Where is the application or system that is being offered hosted including any disaster recovery sites?

Azure - West Europe is the primary region. Zone-redundant backup storage is used which copies BitaBIZ data synchronously across three Azure availability zones in the primary region.

Are there any valid third party security control attestations for certifications (e.g. ISO 27001, SOC 2, IASME) related to the application, system, or service in question? Please provide.

All attestations or certifications are available in Openli Privacy Page

Is there a current cyber insurance policy that would cover any and all instances that could result in interruption in services to Customer? What is its maximum coverage in USD?

No

List any key third party providers (i.e. system development, administration, IT operations, security monitoring, etc.) related to the service, application, or system being offered.

See Data Processor Agreement.

We only supply the legally binding sub-processor list via our DPA contract.

Describe any Customer network connectivity requirements (i.e. virtual private networks, etc.) for the application or system to function. Include any clients or installations required by Customer.

None

Describe any required file exchange or data transfers to/from Customer to/from vendor systems.

None

Describe any ongoing maintenance or operations (including cloud based operations) required for the application or system to function.

Only if activated maintain integration(s) to:

Provide a network diagram(s) of the application or system being offered. If a custom platform is being built, please provide a diagram of the proposed setup.

Is the application or system hosted in a multi-tenant environment? Describe segregation between customers .

It is multi-tenant and segregation between customers is based of api-keys.

Provide internal information security policies and standards.

See Information Security Policy.

Is there a mobile app being offered as part of the service? If so, please describe how users will download and authenticate to the mobile app. Include any differences between mobile app and web or desktop offering.

Download from app stores.

Authenticate via same procedure as on web.

Option to activate biometric login is available only from mobile app.

List all data elements/fields that are captured by the application or system being offered. If prefered, a separate systems document may be provided.

See Data Processor Agreement.

We only supply the legally binding data elements via our DPA contract.

Does the third party develop and create their own AI? (Check if it outsourced to other vendors such as Amazon, Google, or IBM)?

No

Will Customer data be used for machine learning capabilities?

No

Will the AI interact directly with end user?

No

Describe encryption of data in transit and at rest including algorithms and key management.

Data is encrypted at rest with Azure Transparent Data Encryption and in transit. Encryption of data in transit enforced by default using SSL and TLS.

Are backups encrypted?

Yes

Is production data used in non-production systems without sanitizing?

No

Disaster Recovery

Are there formal disaster recovery plans that are regularly tested?

Yes.

Data Retention

Describe your data retention policies as they relate to Customer data.

Point in time backups is stored 1 month, and weekly backups are stored for 2 months on Zone redundant storage (ZRS) on 3 different Azure data centres. Backups can be restored if needed

Authentication - Customer User

Describe how end users (regular and administrative) will authenticate to the application or system. Are there multiple user interfaces?

The same authentication process is used by users and admins.

Authentication - Vendor User

Describe how any vendor users with access to Customer's instance of application or system will authenticate including whether multifactor authentication is required for these vendor users.

Vendors do not have access to BitaBIZ

Multifactor Authentication

Is multifactor authentication available natively within the application or system (i.e. app or text messaging based second factor)? Is this a global setting or is it set on a per-user basis? Can it be enforced as a requirement?

Multifactor authentication is manageable with Customer using SSO

Whitelisting

Is it possible to whitelist access to the application or system being proposed from specific IP addresses, if necessary?

No

Password Settings

Will Customer have the ability to manage password settings and multifactor authentication enablement for Customer users?

Multifactor authentication need to be implemented via Customer Active Directory and is only available if SSO is activated.

Authentication Controls

Are there mechanisms implemented to ensure the following

- Account lockout when the user fails to input the correct password more than 5 times within 30 minutes, account must be disabled for at least 15 minutes and the account owner must be informed.

- Disable accounts after 90 days inactivity.

- Require a Password Reset every 90 days.

Account lockout is set at 5 times and disabled for 5 minutes. Nobody is informed.

No accounts are disabled.

No password reset policy exists.

Session Timeout

Do administrative user sessions timeout after [at most] 20 minutes?

Timeout is set to 11 hours.

Single-Sign-On

Can the application or system be integrated with Single-Sign-On, if necessary? Please specify technologies or standards supported.

Yes. SAML 2.0

Access Lists

Can the application or system facilitate regular user entitlement reviews by providing user access lists on-demand?

Yes. Via Admin role.

Logging

Describe all security event logging (i.e. application, database, system, network) and monitoring including tools (i.e. log aggregator, SIEM, etc.) in place. How long are such logs kept? (BB standards require retention of logs for at least 1 year)

Azure SQL, app service, functions and logic apps logs are kept for 30 days. Azure VM logs are kept indefinitely. Tools for monitoring include Azure Application Insights and Azure Log Analytics workspace.

Monitoring

Is there an intrusion prevention system (IPS) in place? If so, please provide details on which tool(s) and how its alerts are monitored. Please include both network intrusion prevention and application security systems (i.e. web application firewall or WAF).

Intrusion prevention systems include CloudFlare and Azure Defender.

Monitoring

Who is responsible for monitoring security alerts from security systems such as SIEM, IPS, WAF, etc.?

BitaBIZ

Monitoring

Is there a process to notify customers of security incidents involving their data? For example, minimum notification timeframe.

Yes. See Data processor agreement.

The data processor’s notification to the data controller shall, if possible, take place Page 8 of 15

within 48 hours after the data processor has become aware of the personal data

breach to enable the data controller to comply with the data controller’s obligation to

notify the personal data breach to the competent supervisory authority, cf. Article 33

GDPR.

