Security and Risk Management
Document Scope and Use
The information and data in this document (including any related communications) are not intended to create a binding or contractual obligation between Axero and any parties, or to amend, alter or revise any existing agreements between the parties.
We believe in being open and clear about how we handle security and risk management. In the spirit of transparency, this document provides detailed information about Axero’s infrastructure and the measures we take to safeguard our customers’ data.
- Cloud Infrastructure – Amazon AWS hosting environment facility is SSAE 16 (SOC 1, SOC 2 Type II) and ISO 27001 compliant. SOC reports can be delivered upon request.
- Access Security – DUO Security for MFA authentication for all internal access to the environment. Access to production is limited to select Axero team members.
- Data Encryption – All data is encrypted at rest using AES-256 and AES-256 FIPS 140-2 Level 3.
- Encrypted Connections – All connections are secured via SSL/TLS 1.2.
- Vulnerability and Penetration Scans – Ongoing third-party network vulnerability scans and penetration tests (PenTestTools.com, Qualys), intrusion detection monitoring (Amazon GuardDuty), network monitoring (Amazon CloudWatch), and compliance auditing (AWS CloudTrail). Test results can be delivered upon request.
- Backups – Complete data backups with off-site storage to AWS S3 using AWS Snapshot. Cloud servers: AMI Backup, daily point-in-time snapshots, 3-month retention. Cloud database servers: daily full backups, 6-hour incremental backups, 6-hour transaction log backups, 3-month retention. A data recovery drill is planned and executed once a year by the managed services team.
- Disaster Recovery – Disaster recovery services so your critical data stays safe, even when disaster strikes. Detailed information on the Axero Disaster Recovery Program can be delivered upon request.
- HIPAA – The hosting environment complies with HIPAA standards. In the event a customer needs HIPAA compliance, Axero will execute a Business Associates Agreement (BAA) to become joint custodians of personal health information (PHI).
- GDPR Compliance – EU customers can opt to host their Communifire intranet in our AWS EU servers for GDPR compliance, with a Data Processing Addendum to our license agreement that incorporates model clauses.
- Fault Tolerance – Amazon AWS Network Load Balancer is in place for all production servers to handle peak load situations. Every customer site is monitored separately for software failover on a per-incident basis. Hardware and/or network failover is covered by the Axero Disaster Recovery Program.
1) Our Company and Product
Axero Holdings LLC and its subsidiaries (collectively, “Axero” or “we” or “us” or “our”) is a leading provider of Intranet Software and Collaboration Solutions. Since 2008, Axero has been on a mission to enable companies to connect their employees and improve collaboration, knowledge sharing, and communication throughout their organization.
Axero’s product, Communifire, is offered as a Software-as-a-Service (SaaS) product or a Self-Hosted product. These solutions are available to customers through purpose-built web applications, application programming interfaces, installable desktop software, and mobile web and native app software.
2) Axero Security and Risk Governance
Axero’s primary security focus is to safeguard our customers’ data. For this reason, Axero has invested in the appropriate resources and controls to protect and service our customers. This investment includes the implementation of the Security and Risk Team, which is responsible for Axero’s comprehensive security and risk management program and the governance process. The security team is focused on defining new and refining existing controls, implementing and managing the Axero security and risk framework, and providing a support structure to facilitate effective risk management. Our President and CIO manages the Security and Risk Team.
3) Our Security and Risk Objectives
We have developed our security framework using best practices in the SaaS and Software industry. Our key security and risk objectives include:
- Customer Trust and Protection – To consistently deliver superior products and services to our customers while protecting the privacy and confidentiality of their information.
- Availability and Continuity of Service – To ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
- Information and Service Integrity – To ensure that the customer information is never damaged, corrupted or changed in any inappropriate way.
- Compliance with Standards – To implement processes and controls to align with current international regulatory and industry best practice guidance.
4) Axero Security Controls
In order to support our business and ensure that we are enforcing reasonable practices to protect our corporate and customer data, the following series of security controls have been put in place. The controls are designed to allow for a high level of employee efficiency without artificial roadblocks while minimizing risk for our customers. A subset of these controls is described below.
4.1 Customer Data Management on the Communifire Service
Communifire is a comprehensive set of collaboration, communication and content management platforms. The information collected in our products consists of customer data and information. Per the Axero Terms and Conditions and/or Software License Agreement, it is the responsibility of our customers to ensure that only appropriate non-sensitive information is being captured. We recommend that our customers refrain from collecting or capturing sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information.
4.1.1 Data Transmission and Encryption
Customer interactions with the Axero product suite are encrypted in transit with Secure Sockets Layer (SSL) technology using industry-standard encryption techniques with a 2,048 bit key. At rest, customer login information, such as passwords, is never stored on the server but validated using industry-standard password hashing mechanisms with a unique encryption salt.
