NETSTOCK, the company, is the provider of both the NETSTOCK and Sage Inventory Advisor Apps. References to NETSTOCK in the section below are references to NETSTOCK the company.
NETSTOCK’s customers enjoy the following security:
1. Transit security
All data transferred from the on-premise ERP system to our Comms servers is first compressed, then sent over the Secure FTP (SFTP) protocol, which encrypts the data in transit using session keys and symmetric encryption. The software on the ERP system is authenticated by the Comms server using the customer’s unique public key; the corresponding private key is never shared.
The same process then happens to forward the information from the Comms server to the appropriate cloud App server.
For more information about data transmission, see the ERP Connector guide.
2. Data centre security
NETSTOCK only makes use of secure, reputable hosting providers. We only make use of data centres with the following minimum security features:
Digital security camera system monitors all entries, hallways, and all areas of the lobby and colocation cabinet areas.
Entry to the colocation areas requires an access card key.
Redundant industrial HVAC units (air conditioners) environmentally control the air temperature and relative humidity in the Colocation Facilities. Cabinets are arranged in alternating hot and cold aisles, with cold air flowing from overhead ducts into the cold aisles, flowing through the cabinets, and exhausting into the warm aisles.
Power, PDUs and Conditioning
Clean, conditioned power is delivered through Power Distribution Units (at least one for each row of cabinets). Each cabinet is individually breakered, so even if one customer has a power issue, other cabinets should not be affected.
Uninterruptible Power Supplies
PDUs are connected to Uninterruptible Power Supplies, which have enough battery power to keep systems running until the generator starts delivering power. All systems undergo regular preventative maintenance.
Power Generators and Fuel
Multiple generators automatically start when outside power is lost, and begin delivering full electric power to the facility within seconds. There should be enough fuel on hand for several days of generator operation at full load, and contracts with local fuel suppliers to promptly replenish when necessary.
NETSTOCK makes use of two data centre providers:
Our customers’ data are hosted at the following data centres:
Linode – Newark, NJ
Linode – Fremont, CA
Linode – Atlanta, GA
Linode – Dallas, TX
Africa and Europe
Linode – London, UK
Hetzner – Nuremberg, DE
Hetzner – Falkenstein, DE
Australia and New Zealand
Linode – Tokyo, JP
Hetzner – Nuremberg, DE
Hetzner – Falkenstein, DE
3. Storage security
Our servers are all behind firewalls with strict rules in place.
Back-end logins to our servers are only possible with RSA keys, never with passwords. This means that a NETSTOCK staff member’s access to our back-end servers can be revoked at any time.
Our servers are protected from brute-force attacks by automatically banning, for an hour, any source that makes 3 failed login attempts. This happens at the firewall level.
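As an added illustration of the rule above (example code, not NETSTOCK’s firewall configuration), the function below applies the “3 failures, then a one-hour ban” policy to constructed sshd log lines. The page does not say over what period the 3 failures are counted, so a 10-minute counting window is assumed here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd log lines for the demonstration (not real NETSTOCK logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
2024-03-01T10:00:05 sshd[102]: Failed password for root from 203.0.113.7 port 4412 ssh2
2024-03-01T10:00:09 sshd[103]: Failed password for root from 203.0.113.7 port 4413 ssh2
2024-03-01T10:00:12 sshd[104]: Accepted publickey for deploy from 198.51.100.20 port 5001 ssh2
2024-03-01T10:00:20 sshd[105]: Failed password for root from 198.51.100.20 port 5002 ssh2
2024-03-01T10:00:30 sshd[106]: Failed password for root from 203.0.113.7 port 4414 ssh2
2024-03-01T11:05:00 sshd[107]: Failed password for root from 203.0.113.7 port 4415 ssh2
"""

FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

MAX_FAILURES = 3                      # threshold stated on the page
BAN_DURATION = timedelta(hours=1)     # ban length stated on the page
FIND_WINDOW = timedelta(minutes=10)   # assumption: window in which the failures are counted


def plan_bans(log_text, max_failures=MAX_FAILURES,
              ban_duration=BAN_DURATION, find_window=FIND_WINDOW):
    """Return a list of (source_ip, ban_start, ban_end) in log order.

    Attempts that arrive while a source is already banned are skipped, since the
    firewall would have dropped them before sshd ever logged a failure.
    """
    recent = {}        # source_ip -> timestamps of failures inside find_window
    banned_until = {}  # source_ip -> end of the active ban
    bans = []
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if not match:
            continue  # successful logins and unrelated lines do not count
        ts = datetime.fromisoformat(match.group(1))
        ip = match.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= find_window]
        hits.append(ts)
        if len(hits) >= max_failures:
            banned_until[ip] = ts + ban_duration
            bans.append((ip, ts, ts + ban_duration))
            hits = []  # counter resets once the ban is issued
        recent[ip] = hits
    return bans
```

Running `plan_bans(SAMPLE_LOG)` bans 203.0.113.7 at its third failure and ignores the single failure from 198.51.100.20; the failure at 11:05 falls after the ban expired and starts a fresh count.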
All the OS and application software are patched weekly for any security vulnerabilities.
4. Data isolation
Every customer’s data is completely isolated from every other customer’s data by storing it in a separate database.
Similarly, every customer accesses the NETSTOCK service using a unique URL for that customer. A user’s login credentials can never work on another customer’s instance of NETSTOCK.
All data on all servers are backed up every 24 hours. Full backups are retained for 14 days. Any customer’s data can be restored, and depending on the size of the customer’s data the restore will take up to 4 hours to complete.
In case of a catastrophic server failure, new VPSes are spun up and customer data is restored. The longest a customer will be without a working NETSTOCK system is 48 hours; typically it is less than 8 hours.
Backups are stored in a geographically separate data centre, so that a disaster at one data centre does not affect both the operational servers and the backup servers.
As NETSTOCK is not a mission-critical system, we do not offer automatic fail-over to stand-by servers. This also keeps the monthly cost down for our customers.
Backups are stored and transmitted encrypted.
All access to a customer’s instance of NETSTOCK goes over HTTPS, using secure TLS versions. Our SSL/TLS certificates are signed by trusted CAs. All requests to our web app are protected against Cross-Site Request Forgery (CSRF).
This means that man-in-the-middle attacks are exceedingly difficult to perform. No one can read our customers’ information while it is in transit to and from our web servers.
7. Account security
A password strength checker is used in the App to ensure that weak passwords cannot be chosen when creating or resetting passwords.
Passwords are stored hashed and salted using a cryptographically secure algorithm. This means that even if the password hashes are obtained, they cannot be used to log into NETSTOCK.
Accounts are locked out after a defined number of unsuccessful attempts to mitigate brute-force attacks. The Customer’s administrator may choose to receive alerts for failed login attempts on the Customer’s user accounts, so that these events can be reviewed to determine whether the login failure was due to legitimate use or a malicious attempt to log in to the App.
All sessions are automatically logged out after a period of non-use, helping to guard against unauthorised usage of a logged-in system.
Access to support applications that may contain Personal Data or Account data is carefully managed. Our employees are required to manage their credentials using the enterprise password manager that we have provided for this purpose. The password manager not only securely stores credentials, but also generates secure passwords of sufficient complexity and length, and ensures that passwords are not reused across platforms.
8. Security awareness training
Our employees receive regular security awareness training ensuring that they are taught how to work safely online, how to keep their devices safe, how to recognise and avoid information security threats and how to comply with our internal security policies, designed to keep your information safe.
Our employees are also trained to identify security incidents and how to report them in an attempt to reduce the impact and severity thereof.
9. Data retention
In the case that a customer cancels their NETSTOCK subscription, we retain an archive of the customer’s data for three months. This allows for an easier reinstatement of the service, if requested. After three months the data will be deleted forever, even from our backup servers. A full dump of a customer’s data is available upon request within the three-month period.
10. Risk management
We follow a risk-based approach to security, ensuring the ongoing identification, assessment and mitigation of risks to the organisation’s information assets, in order to reduce the probability and impact of their occurrence.
11. Incident response
We have developed incident response capability, including formal policies, procedures and training for our employees to ensure that we are able to detect incidents rapidly, minimise loss and destruction, mitigate weaknesses that have been exploited, and restore services in reasonable time frames. The intention is to reduce the probability and impact of incidents that have the potential to occur or have already occurred.
12. Security monitoring and threat prevention
We have implemented security monitoring tools, some of which also have the capability to respond to and stop attacks. These tools include but are not limited to intrusion detection and prevention, behaviour analysis, malware detection, network firewalls and a web application firewall. This ensures early detection of malicious activity and contributes to our response capability.
Full logging is implemented for all systems.
13. Web development security
The security of our code is very important to us. We have subjected our code to an external code audit, as well as internal risk assessment based on OWASP and have also carried out web application vulnerability scanning using numerous tools designed to identify web application threats.
14. Data confidentiality
All NETSTOCK employees sign non-disclosure clauses as part of their employment contract, ensuring that they agree to the legal obligation to retain the confidentiality of all customer data. Employees also receive training to educate them regarding data confidentiality requirements and practices.