Security @ Zenoti
Last updated: 15-Aug-2021, Version: Q3-2021
Zenoti is committed to protecting its own information and that of its customers. This is vital to the success of our business, and customers across the globe trust us with the security of their data. This page describes our security measures.
Our Information Security Strategy involves the following components:
- Information Security Governance
- Human Resources Security
- Cloud Security
- IT Security
- Incident Management
- Vulnerability Management
- Product Security
- Physical Security
- Business Continuity & Disaster recovery
Information Security Governance
- A well-established Information Security Program.
- Well-established security policies and procedures.
- Well-defined security roles and responsibilities.
- Active participation from Zenoti's leadership team.
- A dedicated team of security and privacy professionals.
- Security audits are performed to monitor compliance with security requirements.
- Security newsletters are shared on a periodic basis.
Human Resources Security
- Background Verification (BGV) is performed.
- Upon joining Zenoti, employees are required to sign a Non-Disclosure Agreement and other documents that include mandatory security clauses.
- All employees are required to complete training on security and privacy requirements.
Cloud Security
- The Zenoti platform is hosted in AWS and designed as a multi-tenant architecture.
- Data at rest is encrypted.
- Data in transit is encrypted.
- DDoS protection is enabled.
- API throttling is enabled.
- All cloud systems are protected by antivirus.
- Threat detection is enabled.
- All instances run inside an AWS VPC (Virtual Private Cloud).
- Single Sign-On (SSO) is implemented.
- Servers are hardened against CIS Benchmark standards.
- Industry-standard tools are used for periodic security assessments.
- Data masking is applied to sensitive data.
- Systems run from multiple AWS Availability Zones.
- Stateless server farms scale on demand.
- Zenoti sites are hosted to tolerate both hardware failures and Availability Zone failures.
Backup and Recovery
- Snapshots of all critical servers are taken at regular intervals.
- Database: Zenoti uses a combination of always-on configuration, full backups, incremental backups and image snapshots to recover from failures.
- Database backups are encrypted using native encryption.
- All backups are stored in encrypted storage.
- Periodic restoration checks are performed.
Logging & Monitoring
- Industry-standard tools are used for logging, monitoring, analysis and incident management.
- The site is continuously monitored for uptime.
- Event logs, application logs, infrastructure logs and audit logs are enabled.
- Site Reliability Engineering team monitors the operations 24/7/365.
IT Security
- By default, administrative access is not granted, and guest accounts are disabled.
- By default, USB ports are blocked on all endpoints.
- All endpoints have antivirus installed and kept current with the latest updates.
- All endpoints are encrypted.
- Endpoint Detection and Response (EDR) is enabled.
- A Network Intrusion Prevention System (NIPS) is implemented.
- URL filtering is enabled.
- Data Loss Prevention (DLP) is configured to monitor the sharing of critical information.
- E-mail is scanned at the gateway to block malicious software before it reaches users.
- Remote access is provided through a VPN (Remote Access Service) with MFA enabled.
Backup & Recovery
- Internal IT servers are backed up on a regular basis.
- Periodic restoration checks are performed.
- Redundant Internet Service Providers (ISPs) are in place.
- Automatic failover and fallback are enabled across the ISPs.
- A High Availability (HA) firewall system is established.
- In addition to the primary Domain Controller (DC), additional DCs are maintained in the cloud and in another region.
Logging & Monitoring
- A central log server collects server logs, network and security device logs, AV logs and admin user logs.
- Logs are monitored continuously and acted on as required.
- All Internet connections are monitored for availability.
Incident Management
- A Security Incident Management System is established.
- Security incidents are logged and tracked to closure.
- Security incidents can be reported by Zenoti employees, customers and vendors by e-mail to a dedicated security ID.
Vulnerability Management
- A Vulnerability Management Program is in place.
- Vulnerability assessments are conducted periodically on the infrastructure, and any findings are tracked to closure.
- Penetration testing is conducted on a periodic basis, and any findings are tracked to closure.
- Static code testing: static checks covering code style, security (including the OWASP Top 10), error-prone constructs, performance, compatibility and unused code are run before code check-in.
- Application security testing is performed. The guidelines followed include the OWASP Top 10, CWE/SANS Top 25, PCI DSS penetration testing guidelines and other industry best practices as applicable.
Product Security
- A source control system is in place for the code repository.
- Developer code is reviewed before being committed.
- All changes are tested thoroughly by the Quality Assurance team.
- The Zenoti platform provides roles and permissions so that each user's access is limited to what their role requires.
- Extensive product logging is available in the Zenoti product to meet compliance requirements.
Physical Security
- Physical access to Zenoti premises and server rooms is controlled at the entry and exit doors by a proximity-based access control system.
- Zenoti premises and server rooms are continuously monitored by CCTV cameras.
- Protective devices and preventive measures are in place against environmental hazards, including but not limited to fire, power outages and power fluctuations.
Business Continuity & Disaster recovery
- BCP (Business Continuity Planning) scenarios are identified as part of the Business Impact Analysis.
- BCP scenarios are tested on a periodic basis as part of disaster recovery readiness.