4.1.2 Credit Card Information Protection
Many Axero customers pay for the service by credit card. Axero does not store, process or collect credit card information submitted to us by customers. We leverage trusted and PCI-compliant payment vendors to ensure that customers’ credit card information is processed securely.
4.1.3 Data Protection
Within these data centers, customer data is stored in single-tenant storage systems accessible to our customers via only the Axero applications or APIs. No customer has direct access to the underlying application infrastructure. Axero leverages both structured (RDBMS) and unstructured (file-system) secure data repositories. Security is enforced through network and application access controls as well as permissions systems within each server and database.
4.1.4 Data Backup Policies
Axero ensures data is replicated and backed up in multiple durable data-stores. The retention period depends on the nature of the data. Data is also replicated across data-center availability zones in order to provide fault-tolerance within an availability zone as well as scalability and responsive recovery, when necessary. In addition, the following policies have been implemented and enforced for data resilience:
- Customer (production) data is backed up leveraging multiple online replicas of data for immediate data protection. All production databases have no less than 1 primary (master) and 1 replica (slave) copy of the data live at any given point in time. Seven days’ worth of backups are kept on any database in the same facility for local restoration. Snapshots are taken and stored to a secondary service no less often than daily and, where practicable, real-time replication is used. All production data sets are stored on a distributed file storage facility like Amazon’s S3, Rackspace’s Cloud Files, or Rackspace Managed Servers.
- Because we leverage private services for hosting, backup and recovery, Axero does not implement physical infrastructure or physical storage media within its products. Axero also does not generally produce or use other kinds of hard copy media (e.g., paper, tape, etc.) as part of making our products available to our customers.
- By default, all backups will be protected through access control restrictions on Axero product infrastructure networks, access control lists on the file systems storing the backup files and/or through database security protections.
4.1.5 Data Retention
Customer data will not be purged for active customers; until impractical, their data will remain in Axero’s system indefinitely. Former customers’ data is removed from live databases upon a customer’s written request or after an established period following the termination of the customer agreement. In general, former customers’ data is purged 90 days after all customer relationships are terminated. Information stored in replicas, snapshots, and backups is not actively purged but instead naturally ages out of the repositories as the data lifecycle occurs. Axero reserves the right to alter the data pruning period and process at its discretion in order to address technical, compliance, or statutory needs.
4.2 Infrastructure Controls
Axero outsources hosting of its product infrastructure to leading US-based and EU-based data-centers, currently Rackspace, Amazon Web Services, and Vellance/Sentia, who provide high levels of physical and network security and maintain various levels of audited security, including SOC-2 compliance, and hardened infrastructure. Axero does not host any production software systems.
These world-class data-centers leverage the most advanced facilities infrastructure such as power, networking, and security. Facilities uptime is guaranteed to us from our providers to be between 99.95% and 100.00% and both providers ensure a minimum of N+1 redundancy to all power, network, and HVAC services. Access to these data-centers is highly restricted, both for physical access and for electronic access through public (Internet) and private (Intranet) networks, in order to eliminate any unwanted interruptions in our service to our customers.
We leverage a multi-tier architecture with routers, firewalls, load-balancers, IDS, web-servers, application servers, database servers, and job servers in a standard configuration for a modern, cloud and dedicated server based, highly distributed system.
4.2.1 Hardened Perimeter & Infrastructure
Axero employs various levels of network-level security and policies to prevent any unauthorized or unintended access to the internal product infrastructure. These security controls include enterprise-grade routers, firewalls, and Intrusion Detection Systems as well as comprehensive logging of all application access paths through web and application server logs.
Alerts for potential threats are escalated to identified administrators within Axero’s Technical Operations team. Servers within the product infrastructure are monitored for traffic spikes, port scanning, and other anomalous activities. Automated triggers facilitate triage of events and the determination of any actions based on the situation. Traffic blocking rules exist and can be activated with the assistance of our data center providers for traffic identified to be potentially malicious in nature.
4.2.2 Vulnerability Scanning & Penetration Testing
Axero performs a variety of vulnerability scanning and penetration testing activities against itself on a continuous basis. We perform vulnerability scanning continuously against our applications and static code analysis against source code repositories that are part of our applications. In addition, infrastructure vulnerability scanning is performed on a regular recurring basis.
Axero’s Terms of Service prohibit activities like spidering and vulnerability scanning, and those restrictions exist only to help ensure that customers have a positive experience. Customers who would like to test the Axero products for vulnerabilities should contact Axero for authorization.
