and access control measures align with GCP security standards. Data encryption is not implemented.

Link to Terms of Use

Link to Privacy Policy

Changes to this Security Policy

We may update this Security Policy from time to time by posting a revised version on our website. We encourage you to review this Security Policy periodically for any changes.

Contact Us

If you have any questions or concerns about our Security Policy or our data practices, please contact us at security@exense.ch.