Keeping your information safe, available and strong
The hosting of the Scanmarket eSourcing Platform is outsourced to TDC Hosting, one of the most experienced hosting centers in Europe. The hosting provider is audited yearly following ISAE 3402 type 2 and they are also ISO 27001 certified. The latest audit report is available upon request.
The service includes:
Servers are virtualized using VMware and hosted on multiple physical servers with automatic failover. Storage is provided by a high performance SAN.
The datacenter is built to the highest standards, with fully redundant power and cooling and strict access controls in place to ensure a very secure environment.
All data is backed up daily, with one weekly full-backup and daily incremental backups. Database log files are backed up hourly.
Data retention is 30 days. Backed-up data is stored both on-premises and off-premises in one of the hosting provider's other datacenter locations. All data is kept within Denmark.
When upgrading the server hardware, all hard drives are magnetically destroyed and the internal hard drive platters are shredded.
External attacks, such as DDoS attacks, are detected and mitigated efficiently when they occur, ensuring minimal downtime.
The application uses Windows Forms Authentication. All users must log in to the system using a unique username and password. Once their login attempt is successful, an “AuthenticationToken” (AT) is created for their user session. This AT indicates precisely which permissions the user has in the system.
On any request for a page or control, it is verified that the AT has permission to see the requested content. If not, the user is immediately logged out of the system and shown the message that access was denied.
This ensures that:
All sensitive data is stored encrypted in the database. Each customer has their own unique encryption key, which ensures one customer cannot access another customer’s data. The encryption is performed using AES with a 256-bit key in CFB mode.
All database access is performed through the ORM framework or a secure query engine, eliminating the risk of SQL injection attacks.
All requests are validated for correct rights before data is returned or modified.
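The per-request permission check described above, as an added illustration in Python that is not Scanmarket's own code: a session token carries the user's permissions, every page request is checked against a page-to-permission map, unknown pages and unknown sessions are denied by default, and a denied request ends the session. The page names, permission names and the in-memory session store are assumptions made for the example.

```python
from dataclasses import dataclass, field
import secrets

# Constructed map of page/control name -> permission required to view it (assumption).
PAGE_PERMISSIONS = {
    "events/list": "event.read",
    "events/edit": "event.write",
    "reports/export": "report.export",
}


@dataclass(frozen=True)
class AuthenticationToken:
    """Server-side record created at login; carries the user's effective permissions."""
    user: str
    customer_id: str
    permissions: frozenset
    session_id: str = field(default_factory=lambda: secrets.token_hex(16))


class Sessions:
    """In-memory session store standing in for the server-side session state (assumption)."""

    def __init__(self):
        self._active = {}

    def login(self, user, customer_id, permissions):
        at = AuthenticationToken(user, customer_id, frozenset(permissions))
        self._active[at.session_id] = at
        return at

    def get(self, session_id):
        return self._active.get(session_id)

    def is_active(self, session_id):
        return session_id in self._active

    def logout(self, session_id):
        self._active.pop(session_id, None)


def authorize_request(sessions, session_id, page):
    """Check one request. Returns ("ok", token) or ("denied", message).
    Unknown sessions and unmapped pages are denied (default deny); a denied
    request for an active session logs that session out immediately."""
    at = sessions.get(session_id)
    if at is None:
        return "denied", "Access was denied"
    required = PAGE_PERMISSIONS.get(page)
    if required is None or required not in at.permissions:
        sessions.logout(session_id)
        return "denied", "Access was denied"
    return "ok", at
```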
A yearly penetration test is performed by nSense, a highly skilled security company, and any findings are corrected immediately. nSense is certified by the PCI Security Standards Council as an Approved Scanning Vendor, Qualified Security Assessor, and Payment Application Qualified Security Assessor. The latest summary is available to customers upon request.
Before any change is made in the Scanmarket strategic sourcing platform, the complete change is verified by highly qualified Quality Assurance Personnel ensuring highest possible stability and security in the application. The security testing includes, but is not limited to, testing against malicious requests and malicious input, including possible cross-site scripting attacks.
Scanmarket has a testing and a staging platform that is 100% disconnected from the live servers, so no customer data is available at the test setup. All new features are tested first on the test server and later on the staging server before they are released into production.