Data & Information Security at Assent

Encryption

Data in Transit: Internet communications are encrypted via HTTPS, SFTP, and TLS.

Data at Rest: Customer data is secured using AES.

Separate Environments (DEV, QA, Staging, UAT, PROD): Development, testing, and staging environments are separated from the production environment, both physically and logically.

Data Segregation: All customer data is segregated by state-of-the-art security controls that can only be accessed by designated individuals with unique credentials and privileges. Additionally, separate SFTP directories are created for each customer to enable data transfer to Assent.

Penetration Testing: An independent third party performs annual web and network penetration tests on the production environment. Tests are performed every six months by internal teams.

Application Vulnerability Scanning: An application vulnerability scan is run on every code release before it is pushed to UAT environments. Only code that has passed the scan is moved to production.

Service Provider

Assent’s hosting environment and relevant services are provided by AWS. They have a long history in data security and are used by leaders such as Verizon and Capital One. It carries numerous certifications such as SOC 2 and ISO 9001:2015.

Locations

Assent has two hosting locations available:

• North America: AWS U.S. East — Northern Virginia
• EU: AWS — Frankfurt, Germany

Assent’s network security and structure are key components of Assent’s ongoing data security measures. Clients benefit from the following features:

Intrusion Detection & Prevention: Potential security events are mitigated by intrusion detection and prevention systems (IDS and IPS respectively). These are placed at network entrance and exit points to prevent breaches.

Data Loss Prevention: Assent leverages a layered approach to data loss prevention, using new generation tools and traditional processes.

Architecture: Customer data is kept isolated from edge network traffic through specially designed architecture following high availability and topology practices.

Network Vulnerability Scanning: Regular and extensive vulnerability scans are run on network and endpoint security to ensure they remain effective.

Security Incident Event Management (SIEM): Potential security events are monitored, analyzed, and communicated to Assent’s Security team via a security incident event management solution.

Network Access: Assent’s network is restricted to authorized users and devices.

No matter where data is located, Assent has robust measures to protect and retain data in the event of emergencies. Full backups are performed weekly, while log and differential backups are done hourly, minimizing data loss during unforeseen events.

Similarly, Assent has established disaster recovery (DR) procedures to protect data. Customer data in the production environment is synchronized with the DR site in near real-time. In the event of a disaster, expected data loss will be approximately one hour, with a 30-minute margin. The disaster recovery plan is tested annually.

Barring extreme cases, a four-hour window is anticipated to return to standard operations, should the DR site be required.

Assent’s U.S. disaster recovery site is AWS U.S.-West (Oregon), and its EU disaster recovery site is AWS Ireland.

Security Incident Response: Assent has a documented incident response plan, which is tested annually and covers all aspects of an incident, from detection to post-incident analysis.

Change Management: Production changes are subject to documented testing, validation, and approval.

Two-Factor Authentication: Two-factor authentication is used for administration of the production environment and for remote access to the Assent network.

Continuous Monitoring: All systems are monitored 24/7 for performance and capacity.

Dedicated Security Team: All members of Assent’s Security team hold appropriate security certifications and clearances.

Policies: Assent has a comprehensive set of security policies, based on the ISO 27001 framework, which are reviewed annually. These policies are made available to all personnel with access to Assent information assets.

Training: All new personnel attend security awareness training before gaining network access and are required to complete security awareness training annually thereafter. Additionally, regular phishing simulation tests and awareness training are conducted to train personnel against emerging cyber threats.

Background Checks: Assent performs background and criminal reference checks on all new personnel.

Confidentiality Agreements: All new personnel are required to sign confidentiality agreements.