
Compliance & Security - Frequently Asked Questions

FAQ

Written by Morten Borum

This FAQ covers general questions and answers related to BitaBIZ services.

General

Area

Question

Answer

Hosting

Where is the application or system being offered hosted, including any disaster recovery sites?

Azure - West Europe is the primary region. Zone-redundant backup storage is used, which synchronously copies BitaBIZ data across three Azure availability zones in the primary region.

Attestations or Certifications

Are there any valid third-party security control attestations or certifications (e.g. ISO 27001, SOC 2, IASME) related to the application, system, or service in question?

All attestations or certifications are available on the Openli Privacy Page.

Cyber Insurance

Is there a current cyber insurance policy that would cover any and all instances that could result in interruption in services? What is the maximum coverage in DKK?

BitaBIZ holds cyber insurance with RiskPoint, which includes designated cyber crisis responders/advisors: Truesec, Nviso and Kammeradvokaten.

Current coverage DKK 5 million.

Key Third Parties

List any key third-party providers (e.g. system development, administration, IT operations, security monitoring, etc.) related to the service, application, or system being offered.

See the Data Processor Agreement.

We only provide the legally binding sub-processor list via our DPA.

Connections

Describe any Customer network connectivity requirements (e.g. virtual private networks, etc.) for the application or system to function. Include any clients or installations required by Customer.

None

Data Transfer

Describe any required file exchange or data transfers to/from Customer to/from vendor systems.

None

On-Going Support

Describe any ongoing maintenance or operations (including cloud-based operations) required for the application or system to function.

Only if integration(s) are activated with:

  • Microsoft Active Directory

  • Microsoft Exchange server.

Network Design

Provide a network diagram(s) of the application or system being offered. If a custom platform is being built, please provide a diagram of the proposed setup.

Data Segregation

Is the application or system hosted in a multi-tenant environment? Describe segregation between customers.

It is multi-tenant and segregation between customers is based on API keys.
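The following is an added example, not code from the original FAQ or from BitaBIZ, illustrating what "segregation based on API keys" has to mean in practice in a multi-tenant system: the tenant is resolved from the presented key and every query is filtered on it, so a record identifier from another tenant returns nothing. The schema, keys and rows are constructed for the example, and the function names are assumptions.

```python
"""Tenant scoping derived from the API key (example code, not BitaBIZ's implementation).
The vulnerable variant authenticates the caller but does not scope the lookup; the
hardened variant takes tenant_id from the key, never from the request."""
import hashlib
import sqlite3


def _key_hash(api_key: str) -> str:
    # Store only a hash of the key so a database read does not leak usable credentials.
    return hashlib.sha256(api_key.encode()).hexdigest()


def build_db():
    """Constructed sample data: two tenants with one employee record each."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT, api_key_hash TEXT UNIQUE);
        CREATE TABLE employees (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, name TEXT);
    """)
    db.execute("INSERT INTO tenants VALUES (1, 'Acme', ?)", (_key_hash("acme-key"),))
    db.execute("INSERT INTO tenants VALUES (2, 'Globex', ?)", (_key_hash("globex-key"),))
    db.execute("INSERT INTO employees VALUES (101, 1, 'Acme employee')")
    db.execute("INSERT INTO employees VALUES (202, 2, 'Globex employee')")
    return db


def tenant_for_key(db, api_key):
    """Resolve the calling tenant from the presented key; None if the key is unknown."""
    row = db.execute(
        "SELECT id FROM tenants WHERE api_key_hash = ?", (_key_hash(api_key),)
    ).fetchone()
    return row[0] if row else None


def get_employee_unscoped(db, api_key, employee_id):
    """Vulnerable: the key proves who is calling, but the lookup ignores the tenant,
    so a valid key for tenant 1 can read tenant 2's rows by guessing an id."""
    if tenant_for_key(db, api_key) is None:
        return None
    row = db.execute("SELECT name FROM employees WHERE id = ?", (employee_id,)).fetchone()
    return row[0] if row else None


def get_employee_scoped(db, api_key, employee_id):
    """Hardened: tenant_id is derived from the key and every query filters on it."""
    tenant_id = tenant_for_key(db, api_key)
    if tenant_id is None:
        return None
    row = db.execute(
        "SELECT name FROM employees WHERE id = ? AND tenant_id = ?",
        (employee_id, tenant_id),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print("unscoped cross-tenant read:", get_employee_unscoped(db, "acme-key", 202))
    print("scoped cross-tenant read:  ", get_employee_scoped(db, "acme-key", 202))
```

The point to check when reviewing such a design is that the tenant filter is applied on every data access path, not only on the ones that were originally written with it in mind; a single unscoped query is enough to undo the segregation.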

Information Security Policies

Provide internal information security policies and standards.

See Information Security Policy.

Mobile App

Is there a mobile app being offered as part of the service? If so, please describe how users will download and authenticate to the mobile app. Include any differences between mobile app and web or desktop offering.

Download from app stores.

Authenticate via the same procedure as on the web.

Option to activate biometric login is available only from the mobile app.

Data Elements

List all data elements/fields that are captured by the application or system being offered. If preferred, a separate systems document may be provided.

See the Data Processor Agreement.

We only provide the legally binding data elements via our DPA.

Artificial Intelligence

AI Development/Outsourcing

Does the third party develop and create their own AI?

No

Data-Machine Learning

Will Customer data be used for machine learning capabilities?

No

AI Interaction Interface

Will the AI interact directly with the end user?

No

Data Controls

Encryption

Describe encryption of data in transit and at rest including algorithms and key management.

Data at rest is encrypted with Azure Transparent Data Encryption (TDE), and data in transit is encrypted.

Data at rest also has Azure Server-Side Encryption (SSE) enabled.

Encryption of data in transit is enforced by default using SSL/TLS.

Backups

Are backups encrypted?

Yes

Data Copies

Is production data used in non-production systems without sanitizing?

No

Disaster Recovery

Are there formal disaster recovery plans that are regularly tested?

Yes.

Data Retention

Describe your data retention policies as they relate to Customer data.

Point-in-time (PIT) backups are retained for 1 month and weekly backups for 2 months, on zone-redundant storage (ZRS) across three Azure data centers. Backups can be restored if needed.

Point-in-time-restore (PITR) backups are taken every hour.

Authentication & Access Controls

Authentication - Customer User

Describe how end users (regular and administrative) will authenticate to the application or system. Are there multiple user interfaces?

The same authentication process is used by users and admins.

Authentication - Vendor User

Describe how any vendor users with access to Customer's instance of application or system will authenticate, including whether multifactor authentication is required for these vendor users.

Vendor users do not have access to BitaBIZ.

Multifactor Authentication

Is multifactor authentication available natively within the application or system (e.g. app or text messaging based second factor)? Is this a global setting, or is it set on a per-user basis? Can it be enforced as a requirement?

Multifactor authentication is manageable by the Customer using SSO.

Whitelisting

Is it possible to whitelist access to the application or system being proposed from specific IP addresses, if necessary?

It is possible by using Cloudflare and/or Azure NSG (Network Security Group). For example, BitaBIZ is not accessible from IP addresses in Russia and Belarus.

Password Settings

Will Customer have the ability to manage password settings and multifactor authentication enablement for Customer users?

Multifactor authentication must be implemented via the Customer's Microsoft Entra ID (formerly Azure Active Directory) and is only available if SSO is activated.

Authentication Controls

Are there mechanisms implemented to ensure the following

- Account lockout when the user fails to input the correct password more than 5 times within 30 minutes, account must be disabled for at least 15 minutes, and the account owner must be informed.

- Disable accounts after 90 days inactivity.

- Require a Password Reset every 90 days.

Account lockout is triggered after 5 failed attempts and lasts 5 minutes. The account owner is not informed.

Inactive accounts are not disabled.

No password reset policy exists.
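The two lockout configurations discussed above, the control the question asks for and the one the answer describes, as an added example that is not part of the original FAQ or BitaBIZ's code. The class and parameter names are assumptions; because the answer states no counting window for the current policy, the example counts failures without a window in that configuration.

```python
"""Account-lockout policy comparison (example code, not BitaBIZ's implementation).
Timestamps are plain seconds so the behaviour is deterministic."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    max_failures: int        # failures that trigger a lockout
    window_seconds: float    # failures only count inside this window; None = no window (assumption)
    lock_seconds: float      # how long the account stays locked
    notify_owner: bool       # whether the account owner is told about the lockout


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    _failures: dict = field(default_factory=dict)      # user -> deque of failure timestamps
    _locked_until: dict = field(default_factory=dict)  # user -> unlock time
    notifications: list = field(default_factory=list)  # (user, message) sent to the owner

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and start with a clean failure history.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user, now):
        """Record a failed password attempt; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        q = self._failures.setdefault(user, deque())
        q.append(now)
        if self.policy.window_seconds is not None:
            # Drop failures that fell out of the counting window.
            while q and now - q[0] > self.policy.window_seconds:
                q.popleft()
        if len(q) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lock_seconds
            q.clear()
            if self.policy.notify_owner:
                self.notifications.append((user, f"account locked at t={now}"))
            return True
        return False

    def record_success(self, user, now):
        """A successful login clears the failure history unless the account is locked."""
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True


# The policy described in the answer above: 5 attempts, 5-minute lock, nobody informed.
CURRENT_POLICY = LockoutPolicy(max_failures=5, window_seconds=None,
                               lock_seconds=5 * 60, notify_owner=False)

# The policy the question asks for: 5 failures within 30 minutes, locked at least
# 15 minutes, account owner informed.
REQUESTED_POLICY = LockoutPolicy(max_failures=5, window_seconds=30 * 60,
                                 lock_seconds=15 * 60, notify_owner=True)


def simulate(policy, failure_times, user="alice"):
    """Feed failure timestamps through a fresh tracker; return (locked after each, notifications)."""
    tracker = LockoutTracker(policy)
    locked = [tracker.record_failure(user, t) for t in failure_times]
    return locked, list(tracker.notifications)


if __name__ == "__main__":
    slow = [0, 40 * 60, 80 * 60, 120 * 60, 160 * 60]   # one failure every 40 minutes
    burst = [0, 10, 20, 30, 40]                         # five failures in 40 seconds
    print("current, slow: ", simulate(CURRENT_POLICY, slow))
    print("requested, slow:", simulate(REQUESTED_POLICY, slow))
    print("current, burst: ", simulate(CURRENT_POLICY, burst))
    print("requested, burst:", simulate(REQUESTED_POLICY, burst))
```

Two things the comparison makes visible: without a counting window, the current policy locks an account after five failures no matter how far apart they are, which a patient guesser can work around only by waiting out the lock, while a windowed policy lets slow guessing continue indefinitely; and the requested notification is the only part of either policy that gives the account owner a signal that guessing is happening at all.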

Session Timeout

Do administrative user sessions timeout after [at most] 20 minutes?

The session timeout is set to 335 hours (approximately 14 days), as requested by our customers.

Single-Sign-On

Can the application or system be integrated with Single-Sign-On, if necessary? Please specify technologies or standards supported.

Yes. SAML 2.0

Access Lists

Can the application or system facilitate regular user entitlement reviews by providing user access lists on demand?

Yes. Via Admin role.

Security Event & Incident Monitoring

Logging

Describe all security event logging (i.e. application, database, system, network) and monitoring including tools (i.e. log aggregator, SIEM, etc.) in place. How long are such logs kept? (BB standards require retention of logs for at least 1 year)

Azure SQL, app service, functions, and logic app logs are kept for 30 days. Azure VM logs are kept indefinitely. Tools for monitoring include Azure Application Insights and Azure Log Analytics workspace.

Monitoring

Is there an intrusion prevention system (IPS) in place? If so, please provide details on which tool(s) and how its alerts are monitored. Please include both network intrusion prevention and application security systems (i.e. web application firewall or WAF).

Intrusion prevention systems include Cloudflare and Azure Defender.

Monitoring

Who is responsible for monitoring security alerts from security systems such as SIEM, IPS, WAF, etc.?

BitaBIZ

Monitoring

Is there a process to notify customers of security incidents involving their data? For example, minimum notification timeframe.

Yes. See the Data Processor Agreement.

The data processor's notification to the data controller shall, if possible, take place within 48 hours after the data processor has become aware of the personal data breach, to enable the data controller to comply with the data controller's obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.

Known Breaches

Have there been any known security breaches, disclosures of PII, alteration or damage of web server content, or denial of service incidents in the last three years?

No

Vulnerability Scanning & Penetration Testing

Vulnerability Scanning

Describe vulnerability scanning of applications and infrastructure layers including tools in use and scan frequencies.

Azure Defender scans the system continuously.

Penetration Testing

Describe internal or external third-party penetration testing including frequency and scope. If separate application and infrastructure testing were conducted, please provide both results.

Testing focuses on the OWASP Top 10 and the CWE/SANS Top 25 lists of the most critical web application security risks, with Burp Suite Professional as the main application security testing tool.

The tests are performed by an external provider.

Microsoft Security Assessment

Microsoft Security Assessment standard

The Microsoft Security Assessment is performed annually and executed by Microsoft.

Personal Data: Privacy by design and default

Privacy by design and default

Please describe how you ensure that privacy by design and default is incorporated into all IT systems, services, products and/or processes that are being developed in your organization and that contain personal data.

Ensuring Privacy by Design and Default in BB Systems, Services, Products, and Processes

Our organization incorporates privacy by design and default principles throughout the lifecycle of all IT systems, services, products, and processes that involve personal data. Below are the key steps and practices we follow to ensure compliance with privacy regulations and to safeguard personal data:

1. Embedding Privacy from the Outset

  • Privacy Impact Assessments (PIAs): Conducted at the inception of every project to identify risks to personal data and address them proactively.

  • Stakeholder Involvement: Cross-functional teams, including privacy experts, developers, and business units, collaborate during the design phase to integrate privacy requirements.

  • Data Minimization: Systems and processes are designed to collect and process only the personal data necessary for the intended purpose.

2. Implementing Technical and Organizational Measures

  • Default Settings: All systems and services are configured to the most privacy-friendly settings by default, requiring users to opt-in for any data sharing.

  • Encryption and Anonymization: Personal data is encrypted both in transit and at rest, and anonymization techniques are used wherever possible to reduce identifiability.

  • Access Control: Role-based access control ensures that only authorized personnel have access to personal data.

IT Security (Organizational)

Risk owners

Does your organization have owners appointed towards each identified risk, and has it been ensured that these owners continuously determine how they want to manage their risk through e.g. implementing and establishing security controls?

Yes

InfoSec and privacy processes

Do you have effective processes in place ensuring that information security and privacy is considered and built into the lifecycle of all projects being developed in your organization?

Yes

Principle of least privilege

Are the access rights of your employees restricted to the work they need to conduct, and do you regularly check that access rights are based on the principle of least privilege?

Yes

IT Security (Technical)

Password requirements description

Please describe the requirements for passwords (user credentials) that your organization has implemented, such as minimum character length, requirements for uppercase and lowercase letters, how often passwords must be changed, etc.

Manual login: Minimum password length: 8

SSO login: PW requirements managed by Customer

Blocking access after login-attempts

Is there a limit to the number of login attempts allowed on applications where Customer's data is stored? How many attempts are allowed before the user is blocked and can't try to log in for a period of time?

Yes. As stated under Authentication Controls above: the account is locked after 5 failed login attempts, and the lock lasts 5 minutes.

Asset inventory

Do you have an asset inventory where all information assets are registered, categorized, and assigned an owner?

Yes

Ownership assets

Do all assets have clearly defined owners who are aware of their responsibilities throughout the asset's lifecycle?

Yes

Acceptable use policy

Do you have policies, procedures, and/or guidelines in place to inform employees about how to use each asset, such as an acceptable use policy?

Yes

Encryption at rest

Is Customer's data encrypted when stored on your servers (encryption-at-rest)? If yes, what encryption method is used? If not, why is encryption at rest not considered necessary?

Yes

Access to encryption keys

Is the management of encryption keys assigned to qualified employees, and is access strictly limited to those who need it for their work?

Yes

Malware protection

Do you have a formal process to ensure systematic virus scanning, use of host- and network-based systems, and integration with your incident response process? Do you regularly evaluate and report on the effectiveness of this process?

Microsoft Defender provides antimalware monitoring for all apps.

Malware Defenses

Please provide details on whether antimalware software and host intrusion detection systems (HIDS) are installed on all servers hosting Customer data, including which tools are used and how definitions are kept up to date.

Microsoft Defender provides antimalware monitoring for all apps.

Backup policy

Do you have a backup policy?

Yes

Backups - total

Do you have a formal process to identify critical systems, determine how often backups should be performed and tested, and do you regularly evaluate and report on the effectiveness of this process?

Yes

Disaster recovery site (backup)

Are backups stored securely in a location separate from the primary site, and is access limited to employees with a work-related need?

Point-in-time backups are retained for 1 month and weekly backups for 2 months, on zone-redundant storage (ZRS) across three Azure data centers. Backups can be restored if needed.

Point-in-time-restore (PITR) backups are taken every hour.

Please elaborate on how you protect yourselves from ransomware attacks, e.g. by using immutable backups, offline backups, etc.

Do you have measures in place to protect against ransomware attacks that could make large amounts of your data inaccessible? What are these measures?

  • Geographically Distributed Backups: Backups are replicated across multiple locations to protect against local attacks or disasters.

  • Firewall and Network Segmentation: Firewalls and network segmentation limit the spread of ransomware within the organization. Critical systems are isolated to reduce risk.

  • Software Updates: All systems, including operating systems, applications, and firmware, are regularly updated to fix vulnerabilities that ransomware could exploit.

  • Employee training

  • Zero Trust Architecture

  • Vulnerability scanning

  • Penetration scanning

Event logs

Do you maintain and regularly review event logs?

Yes

Log of admin activities

Do you have procedures for controlling software installation on operational systems?

Yes

Software on Operational Systems

Do you have procedures for controlling software installation on operational systems?

Yes

Patch management

Do you have an effective patch management program that includes evaluating, testing, approving, deploying, and verifying patches?

Yes

Network topology

Do you document and maintain your network topology, and is your production environment protected by firewalls?

Yes

Segregation of networks

Are all networks separated to maintain secure environments, with the production network separated from the internal network?

Yes
