Zudello Platform Security
Zudello's experienced team and external advisors deliver the highest level of Platform Security through a continuous improvement, defence-in-depth approach and alignment with recognised standards and frameworks.
Zudello Platform security overview
Zudello’s platform has been designed and developed using industry-recognised “defence in depth” methodologies for security, risk management and compliance. Zudello’s team includes experts in cybersecurity and compliance with global experience.
Zudello’s platform is built around 3 core principles - Stability, Scalability and Security. All are critically important to our customers and are built into our strategic, development, support and cloud infrastructure plans.
The Zudello platform is independently certified compliant to the global standard for Information Security ISO27001.
All Zudello services are delivered* from multiple highly secure AWS (Amazon Web Services) datacentres around the world. The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from datacentres globally. For the tenth year in a row, AWS was evaluated by Gartner as the Leader in the 2021 Gartner Magic Quadrant for Cloud Infrastructure and Platform Services. This ensures all levels of security - physical, infrastructure, access, data and availability. Furthermore, this cloud environment is built for performance, scalability and flexibility - core tenets of Zudello’s strategic plan.
At a local level, all Zudello staff are fully vetted prior to employment and all appropriate security protocols are implemented around their devices, work environments and practices.
Zudello’s experienced team
Zudello’s team includes an executive team with broad experience in the cloud, security and platform world.
Datacentre infrastructure
Zudello follows AWS’s best practice recommendations for Security, Identity Management, & Compliance in the Cloud. This includes the use of the latest AWS tools and services such as AWS Security Hub, AWS Identity and Access Management, Elastic Load Balancers and AWS GuardDuty. Our core platform is built on top of the hyper-scalable hardened Kubernetes platform.
Our services are fully audited by CloudWatch. CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides data and actionable insights to monitor how applications respond to system-wide performance changes, optimise resource utilisation, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, providing us with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers. We use CloudWatch to detect anomalous behaviour in our environments, set alarms, visualise logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep our applications running smoothly.
Formal standards
Through our use of AWS datacentres and cloud services we offer our customers and partners the ultimate level of security, resilience and compliance with local legislation in each geography we operate in. We adopt optional additional programs offered through AWS’s ecosystem to further enhance the protection of our services and data. Through this, our Security, Risk and Compliance frameworks are designed to leverage the AWS Shared Responsibility Model. Zudello builds on the following global AWS certifications and attestations to deliver a secure platform and operating experience for customers:
- CSA
- CyberGRX
- ISO9001
- ISO27001
- ISO27017
- ISO27701
- ISO27018
- PCI DSS Level 1
- SOC 1
- SOC 2
- SOC 3
Zudello also aligns with the following programs through our AWS infrastructure and services:
- CJIS
- EU-US Privacy Shield
- FinTech Japan
- FISC
- FISMA
- G-Cloud
- GxP (FDA CFR 21 Part 11)
- HITRUST
- Medical Information Guidelines - Japan
- MPAA
- NISC - Japan
- NIST
- UK Cloud Security Principles
- Uptime Institute Tiers
Our services benefit from alignment with the following privacy principles and legislative guidelines:
- Cloud Computing Compliance Controls Catalog (C5)
- Cloud Infrastructure Services Providers in Europe (CISPE)
- EU Data Protection
- EU-US Privacy Shield
- General Data Protection Regulation (GDPR)
- Australia Data Privacy
- New Zealand Data Privacy
Furthermore, the physical access to all our datacentres is tightly controlled by Amazon with multiple layers of security, controls and active monitoring. This is backed up by the AWS 24x7 Security Operations Centres which monitor, triage and execute security programs for our data centres.
The infrastructure layer is also a multi-layered, highly secure environment with highly restricted access and security protocols. Advanced diagnostics are continuously run across all infrastructure (including networks) together with regular maintenance programs. All services are designed and built with redundancy in mind across water, power, telecommunications and internet connectivity.
The data layer is the most secure layer and is protected by threat and electronic intrusion detection systems with real-time alerting to align with best-practice legal and compliance requirements. All storage devices are managed in accordance with exacting standards including NIST 800-88 for secure decommissioning and disposal. These systems and processes are audited by external auditors against over 2,600 stringent tests throughout the year.
The environmental layer is designed to withstand natural disasters and fire using the latest automated technology such as fire detection and suppression equipment and backed up by multiple Availability Zones in case of need for total business continuity in the face of a disruption event.
Application hardening is supported through automatic and manual methods based on Center for Internet Security (CIS) benchmarks.
Business continuity plans and disaster recovery plans for our datacentres can be provided on request.
Application Security
All Zudello public web application communications are encrypted over secure TLS, which cannot be viewed by a third party and is the same level of encryption used by banks and financial institutions. All data for Zudello is encrypted at rest using AES-256 encryption.
PCI DSS compliance is not applicable to Zudello, as it does not store payment card information.
Zudello actively monitors ongoing security, performance and availability 24/7/365. We run automated security testing on an ongoing basis. We also contract a third party for regular penetration testing.
Other practical security measures we take:
Zudello adopts further systems and follows a number of additional processes to help secure customers’ environments and data. Our security is based on the following 13 essential layers:
- ACL - Account access is limited to your team, which you control.
- Role-based security - allowing for the separation of privileges by user role.
- Two-factor authentication - is supported and can be enforced across your team.
- TLS and encryption in transit and at rest - your connection to Zudello and the data Zudello stores for you are encrypted at all times, in transit (using TLS) and at rest (using the industry-standard AES-256 encryption algorithm).
- Application security - the application uses AWS ELB (Elastic Load Balancer), which provides desync mitigation, invalid header filtering and monitoring to automatically protect against intrusion, DDoS and other methods of attack.
- Vulnerability testing - We regularly scan our services for internal review and remediation.
- Dependency vulnerability assessment - Dependent packages are regularly reviewed for new security threats and appropriate remediation action is taken.
- Audit log - provides the client with a detailed audit trail of all document activity in the account.
- Location - all data uploaded into Zudello is kept locally and is stored across multiple data centres for DR.
- Restricted Access - we restrict access to the various layers of our platform.
- Incident Management - our incident management, mandatory data breach and crisis and business continuity processes are designed to provide reassurance to our partners and customers of our ability to respond quickly and effectively to any threat.
- Software development practices - we follow industry best practices for SDLC including secure coding practices and the OWASP top 10.
- Middleware controls - when customers use middleware connections to our services, these only call out to our services on customer initiation, so no inbound ports need to be opened and no network vulnerabilities are introduced on the customer side.
Further internal controls are governed by our policies and processes such as BYOD, acceptable use policy, change control processes, risk register and board reporting.
As part of our ISO27001 Compliance Program we are committed to regular third-party security testing of the environment and application, and we remediate and manage any serious risks that are identified. We conduct regular internal audits of all security and threat vectors.
*Based on our global cloud infrastructure with AWS services.