Known Breaches

Have there been any known security breaches, disclosures of PII, alteration or damage of web server content, or denial of service incidents in the last three years?

No

Vulnerability Scanning

Describe vulnerability scanning of applications and infrastructure layers including tools in use and scan frequencies.

Azure Defender scan the system constantly.

Penetration Testing

Describe internal or external third party penetration testing including frequency and scope. If separate application and infrastructure testing was conducted, please provide both most recent.

We focus on the OWASP Top 10 and CWE/SANS 25 reports of the most critical risks for web application security. We will use the best-in-breed application security testing tool Burp Suite Professional as our main tool.

The tests will be performed by an external provider.

Microsoft Security Assessment

Microsoft Security Assessment standard

The Microsoft Security Assessment will be done annually and executed by Microsoft

Privacy by design and default

Please describe how you ensure that privacy by design and default is incorporated into all of the it-systems, services, products and/or processes that are being developed in your organization and that contains personal data

Ensuring Privacy by Design and Default in IT Systems, Services, Products, and Processes

Our organization incorporates privacy by design and default principles throughout the lifecycle of all IT systems, services, products, and processes that involve personal data. Below are the key steps and practices we follow to ensure compliance with privacy regulations and to safeguard personal data:

Risk owners

Does your organization have owners appointed towards each identified risk, and has it been ensured that these owners continuously determine how they want to manage their risk through e.g. implementing and establishing security controls?

Yes

InfoSec and privacy processes

Do you have effective processes in place ensuring that information security and privacy is considered and built into the lifecycle of all projects being developed in your organization?

Yes

Principle of least privilege

Are the access rights of your employees restricted to the work they need to conduct, and do you regularly check that access rights are based on the principle of least privilege?

Yes

Password requirements description

Please describe the requirements to passwords (user credentials) which your organization has implemented, e.g. the minimum amount of characters, requirements to uppercase and lowercase, frequency regarding change of password etc.

Manuel login: Minimum password length: 8

SSO login: PW requirements managed by Customer

Blocking access after login-attempts

Is it ensured that only a certain number of login-attempts can be carried out on applications where Customer's data is stored? How many login-attempts can be carried out before the user is blocked and can't try to login for a period of time?

OK

Asset inventory

Do you have an asset inventory in which all information assets are registered, categorized and assigned ownership?

Yes

Ownership assets

Do all assets have clearly defined owners who are aware of their responsibilities for the lifecycle of those assets?

Yes

Acceptable use policy

Do you have policies, procedures and/or guidelines in place informing employees about how to use each asset, e.g. an acceptable use policy?

Yes

Encryption at rest

Is Customer's data encrypted when it is stored on your servers, i.e. encryption-at-rest? If yes, which encryption mechanism is used for this, and if no, why is encryption at rest not considered necessary?

Yes

Access to encryption keys

Has it been ensured that the administration of encryption keys has been assigned to capable employees and that access to the keys is strictly restricted to employees with a work-related need?

Yes

Malware protection

Do you have a formalized process in place to ensure that virus-scanning is conducted systematically, and that hos- and network-based systems are used, and that these are fully incorporated into an incident response-process? And do you evaluate and report on the effectiveness of this process regularly?

Microsoft Defender monitors all apps for antimalware software.

Malware Defenses

Provide details on whether antimalware software and host intrusion detection systems (HIDS) are installed on all servers hosting Customer data including tools in use, and how definitions are kept up to date.

Microsoft Defender monitors all apps for antimalware software.

Backup policy

Do you have a backup policy?

Yes

Backups - total

Do you have a formalized process in place to ensure that critical systems are identified, and that it is determined how often backups should be performed of these systems, and how often backups should be tested? And do you evaluate and report on the effectiveness of this process regularly?

Yes

Disaster recovery site (backup)

Are backups stored in a secure location which is separated from the primary site, and is the access to these backups restricted to employees with a work-related need?

Point in time backups is stored 1 month, and weekly backups are stored for 2 months on Zone redundant storage (ZRS) on 3 different Azure data centres. Backups can be restored if needed

Please elaborate on how you protect yourselves from ransomware-attacks, e.g. by using immutable backups, offline-backups etc.

Do you have measures in place to protect yourselves from a ransomware-attack whereby large chunks of your data becomes inaccessible? What are these measures?

Geographically Distributed Backups:

Backups are replicated across multiple locations to safeguard against localized attacks or disasters.

Firewall and Network Segmentation:

Firewalls and network segmentation limit the lateral movement of ransomware within the organization. Critical systems are isolated to reduce exposure.

Software Updates:

All systems, including operating systems, applications, and firmware, are regularly updated to address vulnerabilities exploited by ransomware.

Employee training

Zero Trust Architecture

Vulnerability scanning

Penetration scanning

Event logs

Do you maintain, and regularly review, event logs?

Yes

Log of admin activities

Do you have procedures for controlling the installation of software on operational systems?

Yes

Software on Operational Systems

Do you have procedures for controlling the installation of software on operational systems?

Yes

Patch management

Do you have an effective patch management program in place which includes evaluating patches, testing patches, approving patches, deploying patches and verifying patches?

Yes

Network topology

Do you document and maintain a network topology and is your production environment secured using firewalls?

Yes

Segregation of networks

Are all networks separated to support healthy environments, with the production network being separated from the internal network?

Yes