Security

At the core of our operations lies a strong commitment to security. We prioritize assisting our customers in enhancing their security and compliance stance, which begins with our own stringent measures.

Governance

The Security and Privacy teams at SoftPoint establish robust policies and controls, diligently monitor adherence to these controls, and provide evidence of our security and compliance to auditors from third-party entities.

Our policies are rooted in the following fundamental principles:

01. SoftPoint adheres to a strict access control policy that ensures access is granted solely to individuals with a valid business requirement, following the principle of least privilege.

02. We follow a comprehensive security approach based on the principle of defense-in-depth, which entails the implementation and layering of multiple security controls.

03. We maintain a consistent application of security controls across all areas of the enterprise, ensuring a uniform and comprehensive approach to security.

04. The implementation of controls at SoftPoint is an iterative process, continuously evolving to enhance effectiveness, increase auditability, and minimize friction across all dimensions.

Security and Compliance

SoftPoint is in the process of obtaining SOC-2 Type II
SOC-2 Monitored by Vanta

SoftPoint maintains compliance with

Data protection

Securing Data at Rest

At SoftPoint, all datastores containing customer data, including Azure Storage, are encrypted at rest to ensure heightened security. In addition, sensitive collections and tables employ row-level encryption.

This robust encryption approach ensures that data is encrypted prior to database storage, rendering both physical and logical access insufficient for accessing the most sensitive information.

Protecting Data in Transit

SoftPoint utilizes TLS 1.2 or higher for all data transmissions across potentially insecure networks to ensure robust security. We further employ features like HSTS (HTTP Strict Transport Security) to enhance the protection of our data during transit. The management of server TLS keys and certificates is entrusted to Azure, and they are deployed through Application Load Balancers.

Secret Management

SoftPoint leverages the robust security features of Microsoft Azure to ensure the protection of your sensitive data. Our encryption keys are managed according to best practices and stored securely within Azure’s Key Vault, ensuring a separation of roles and restricted access. Meanwhile, Azure seamlessly handles internal secret keys, guaranteeing the encryption, storage, and protection of data, passwords, and databases. Access to these encrypted values is strictly controlled and limited to authorized individuals.

Product Security

Penetration Testing

At SoftPoint, we are dedicated to upholding the highest standards of security. As part of our commitment, we conduct thorough annual penetration testing. This proactive approach allows us to meticulously evaluate our systems for vulnerabilities, ensuring that any potential weaknesses are promptly identified and addressed. 

These assessments cover all aspects of the Flowis product and cloud infrastructure, with testers having full access to the source code. This comprehensive approach maximizes effectiveness and coverage.

We will provide summarized penetration test reports through our Trust Report, offering transparency and insights into our security practices, upon its acquisition.

Vulnerability Scanning

SoftPoint mandates vulnerability scanning at critical stages of our Secure Development Lifecycle (SDLC):

Static analysis (SAST) testing of code during pull requests and on an ongoing basis.

Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.

Malicious dependency scanning to prevent the introduction of malware into our software supply chain.

Dynamic analysis (DAST) of running applications.

Network vulnerability scanning on a periodic basis.

External attack surface management (EASM) continuously running to discover new external-facing assets.

Enterprise security

Endpoint Protection

SoftPoint ensures that all corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. We maintain 24/7/365 monitoring of endpoint security alerts. Our use of MDM software enforces secure configurations on endpoints, including disk encryption, screen lock configuration, and software updates.

Secure Remote Access

SoftPoint ensures secure remote access to internal resources by utilizing a VPN tunnel. All internal resources are minimized to development purposes only, and SoftPoint runs its production environment and customer data on the secured Microsoft Azure cloud.

Security Education

SoftPoint prioritizes comprehensive security training for all employees during onboarding and annually through educational modules available on the SoftPoint platform. New employees are required to attend a live onboarding session focusing on key security principles, while new engineers receive a mandatory session on secure coding principles and practices. Our security team shares regular threat briefings to keep employees informed about important security updates and actions that require attention.

Identity and Access Management

SoftPoint relies on Office365 for secure identity and access management. We enforce the use of phishing-resistant authentication factors, primarily utilizing 2FA. Application access is granted based on employee roles and automatically revoked upon termination. Additional access requires approval according to specific application policies.

Vendor Security

SoftPoint employs a risk-based approach to vendor security. Factors such as access to customer and corporate data, integration with production environments, and potential impact on the SoftPoint brand influence the inherent risk rating of a vendor. Once the inherent risk rating is determined, we evaluate the vendor’s security to establish a residual risk rating and make an informed approval decision.

Data Privacy

At SoftPoint, data privacy is a top priority. We are dedicated to being trustworthy stewards of all sensitive data, ensuring its protection and privacy.

Privacy Shield

SoftPoint values privacy by design.

Regulatory Compliance

SoftPoint constantly evaluates regulatory and emerging frameworks to evolve our program.

Terms and Conditions

View SoftPoint’s Terms and Conditions 

Need to Report a Security Concern?

Please contact us at SoftPoint’s Contact Page.