LAST UPDATED: OCT 28 2022
At Cinode, our Customers and Users’ trust in placing corporate and personal data with related information security is our most fundamental capital.
We are entrusted with many customers processing sensitive data and constantly monitor the evolution of best practices and refine our processes and tech stack in this area.
Our core business is to provide accurate and timely Skills Management services, with high availability and security.
On behalf of our customers, Cinode collects and processes Skills Management data at an aggregated level from the data entry of their users either through our app or our API. Cinode stores copies of the data (in AWS EU availability regions) to provide the services included in our platform.
Cinode customers always retain full ownership of the Skills Management data collected by Cinode on behalf of the customers. Collected data will be completely and permanently deleted from the Cinode systems on request, or after the termination of a subscription. The data collected by Cinode is stored only for processing purposes.
Skills management data is collected by Cinode from users either by the app user interface or our API. Optionally data is transmitted and stored by Cinode from eg email & calendar providers. All network connections used to collect, view, or transfer reporting data are encrypted using TLS. All data is encrypted at rest.
Cinode will back up all customer configuration and business data every 15 minutes. Backups are stored in AWS S3 in geographically separate locations.
6.1 PHYSICAL INFRASTRUCTURE
The physical infrastructure for Cinode is provided by AWS and all services are hosted in the EU Frankfurt Region. All services are deployed redundantly at standby in multiple physical data centers (availability zones). Configuration of all infrastructure services are fully automated and version controlled, and in case of a disaster can be rebuilt automatically in a different AWS region within 48 hours.
6.2 CHANGE MANAGEMENT
All software changes go through a change management process including peer review and automated testing.
6.3 APPLICATION MONITORING
The Cinode systems are continuously monitored for errors and unexpected events using centralized logging, alerts, and anomaly detection within Amazon AWS. External uptime monitoring is provided by Pingdom. All configuration changes and important application events are logged and archived to AWS S3 to allow for monitoring and audits.
6.4 NETWORKING SERVICES
Cinode operates in a Virtual Private Cloud and network services are protected by AWS DDoS protection, firewalls, and load balancers. Internally Cinode operates a zero-trust network with no additional privileges allowed to Cinode office networks or computers. Customer data is stored on a private AWS network and is not publicly exposed.
6.5 SECURITY MONITORING
Cinode deploys services that give a comprehensive view of the security state in the infrastructure and checks against security industry standards and best practices.
7.1 INFORMATION CLASSIFICATION
All Cinode information is classified and handled according to the Cinode classification and handling policy
7.2 HUMAN RESOURCE SECURITY
Processes for both on- and off-boarding are in place. All Cinode employees are subject to background checks and are required to sign a confidentiality agreement before starting employment.
All Cinode employees get training in information security during their employment. When employment ends, the off-boarding process is activated and all equipment and other relevant assets are returned, accounts are terminated.
7.3 PASSWORDS AND ACCESSES
Access to Cinode systems is restricted to only authorized users or processes, based on the principle of the strict need to know and least privilege.
All Cinode employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers. All passwords are treated as sensitive, confidential Cinode information. 2-factor authentication is used whenever possible.
Cinode performs external security audits and penetrations tests annually and commits to resolving any identified issues with the highest priority.
9.1 ISO/IEC 27001 – INFORMATION SECURITY MANAGEMENT
Cinode has received MSECB Management System Certificate in accordance with the management system requirements in ISO/IEC 27001:2013.
The certification scope is: “The data processed in the Cinode SaaS service as well as related processes dealing with maintaining, developing and supporting the Cinode SaaS Service, in accordance with the Statement of Applicability (SoA), Ver. 1.1 dated 2022-04-29”
9.2 GDPR – GENERAL DATA PROTECTION REGULATION
Cinode is compliant with the requirements of the European Data Protection Regulation, GDPR.