Cinode Information Security Overview

Information Security Overview

LAST UPDATED: MAY 3 2021

1. INTRODUCTION

At Cinode, our Customers and Users’ trust in placing corporate and personal data with related information security is our most fundamental capital.

We are entrusted with many customers processing sensitive data and constantly monitor the evolution of best practices and refine our processes and tech stack in this area.

Our core business is to provide accurate and timely Skills Management services, with high availability and security.

2. SCOPE OF CINODE SERVICES

On behalf of our customers, Cinode collects and processes Skills Management data at an aggregated level from the data entry of their users either through our app or our API. Cinode stores copies of the data (in Amazon AWS EU availability regions) to provide the services included in our platform.

3. DATA OWNERSHIP

Cinode customers always retain full ownership of the Skills Management data collected by Cinode on behalf of the customers. Collected data will be completely and permanently deleted from the Cinode systems on request, or after the termination of a subscription. The data collected by Cinode is stored only for processing purposes.

4. DATA COLLECTION, TRANSFER, AND ENCRYPTION

Skills management data is collected by Cinode from users either by the app user interface or our API. Optionally data is transmitted and stored by Cinode from eg email & calendar providers. All network connections used to collect, view, or transfer reporting data are encrypted using TLS. All data is encrypted at rest.

5. BACKUP AND ARCHIVING

Cinode will back up all customer configuration and business data every 15 minutes. Backups are stored in AWS S3 in geographically separate locations.

6 INFRASTRUCTURE AND SOFTWARE

6.1 PHYSICAL INFRASTRUCTURE
The physical infrastructure for Cinode is provided by Amazon AWS and all services are hosted in the EU Frankfurt Region. All services are deployed redundantly at standby in multiple physical data centers (availability zones). Configuration of all infrastructure services are fully automated and version controlled, and in case of a disaster can be rebuilt automatically in a different AWS region within 48 hours.

6.2 Change MANAGEMENT
All software changes go through a change management process including peer review and automated testing.

6.3 Application MONITORING
The Cinode systems are continuously monitored for errors and unexpected events using centralized logging, alerts, and anomaly detection within Amazon AWS. External uptime monitoring is provided by Pingdom. All configuration changes and important application events are logged and archived to AWS S3 to allow for monitoring and audits.

6.4 NETWORKING SERVICES
Cinode operates in a Virtual Private Cloud and network services are protected by AWS DDoS protection, firewalls, and load balancers. Internally Cinode operates a zero-trust network with no additional privileges allowed to Cinode office networks or computers.

7. INFORMATION HANDLING

7.1 INFORMATION CLASSIFICATION
All Cinode information is classified and handled according to the Cinode classification and handling policy

7.2 HUMAN RESOURCE SECURITY
Processes for both on- and off-boarding are in place. All Cinode employees are subject to background checks and are required to sign a confidentiality agreement before starting employment.

All Cinode employees get training in information security during their employment. When employment ends, the off-boarding process is activated and all equipment and other relevant assets are returned, accounts are terminated.

7.3 PASSWORDS AND ACCESSES
Access to Cinode systems is restricted to only authorized users or processes, based on the principle of the strict need to know and least privilege.

All Cinode employees must use a separate, unique password for each of their work-related accounts. Passwords must not be shared with anyone, including managers and coworkers. All passwords are treated as sensitive, confidential Cinode information. 2-factor authentication is used whenever possible.

8. SECURITY AUDITS

Cinode performs external security audits annually and commits to resolving any identified issues with the highest priority.

9. COMPLIANCE AND CERTIFICATIONS

9.1 ISO/IEC 27001 – INFORMATION SECURITY MANAGEMENT
Cinode has implemented vital parts of the ISO27001 Information Security Standard and is opting at certification under relevant standards adopted by SaaS providers of our category.

9.2 GDPR – GENERAL DATA PROTECTION REGULATION
Cinode is compliant with the requirements of the European Data Protection Regulation, GDPR.