Data Security @Sustanya
Introduction
Sustanya’s mission is to empower companies and the finance sector with simple and relevant ESG reporting. Our software helps you compile, analyze and report ESG data quickly and simply.
We are your partner in advancing your sustainability digital transformation and disclosure.
Our users trust us to keep their data secure, private, and available whenever they need it. We take that responsibility seriously.
At Sustanya, we maintain a security system that:
Prevents unauthorized access;
Maintains data integrity and availability; and
Embraces ongoing, proactive improvement to stay on top of the latest security threats.
Organizational Security
Sustanya’s security program is based on the concept of defense in depth: securing our organization, and your data, at every layer. Our security program is constantly evolving with updated guidance and new industry best practices.
Sustanya’s Development team is responsible for the implementation and management of our security program, which is organised around the following areas: Encryption; Network Security and Server Hardening; Access Control; System Monitoring and Logging; Data Retention and Disposal; Disaster Recovery and Business Continuity Plan; and Vendor Management.
The focus of Sustanya’s security program is to prevent unauthorized access to customer data. To this end, our team takes steps to identify and mitigate risks, implements best practices, and constantly develops ways to improve.
Data in transit
All data transmitted between Sustanya clients and the Sustanya service is protected by strong encryption protocols. Sustanya supports the recommended secure cipher suites for all traffic in transit, using TLS 1.2 and AES-256 encryption whenever the client supports them.
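To make that policy concrete, here is an added example in Go (not Sustanya's code; the page does not describe its servers or stack): a server configuration with TLS 1.2 as the floor and only forward-secret AES-256-GCM suites for TLS 1.2, plus a real loopback handshake showing a client limited to TLS 1.1 being refused, a TLS 1.2 client negotiating AES-256-GCM, and a TLS 1.3 client getting TLS 1.3. The host name sustanya.example and the self-signed certificate are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const testHost = "sustanya.example" // assumed host name for the demo; the page names none

// HardenedServerConfig encodes the stated policy: TLS 1.2 is the floor and the TLS 1.2
// suites are limited to forward-secret AES-256-GCM. Go fixes the TLS 1.3 suites itself.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert mints a throwaway ECDSA certificate so the demo runs offline;
// a real deployment uses a CA-issued certificate.
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{testHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Negotiate runs a real handshake over loopback TCP between the hardened server and a
// client whose newest protocol is clientMax (0x0302 = TLS 1.1, 0x0303 = TLS 1.2,
// 0x0304 = TLS 1.3). The client deliberately still offers TLS 1.0, modelling an
// outdated integration: the server policy is what must hold the line.
func Negotiate(clientMax uint16) (version uint16, cipher string, err error) {
	cert := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer conn.Close()
		srvErr <- tls.Server(conn, HardenedServerConfig(cert)).Handshake()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf) // trust only the demo cert; never InsecureSkipVerify
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: testHost, RootCAs: roots, MinVersion: tls.VersionTLS10, MaxVersion: clientMax,
	})
	if err != nil {
		ln.Close() // unblocks Accept if the TCP connect itself failed
		<-srvErr
		return 0, "", err
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return 0, "", err
	}
	st := cli.ConnectionState()
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

func main() {
	for _, top := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		v, c, err := Negotiate(top)
		fmt.Printf("client max %#x -> version=%#x cipher=%q err=%v\n", top, v, c, err)
	}
}
```

Two points the paragraph alone does not show: the control that matters is the server's MinVersion, which is why the client is left deliberately lax and still gets refused; and Go's CipherSuites field filters only TLS 1.2 suites, since the TLS 1.3 suite list is fixed by the library (it always includes AES-256-GCM), so for the TLS 1.3 client only the version is checked.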
Data at rest
Data at rest in Sustanya’s production network is encrypted using the industry-standard AES-256 encryption algorithm. This applies to all types of data at rest within Sustanya’s systems: relational databases, file stores, database backups, etc. All encryption keys are stored on a secure server in a segregated network with very limited access. Sustanya has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
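As an added illustration of the key separation described above (not Sustanya's implementation, whose design the page does not detail), here is an envelope-encryption example in Go: each record is encrypted with its own 256-bit data key under AES-256-GCM, that data key is wrapped by a key-encryption key that only a separate key service holds, and the record ID is bound in as additional authenticated data. The KeyService type, the Record layout and the sample ESG value are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for the segregated key server: it holds the key-encryption key
// (KEK) and only wraps/unwraps data keys. Application code never sees the KEK. (Assumed design.)
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// sealGCM encrypts with AES-256-GCM under a fresh random nonce, returning nonce||ciphertext.
// aad is authenticated but not encrypted; it binds the ciphertext to its context.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext, nonce or aad fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap are the only operations the key service exposes.
func (ks *KeyService) Wrap(dek, recordID []byte) ([]byte, error) { return sealGCM(ks.kek, dek, recordID) }
func (ks *KeyService) Unwrap(wrapped, recordID []byte) ([]byte, error) { return openGCM(ks.kek, wrapped, recordID) }

// Record is what lands in the database or a backup: ciphertext plus a wrapped data
// key, and no key material in clear.
type Record struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord generates a one-off 256-bit data key for this record, encrypts the
// payload with it, then has the key service wrap the data key under the KEK.
func EncryptRecord(ks *KeyService, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(id)) // record ID as AAD: ciphertext cannot be moved between rows
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the key service; a copied Record alone is useless.
func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s: %w", r.ID, err)
	}
	return openGCM(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	ks, _ := NewKeyService() // demo only; errors are checked in the functions above
	rec, _ := EncryptRecord(ks, "report-2023-q4", []byte("scope 1 emissions: 1234 tCO2e")) // constructed sample
	pt, err := DecryptRecord(ks, rec)
	fmt.Printf("stored %d ciphertext bytes, no key in clear; decrypted %q err=%v\n", len(rec.Ciphertext), pt, err)
}
```

The properties worth checking against this design: a leaked table or backup yields only ciphertext and wrapped keys, which are useless without the key service; a single flipped byte fails GCM authentication; and moving a ciphertext under another record ID fails too, because the ID is part of the authenticated data.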
Each Sustanya customer’s data is hosted in our shared infrastructure and logically separated from other customers’ data. We use a combination of storage technologies to ensure customer data is protected from hardware failures and is returned quickly when requested. The Sustanya service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that comprise the Sustanya operating environment. Our infrastructure providers are compliant with rigorous international standards, such as ISO 27017 for cloud security controls, ISO 27701 for privacy information management, and ISO 27018 for the protection of personal data in public clouds.
Network Security and Server Hardening
Sustanya divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development activities are hosted on a separate network from the systems supporting Sustanya’s production infrastructure.
Network access to Sustanya’s production environment from open, public networks (the Internet) is restricted; only a small number of production servers are reachable from the Internet.
Provisioning
To minimize the risk of data exposure, Sustanya adheres to the principles of least privilege and role-based permissions when provisioning access—workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly.
Authentication
Where possible and appropriate, Sustanya uses key-based (public/private key pair) authentication.
System Monitoring and Logging
Sustanya monitors all servers, retaining and analyzing logs to maintain a comprehensive view of the security state of its corporate and production infrastructure.
Data Retention and Disposal
Sustanya’s hosting providers are responsible for ensuring that data is removed from disks in a responsible manner before the disks are repurposed.
Disaster Recovery and Business Continuity Plan
Sustanya retains a full backup copy of production data in a remote location geographically distant from the primary operating environment. Full backups are saved to this remote location at least once per day.
Vendor Management
To run efficiently, Sustanya relies on sub-service organizations. Where those organizations may affect the security of the Sustanya production environment, we take appropriate steps to maintain our security posture by establishing agreements that require them to adhere to the confidentiality commitments we have made to users.
If you discover any security vulnerability in Sustanya, please submit a report to info@sustanya.com and we will do our best to fix it promptly.
We have a genuine interest in protecting your data. Every person, team, and organization deserves and expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we continue to work hard to maintain that trust.