Data Security and Compliance at Facilio
The Facilio Promise on Data Security
Security of Facilio customers' data is our primary concern. By sticking to our promise, we take protective measures that prevent unauthorized access to our databases, computers, and servers.
All information you store in Facilio remains yours, and we are committed to ensuring that your data is not accessed, shared with, or viewed by anyone without permission to do so.
What is Data Security and why is it important?
Data security, in essence, means protecting your digital data, such as data stored in databases and data centers, from accidental or intentional destruction or modification, from access by unauthorized users, and from data breaches. In today's world, where commercial buildings and large enterprises are managed through internet and cloud-based services, it is essential to understand where and how data is stored, how it moves across the network, and how it is used to provide a better operational experience.
How do we ensure your data remains safe?
Facilio as an organization is committed to the data security of all its customers by taking protective digital privacy measures that prevent unauthorized access to our databases, computers, and servers. The discretion to provide or not provide private information rests solely with our end users, and Facilio does not use any of the entered information anywhere else.
We do not collect any sensitive information such as credit card and other payment details anywhere on our website. None of the data that we collect from you is stored locally or modified in any way.
All Facilio services are hosted in Amazon Web Services (AWS) Cloud facilities and infrastructure, and no Facilio employee is authorised physical access to the AWS Cloud. To know more about AWS security features, please check here.
Cloud security is the highest priority for Amazon AWS services, and Facilio leverages the same standards by placing all our production databases and servers in AWS, thereby meeting core security and compliance requirements, which include data locality, protection, and confidentiality. These stringent measures provide significant protection against traditional security issues such as DoS attacks and data sniffing. On top of these measures, we have a web application security filter in place that prevents Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection and HTML Injection.
Our Compliances and Security Control Procedures
Logical Access Control and Host Security
Fundamentally, we have mandated two-factor authentication and secure keys for all Facilio employees even to log in to the AWS console, thereby preventing unauthorized logical access to, or a security breach of, the Facilio services hosted in AWS.
We have configured all services hosted on AWS to be accessible only from static office IP addresses, which prevents anyone outside Facilio premises from attempting to logically hack our databases or production servers.
Restriction over Administrative Operations
Within Facilio, we provide administrative privileges only to select employees for the AWS configurations, databases, servers, and services that are hosted on AWS. Additionally, role-based AWS access configuration ensures that any employee can gain operational access only to the extent of their authorization.
All administrative operations performed on the hosted services are documented, reviewed, and tested on staging before being applied to production. All administrative actions performed are also logged automatically.
Encryption keys, shared secrets and master encryption keys shall be accessible only to authorized system administrators.
Application Security, Backup and Monitoring
Facilio applications run on HTTPS, and we use industry-standard encryption for data traversing to and from our application servers.
Regular VAPT (vulnerability assessment and penetration testing) tests are conducted on the AWS services; the required steps are taken to mitigate the vulnerabilities found, and the services are updated with the latest service packs and required security patches.
Regular VAPT tests are conducted on the Facilio application; the vulnerabilities found are prioritized and prompt action is taken.
All sensitive fields in the testing and development databases are masked to prevent data leaks, and other sensitive information is stored in the database in encrypted form.
We host the Facilio file store, queue data and production SQL databases in AWS, which comply with the security standards described in the earlier sections, with need-based secured key management.
All request patterns to the production servers and databases are logged, which helps in quick detection of anomalies or attacks, if any.
All data in production databases is backed up every 24 hours, and a 7-day backup is maintained.
All operations on the AWS infrastructure are also monitored and tracked using AWS Guard.
All operations on the application are monitored for malicious activity or security incidents via an internal logging tool hosted in AWS.
All passwords of operating systems, applications, databases, network and security devices, etc. are stored in hashed format (i.e. one-way, so the original password cannot be recovered from the stored value).
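The statement above says passwords are stored as one-way hashes rather than in a recoverable form. The following is an added example, not Facilio's own code, of what that looks like in practice using only the Python standard library: a per-password random salt, an iterated key derivation (PBKDF2-HMAC-SHA256), a self-describing stored record, constant-time comparison at login, and a check that lets old records be upgraded when the work factor is raised. The algorithm label, iteration count, and record layout are this example's own assumptions.

```python
# Added example (not Facilio's code): one-way, salted, iterated password hashing.
# A stored record never contains the password itself; verification recomputes
# the hash from the candidate password and compares it to what was stored.
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # assumed label recorded with each hash
ITERATIONS = 600_000          # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16               # random salt per password defeats precomputed tables
DERIVED_LEN = 32              # bytes of derived key stored


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64."""
    salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_LEN
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def _parse_record(record: str):
    """Split a stored record into (algorithm, iterations, salt, hash); None if malformed."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        return algorithm, int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except ValueError:  # wrong field count, non-numeric iterations, or bad base64
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    parsed = _parse_record(record)
    if parsed is None:
        return False
    algorithm, iterations, salt, expected = parsed
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current policy; rehash after a successful login."""
    parsed = _parse_record(record)
    if parsed is None:
        return True
    algorithm, stored_iterations, _salt, _hash = parsed
    return algorithm != ALGORITHM or stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("wrong", record))
```

Two points worth noting: the salt and iteration count are stored alongside the hash so that verification never depends on configuration that might drift, and `needs_rehash` is what allows the work factor to be raised over time without forcing a password reset, since the plaintext is only available at login.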
Proprietary or nonstandard encryption algorithms are reviewed and approved by Facilio IT security.
Key management processes shall be established, and control procedures shall be implemented for:
Distributing, storing, archiving, changing, and updating keys.
Recovering, revoking, destroying, and dealing with compromised keys.
Logging all transactions associated with keys.
Disclosure
We are continuously working towards making our systems foolproof and achieving SOC 2 security compliance. Facilio will be obliged to inform its customers when there is a data breach or a security attack that causes an outage of the application. If you wish to report a security concern, please email security@facilio.com. Facilio will address security questions and issues with an expected response time of 2 working days.