Compliance
Introduction
At Tradeshift, our customers' data has been central to the design and operation of the Tradeshift Platform since its inception. We strongly believe that security is a top priority for our own success and for that of our customers.
This whitepaper describes some of the practices and processes we have in place to ensure that our mission of providing top-notch services is achieved and that our customers are satisfied.
Governance and Risk Assessment
Here at Tradeshift, code as policy is our approach to securing our systems and environment: wherever possible, controls are defined and enforced in code rather than by manual process. Although we aim to prevent all security incidents, we are aware that no system is 100% secure. That is why we have implemented a comprehensive governance program with a strong risk assessment process at its core, so that any issues that arise are correctly prioritized and remediated.
Access Control
We are advocates of defence in depth, so access control is enforced at multiple layers of our infrastructure. We are very careful about who has access to what, making sure that there is adequate segregation of duties within our departments and that access is granted on a need-to-know basis following a least-privilege model.
Secure Software Development Life Cycle
Our services are centred on the Tradeshift platform. That is why we make sure that the development of our products follows best practices throughout the entire life cycle. Our developers are trained in secure coding, and our source code is reviewed and scanned for security issues both before and after it is released to production.
Data Classification and Data Security
As mentioned above, our customers' data is our oil and we value its security. That is why everything we store or process is classified as sensitive, and we make sure that the highest level of security is enforced across our systems and infrastructure.
Physical Security
Our platform is a SaaS solution running entirely on our cloud providers' physical infrastructure, which we carefully selected for its ability to provide uninterrupted uptime and the strictest security within its data centres. The cloud provider is certified against globally recognised standards such as ISO 27001 and SOC 1 and SOC 2, following best practices that reinforce our dedication to the security of our customers' data.
Configuration and Patch Management
Because our platform is highly scalable and configurable, we need to make sure that unintended configuration changes are not possible and that operational and security patches are applied correctly and in a timely manner. That is why we automate these processes as much as possible, in order to prevent human error and enforce timely updates. We periodically scan for out-of-date software and libraries, as well as for misconfigurations within our environment.
Vulnerability Management and Incident Response
Here at Tradeshift, we keep security in mind in our day-to-day activities and take a proactive approach to preventing incidents. However, given the rapid pace of technological change, we are aware that vulnerabilities remain a concern for everyone, especially when they can be exploited by malicious actors seeking profit or intending to do harm. We regularly perform vulnerability scanning and penetration tests to identify weaknesses in our products and remediate them as soon as possible. We have also defined a comprehensive incident response plan in order to identify, contain, eradicate and recover from any incident that could affect our operations or compromise our customers' data. We perform regular mock incident exercises to assess our ability to respond and to improve our capabilities for dealing with unwanted scenarios.
Monitoring and Logging
One of the key aspects of identifying unintended and malicious activity is having proper monitoring and logging in place. We are fully aware that threats can originate both outside and inside our network and environment. In order to detect suspicious activity in a timely manner, we have implemented monitoring processes for our network and we log user activity within our systems. We periodically review our logs for suspicious activity and triage events in order to filter out false positives and escalate appropriately.
Data Backup & Restore
No company is safe from operational incidents or malicious activity such as ransomware attacks. As mentioned, our customers' data is our oil and we protect it against theft and alteration. We perform full and incremental backups on a daily basis and also carry out restoration tests to evaluate our ability to restore data.
Business Continuity & Disaster Recovery
With our operations spread across the globe, it is important that our platform remains operational for all our customers, with minimal or no downtime. This is why business continuity must be ensured and why we have processes in place to restore normal activity in case of business disruption. We have defined a business continuity and disaster recovery plan that clearly describes the steps we take when facing any disruption. At least annually, we test our capabilities and our time to respond to disruptive incidents, making sure we cover a diverse set of scenarios relevant to our business model.
Awareness and Training
Although we automate our security controls as much as possible, we are aware that our people are the most important defence. We work to improve our security culture through employee security training, both during onboarding and on an annual basis. Our training is tailored to each employee's role, making sure that everyone is prepared to identify and respond appropriately to any event that may compromise Tradeshift information security.
Compliance Management
We are aware that words alone cannot demonstrate the high standards our platform and employees adhere to with regard to security. Our rigorous and ever-expanding compliance program includes third-party audits that enable us to provide our customers with reports validating the security of the platform against standards such as SOC 1 Type II, SOC 2 Type II, ISAE 3402 Type II, PCI DSS Level 1 and ISO 27001.