Security and compliance
Security measures are continually being developed to reduce the risk of fraud in electronic documents.
Introduction
Cention is an expanding multinational company. We embrace the importance of data security and privacy and welcome regulations such as GDPR and other local laws/directives regarding data security. In order to make our position clear to our partners/suppliers, our own staff, as well as our customers and any other parties, we here publish relevant information and documentation related to this. It is a non-negotiable requirement from our side that all our partners, suppliers and their subcontractors, without exception, follow the information given here.
Legal Requirements
Our general rule is that all our partners/suppliers must, in all their activities, follow the national laws in the countries where they are operating. Should any of the following requirements by Cention be in violation of the national law in any country or territory, the law should always be followed. In such a case, the supplier must always inform Cention immediately upon receiving this information. It is however important to understand that Cention’s requirements may not be limited to the requirements of the national law.
Relevant Documents
Privacy Policy
This Privacy Policy is designed to help you to understand what personal data we collect about you and how we use and share it.
Security Policy
Describes the organizational and technical measures Cention implements platform-wide.
Data Processor Addendum
This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Cention under the Agreement.
Amazon Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the AWS Customer Agreement available at http://aws.amazon.com/agreement.
Privacy by design – personal data protection
We follow regulations thoroughly; hence Cention will make sure to comply from a technical perspective.
Cention-cloud-security
Cention takes security and availability very seriously and strives to always provide our service with high security standards.
Data Processor Addendum - Europe
The Data Processing Addendum located at https://www.cention.com/dpa is hereby incorporated by reference.
Product Security
SSO & 2FA
OAuth2 allows you to authenticate users in your own systems without requiring them to enter additional login credentials. If you’re using password-based authentication, we encourage you to turn on 2-factor authentication (2FA).
Permissions
We enable permission levels within the system to be set for your teammates. Permissions can be set to include administration settings, user data and/or the ability to send or edit messages.
Password and Credential Storage
Cention enforces a password complexity standard and credentials are stored using a SHA256 function.
Uptime
We have uptime of 99.9% or higher. You can check our status here: https://healthd.cention.com
Customer Best Practices
There are simple steps you can take to increase the security of your app. Ask our Customer Success for tips and tricks.
Network And Application Security
Regional Data Hosting and Storage
Cention services and data are hosted in Amazon Web Services (AWS) facilities in the USA for US customers, Sweden & Ireland for EU customers and Singapore & Australia for APAC customers.
Failover and DR
Cention was built with disaster recovery in mind. All of our infrastructure and data are spread across 2 AWS availability zones and will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.
Back Ups and Monitoring
On an application level, we produce audit logs for all activity, ship logs to central logging for analysis and use S3 for archival purposes. All actions taken on production consoles or in the Cention application are logged.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. Cention is served 100% over HTTPS. Cention runs a zero-trust corporate network: there are no corporate resources or additional privileges from being on Cention’s network. We have Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on GitHub, Google, AWS, and Cention to ensure access to cloud services is protected.
Encryption
All data sent to or from Cention is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs’ tests. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
Pentests, Vulnerability Scanning and Bug Bounty Program
Cention uses third-party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to issues raised. Once yearly we engage third-party security experts to perform detailed penetration tests on the Cention application and infrastructure. Cention also runs a ‘bug bounty’ program with Openbugbounty, which gives security researchers a platform for testing and submitting vulnerability reports.
Incident Response
Cention implements a protocol for handling security events which includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies.
Additional Security Features
Training
All employees complete Security and Awareness training during onboarding and thereafter annually.
Policies
Cention has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Employee Vetting
Cention performs background checks on all new employees in accordance with local laws. The background check includes employment verification for all employees and criminal checks for key personnel.
Confidentiality
All employee contracts include a confidentiality agreement.
PCI Compliance
All payments made to Cention go through payment partners, but Cention’s platform has tools for PCI compliance.
Contact Information
email: legal@cention.com
Data Protection Officer Cention Group:
Mr Henrik Eriksson
email: legal@cention.com