We have an Information Security Management System (ISMS) in place to achieve our security objectives and the risks and mitigation concerning all interested parties. We employ strict policies and procedures encompassing customer data security, availability, processing, integrity, and confidentiality.
Each employee or associate, when inducted, signs a confidentiality agreement and Acceptable Use Policy (AUP), after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests to identify gaps. We provide training on specific security aspects that they may require based on their roles.We educate our employees on information security, privacy, and compliance on our internal community platform (digital), where our employees stay updated on Slingr’s ongoing security practices. Finally, we host internal events to raise awareness and drive innovation in security and privacy.
Dedicated security and privacy teams
Our dedicated security team implements and manages our security and privacy programs. This team designs and maintains our security protocols, develops review processes and monitors our networks to detect suspicious activity providing domain-specific guidance to our engineering teams.
Internal audit and compliance
We have a dedicated compliance team to review procedures and policies in Slingr to align them with standards, and to determine what controls, processes, and systems are needed to meet Slingr and clients’ criteria. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.
All workstations issued to Slingr employees run up-to-date OS versions with anti-virus software. Workstations are appropriately configured, patched, tracked, and monitored by Slingr's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and auto-lock when idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
We control access to our building and facilities) including entry and resource utilization using access cards or face recognition. We provide contractors, vendors, and visitors with different access cards that allow access specific to the purpose of their entrance into the premises. The Human Resource (HR) team establishes and maintains the role-specific permissions. We retain access logs to spot and address anomalies.
Our network security and monitoring techniques provide multiple layers of protection and defense. We use firewalls to prevent our network from unauthorized access and undesirable traffic. Our systems are segmented into separate networks to protect sensitive data. We host systems that support testing and development activities on a different network from systems supporting production infrastructure.We monitor firewall access controls on a strict schedule, review any firewall changes daily, and perform a comprehensive review every three months to update and revise rules. Our Network Operations Center team monitors the infrastructure and applications for discrepancies or suspicious activities. We scan crucial parameters using our proprietary tool and trigger notifications in any instance of abnormal or suspicious activities in our production environment.
Network and Server redundancy
The Slingr platform features redundant components and a distributed grid architecture to protect client applications and services from server failures.We use multiple switches, routers, and security gateways to ensure device-level redundancy to prevent single-point failures in the internal network.
We use technologies from leading and trustworthy service providers that offer multiple DDoS mitigation capabilities to prevent disruptions caused by nefarious traffic. We keep our websites, applications, and APIs highly available and performing.
All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has embedded server hardening that is provisioned to ensure consistency across servers.
Intrusion detection and prevention
Our intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, we have our proprietary WAF which operates on both whitelist and blacklist rules.At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer.This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any.
Secure by design
Every change and new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection,Cross site scripting and application layer DOS attacks.
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.The service data is stored on our servers when you use our services. Your data is owned by you, and not by Slingr. We do not share this data with any third-party without your consent.
In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols.We mandate all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access,API access,and our mobile apps. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred.Additionally for email, our services leverages opportunistic TLS by default.TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled HTTP Strict Transport Security header (HSTS) to all our web connections.This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site.Additionally, on the web we flag all our authentication cookies as secure.At rest: Sensitive customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS). We provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.Please for detailed information about encryption at Slingr and refer to the table below to understand what data we encrypt in our services.
Data retention and disposal
We hold the data in your account as long as you choose to use HQ cloud services. Once you terminate your Slingr user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 120 days, we will terminate it after giving you prior notice and option to back-up your data.A verified and authorized vendor carries out the disposal of unusable devices. Until such time, we categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. We degauss failed hard drives and then physically destroy them using a shredder. We crypto-erase and shred failed Solid State Devices (SSDs).
Identity and Access control
Single Sign-On (SSO)
Slingr offers single sign-on (SSO) that lets associates access multiple services using the same sign-in page and authentication credentials. When you sign in to any Slingr service, it happens only through our integrated Identity and Access Management (IAM) service.SSO simplifies the login process,ensures compliance,provides effective access control and reporting, and reduces risk of password fatigue, and hence weak passwords.
It provides an extra layer of security by demanding an additional verification (jn addition to the password). This can greatly reduce the risk of unauthorized access if a user’s password is compromised. Currently we work with Time-based OTP, which can be configured multi-factor authentication using Slingr One-Auth.
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, we facilitate such access through a separate network with stricter rules and hardened devices. Additionally, we log all the operations and audit them periodically.
Logging and Monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
Detailed audit logging covering all update and delete operations performed by the user are available to the customers in every cloud service.
We have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, our security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.
Once we identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. We further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.
Malware and spam protection
We scan all user files using our automated scanning system that’s designed to stop malware from being spread through Slingr's ecosystem.
Our custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns. Furthermore, our proprietary detection engine bundled with machine learning techniques, ensures customer data is protected from malware.
Slingr (a dba of Idea2 Ltd.) supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic.We also use our proprietary detection engine for identifying abuse of HQ cloud services like phishing and spam activities. Additionally, we have a dedicated anti-spam team to monitor the signals from the software and handle abuse complaints.
We run incremental backups everyday and weekly full backups of our databases. Backup data in the DC is stored in the same location and encrypted using AES-256 bit algorithm. We store them in tar.gz format. All backed up data are retained for a period of three months. If a customer requests data recovery within the retention period, we will restore their data and provide secure access.. The timeline for data restoration depends on the size of the data and the complexity involved.
To ensure the safety of the backed-up data, we use a redundant array of independent disks (RAID) in the backup servers. All backups are scheduled and tracked regularly. In case of a failure, a re-run is initiated and is fixed immediately.
Wwe strongly recommend scheduling regular backups of your data by from the respective Slingr services and storing it locally in your infrastructure. This can be accomplished via download or API.
Disaster recovery and business continuity
Slingr stores application data on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.
We have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations such as support and infrastructure management.