SCANMARKET

HOSTING AND BACKUP


Hosting

The hosting of the Scanmarket eSourcing Platform is outsourced to TDC Hosting, one of the most experienced hosting providers in Europe. The hosting provider is audited yearly under ISAE 3402 Type 2 and is also ISO 27001 certified. The latest audit report is available upon request.

The service includes:

  • 24x7x365 monitoring, maintenance and correction of hardware and software
  • Continuous patching and fixes
  • 1 Gbit/s redundant Internet connection with a redundant Check Point firewall setup


Servers are virtualized with VMware and run on multiple physical hosts with automatic failover. Storage is provided by a high-performance SAN.

The datacenter is built to current industry standards, with fully redundant power and cooling and strict physical access controls.


Backup

All data is backed up daily: one full backup per week and incremental backups on the remaining days. Database log files are backed up hourly.

Backups are retained for 30 days. Backed-up data is stored both on-site and off-site in one of the hosting provider's other datacenter locations. All data is kept within Denmark. Because database logs are backed up hourly, a restore can lose at most about one hour of database changes.

SECURITY


Safety Measures

When server hardware is upgraded, all retired hard drives are degaussed (magnetically destroyed) and the internal platters are shredded.


External Attacks

External attacks such as DDoS attacks are detected and mitigated when they occur, keeping downtime to a minimum.


Authentication

The application uses Forms Authentication. All users must log in with a unique username and password. After a successful login, an “AuthenticationToken” (AT) is created for the user's session; the AT records exactly which permissions the user has in the system.

On every request for a page or control, the server verifies that the AT grants permission to see the requested content. If it does not, the user is immediately logged out of the system and shown a message that access was denied.

This ensures that:

  1. Users are only able to see eRFxs, contracts, supplier data, and eAuctions from within their own organization

  2. Suppliers are only able to see information related to the event they are invited to, and they never see private information entered by the event manager

  3. Spectators and stakeholders can only see information on the event or contract to which they are invited
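The per-request check and the three rules above, as an added Go example written for this page (it is not Scanmarket's code). It treats the AT as server-side session state carrying an organization, a role and a set of event invitations; the type and field names, the sample event and the buyer-private field are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Role models the user classes the text distinguishes (names are assumptions).
type Role int

const (
	RoleEventManager Role = iota // buyer-side user inside an organization
	RoleSupplier                 // sees only events it was invited to
	RoleSpectator                // stakeholder, likewise invitation-scoped
)

// AuthToken stands in for the session "AuthenticationToken": the identity and
// scope the server consults on every request. It is server-side state here.
type AuthToken struct {
	UserID  string
	OrgID   string          // owning organization; empty for suppliers/spectators
	Role    Role
	Invited map[string]bool // event IDs the supplier/spectator was invited to
}

// Event is a constructed sample record with a field private to the buyer.
type Event struct {
	ID, OrgID, Title string
	PrivateNotes     string // entered by the event manager; never shown to suppliers
}

// EventView is what a request is allowed to return for one event.
type EventView struct {
	ID, Title    string
	PrivateNotes string // empty unless the caller may see it
}

var ErrAccessDenied = errors.New("access denied")

// Authorize is the per-request check: from the token alone it decides whether
// the caller may see this event, and which of its fields.
func Authorize(tok AuthToken, ev Event) (EventView, error) {
	switch tok.Role {
	case RoleEventManager:
		// Rule 1: only eRFxs, contracts and auctions of the caller's own organization.
		if tok.OrgID == "" || tok.OrgID != ev.OrgID {
			return EventView{}, ErrAccessDenied
		}
		return EventView{ID: ev.ID, Title: ev.Title, PrivateNotes: ev.PrivateNotes}, nil
	case RoleSupplier, RoleSpectator:
		// Rules 2 and 3: only invited events, and never the manager's private fields.
		if !tok.Invited[ev.ID] {
			return EventView{}, ErrAccessDenied
		}
		return EventView{ID: ev.ID, Title: ev.Title}, nil
	}
	return EventView{}, ErrAccessDenied // unknown role: deny by default
}

// Session pairs a token with a logged-in flag so the logout-on-denial
// behaviour described in the text can be observed.
type Session struct {
	Token    AuthToken
	LoggedIn bool
}

// HandleRequest runs the check for one request; a denial ends the session.
func HandleRequest(s *Session, ev Event) (EventView, bool) {
	if !s.LoggedIn {
		return EventView{}, false
	}
	view, err := Authorize(s.Token, ev)
	if err != nil {
		s.LoggedIn = false // immediate logout, as the text describes
		return EventView{}, false
	}
	return view, true
}

func main() {
	ev := Event{ID: "rfx-1", OrgID: "org-A", Title: "Steel tender", PrivateNotes: "budget 1M"}
	supplier := &Session{LoggedIn: true, Token: AuthToken{UserID: "s1", Role: RoleSupplier,
		Invited: map[string]bool{"rfx-1": true}}}
	view, ok := HandleRequest(supplier, ev)
	fmt.Printf("supplier sees %+v (ok=%v)\n", view, ok) // no PrivateNotes
	outsider := &Session{LoggedIn: true, Token: AuthToken{UserID: "u2", OrgID: "org-B", Role: RoleEventManager}}
	_, ok = HandleRequest(outsider, ev)
	fmt.Printf("other organization: ok=%v, still logged in=%v\n", ok, outsider.LoggedIn)
}
```

The check is made against the object being requested (the event's owning organization and invitation list), not only against the page URL, and the field filtering happens in the same place. If the AT were handed to the browser rather than kept server-side, it would additionally need to be signed so that its permissions could not be altered by the client.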



Encryption

All sensitive data is stored encrypted in the database. Each customer has its own unique encryption key, so a record encrypted for one customer cannot be decrypted with another customer's key. The encryption is AES with a 256-bit key in CFB mode. CFB provides confidentiality only: it does not detect modification of a stored ciphertext, so the integrity of encrypted records rests on database access controls unless a MAC or an authenticated mode is layered on top.
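The scheme described above, per-customer AES-256 keys with CFB mode, as an added Go example written for this page (not Scanmarket's implementation; the in-memory key store, the iv || ciphertext record layout and the function names are assumptions). It also demonstrates the caveat: one flipped bit in a stored CFB ciphertext silently changes the decrypted value, and the encrypt-then-MAC functions at the end are what makes such tampering detectable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring holds one random 256-bit key per customer, so a record encrypted for
// customer A cannot be decrypted with customer B's key (key storage is assumed).
type Keyring map[string][]byte

func (k Keyring) KeyFor(customer string) []byte {
	if _, ok := k[customer]; !ok {
		key := make([]byte, 32) // AES-256
		if _, err := rand.Read(key); err != nil {
			panic(err) // no usable entropy: refuse to continue
		}
		k[customer] = key
	}
	return k[customer]
}

// EncryptCFB returns iv || ciphertext. Each record gets a fresh random IV:
// reusing a key/IV pair in CFB leaks the XOR of the plaintexts' first blocks.
func EncryptCFB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptCFB reverses EncryptCFB; it cannot detect a modified ciphertext.
func DecryptCFB(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCFBDecrypter(block, data[:aes.BlockSize]).XORKeyStream(plaintext, data[aes.BlockSize:])
	return plaintext, nil
}

// Seal adds what plain CFB lacks: an HMAC-SHA256 tag over iv || ciphertext under
// a separate MAC key (encrypt-then-MAC), so Open can reject a tampered record.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	ct, err := EncryptCFB(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct), nil
}

// Open verifies the tag in constant time before decrypting anything.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed record too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed")
	}
	return DecryptCFB(encKey, ct)
}

func main() {
	kr := Keyring{}
	encKey, macKey := kr.KeyFor("customer-A"), kr.KeyFor("customer-A/mac")
	ct, _ := EncryptCFB(encKey, []byte("amount=100"))
	ct[aes.BlockSize+9] ^= 1 // flip one bit of the stored ciphertext: the last '0' becomes '1'
	pt, _ := DecryptCFB(encKey, ct)
	fmt.Printf("plain CFB after one flipped bit: %q\n", pt)
	sealed, _ := Seal(encKey, macKey, []byte("amount=100"))
	sealed[aes.BlockSize+9] ^= 1
	_, err := Open(encKey, macKey, sealed)
	fmt.Println("encrypt-then-MAC after the same flip:", err)
}
```

The MAC key is separate from the encryption key and, like it, per customer. An AEAD mode such as AES-GCM would give the same protection in one primitive; the HMAC construction is shown because a tag can be added to existing CFB records without re-encrypting the stored rows.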


General Security

All database access is performed through the ORM framework or a secure query engine, which closes the usual route for SQL injection attacks. This holds only as long as any raw SQL path the ORM exposes also binds parameters instead of concatenating user input into the query text.

As a rule, user input is encoded when it is output so that it can be displayed safely; this protects against cross-site scripting (JavaScript injection) attacks. Where the user is able to enter rich text, the resulting markup is sanitized.
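As an added Go example (written for this page, not Scanmarket's code; the template, the field name and the two attacker-controlled inputs are constructed), the block below places one user-supplied string in two output contexts and contrasts context-aware encoding with verbatim substitution, to show what "encoded so it can be displayed safely" has to cover.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	texttemplate "text/template"
)

// Constructed attacker-controlled inputs, as a supplier might type into a name field.
const (
	scriptInput = `<script>alert(document.cookie)</script>`
	attrInput   = `" onmouseover="alert(1)`
)

// page places the same value in two output contexts: element text and a
// quoted attribute value. Each context has its own encoding rules.
const page = `<p class="supplier">{{.Name}}</p>
<input type="text" value="{{.Name}}">`

// RenderEscaped uses html/template, which encodes the value for the context it
// lands in: '<' and '>' become entities in text, and '"' is encoded inside the
// attribute so the value cannot close the quote and add an event handler.
func RenderEscaped(name string) (string, error) {
	t, err := template.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, struct{ Name string }{name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderRaw is the vulnerable counterpart: text/template substitutes the value
// verbatim, so the script tag and the injected attribute reach the browser.
func RenderRaw(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, struct{ Name string }{name}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	for _, in := range []string{scriptInput, attrInput} {
		raw, _ := RenderRaw(in)
		safe, _ := RenderEscaped(in)
		fmt.Printf("raw:\n%s\nescaped:\n%s\n\n", raw, safe)
	}
}
```

Sanitization of rich text is a different operation from encoding and is not shown here: encoding would turn a user's intended <b> into literal text, so rich-text fields need an allowlist of permitted tags and attributes instead, applied before the markup is displayed.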

All requests are validated for correct rights before data is returned or modified.


Penetration Testing

A yearly penetration test is performed by nSense, a specialised security company, and any findings are corrected immediately. nSense is certified by the PCI Security Standards Council as an Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA) and Payment Application Qualified Security Assessor (PA-QSA). The latest summary is available to customers upon request.

Quality Assurance and Security Testing

Before any change is released to the Scanmarket strategic sourcing platform, the complete change is verified by qualified Quality Assurance personnel to ensure the highest possible stability and security of the application. The security testing includes, but is not limited to, testing against malicious requests and malicious input, including possible cross-site scripting attacks.


Test Environment

Scanmarket has a test platform and a staging platform that are fully disconnected from the live servers, so no customer data is available in the test setup. All new features are tested first on the test server and then on the staging server before they are released to production.