4.2.3 Customer Authentication & Authorization
The Axero products enforce a uniform password policy. The password policy requires a minimum of 6 characters made up of lower case letters and upper case letters, special characters, or numbers. Customer instances of the platform also have administrative controls to allow the customer to enforce a custom password policy of their own based on regular expressions.
Customer portal accounts may be assigned finely grained permissions to the portal’s content and features. For more information about user roles, please see this Axero support article.
Application programming interface (API) access is enabled through API key authentication and authorization. Customers have the ability to generate API keys for their portals. The keys are intended to be used to prototype custom integrations. For more information about API use, please see the Developers portal.
4.3 Employee Access Management
Axero controls individual access to data within its production and corporate environment. A subset of Axero’s employees is granted access to production data based on their role in the company through role-based access controls (RBAC) or on an as-needed basis referred to as JITA (just in time access).
Engineers and members of the Operations team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, analyzing information for product investment decisions, and product support. Access to the product infrastructure is limited by network access and user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the Technical Operations team and our data-center support team.
Customer Support, Services, and other customer engagement staff may request just in time access to customer portals on a 24-hour, time-limited basis. Such access is used to enable our support teams to assist with customer questions and requests. Services team members have JITA access to customer portals in order to assist in setup, consulting engagements, and similar activities. All access requests, logins, queries, page views and similar information are logged.
Employee access is subject to a periodic review to ensure authorized systems are within limits of employees’ current roles.
4.3.1 Employee Authentication
Axero enforces an industry-standard corporate password policy. That policy requires changing passwords at least every 90 days. It also requires a minimum password length of 8 characters and complexity requirements including special characters, upper and lower case characters, and numbers. Axero prohibits account and password sharing by multiple employees. System-level credentials are limited to systems that do not support integrated security through LDAP or other Axero supported security protocols.
Employees generally authenticate to Axero product infrastructure using SSH or similar keys. Where passwords are allowed, the password policy requires 12 character passwords. Additionally, many of the capabilities we use to build the Axero products leverage multi-factor authentication or are protected by single-sign-on solutions that allow for multi-factor authentication.
4.3.2 Employee Security Policies and Awareness
All Axero employees undergo an extensive 3rd party background check prior to formal employment offers. In particular, employment, education, and criminal checks are performed for all potential employees. Reference verification is performed at the hiring manager’s discretion. All employees receive security training within the first month of employment as part of the Axero Security and Risk program along with role-specific follow-up training. All employees must comply with Non-Disclosure Agreements as part of access to corporate and production networks.
4.4 Business Continuity
Axero maintains a business continuity plan focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on recovery strategies in the event of a business continuity issue.
Business continuity testing is part of Axero’s normal processing. Axero’s recovery processes are validated continuously through normal maintenance and support processes. We follow rapid deploy principles, so we create and destroy many server instances as part of our regular maintenance and growth. We use those exact same procedures in a recovery scenario, allowing us to practice our recovery process.
Axero primarily relies on infrastructure redundancy, real-time replication, and backups. Disaster recovery testing is part of Axero’s normal processing. Data is replicated and backed up in multiple durable data-stores across data-center providers to add a level of protection that is both geographically dispersed off-site and off-vendor.
Axero leverages world-class data center providers in order to provide a highly resilient and secure infrastructure. Our outsourced data center facilities have numerous environmental hazard safeguards in place, and their continuity and recovery plans have been independently validated as part of the providers’ SOC 2 Type II and ISO 27001 certifications. The infrastructure redundancy controls are outlined in the infrastructure section above. This infrastructure, coupled with the policies and procedures of our data-center providers, provides a high level of continuity protection. Our data backup practices, outlined above, allow us to recover all critical information in a timely fashion.
4.5 Incident Management
Axero’s services are critical to our customers’ operations. As such, we treat our web-hosting and data-capture platforms as mission-critical. We strive to always meet and exceed the stated service level objectives, and provide coverage 24x7x365 in order to provide the highest level of service to our customers and provide transparency into any customer-impacting situations.
Axero’s rapid incident response program is responsive and repeatable. Pre-defined incident types, based on historical trending, are created in order to facilitate timely incident tracking, consistent task assignment, escalation, and communication. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, vendor alerts, customer requests, privacy events, and others.
In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate to affected customers through email or phone. To meet our transparency objectives, we provide updates upon any major system impact via our public site – https://my.axerosolutions.com – until the issue is resolved.
The CIO reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.
5) Product Security
Axero’s Security and Risk Management Practices are designed to protect all of the Axero products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations.
Whether our products are free or paid, feature-rich or lightweight, Axero works continuously to maintain the privacy of data you entrust with us. The data you store in Axero products is yours. We put our security program in place to protect it, and use it only to provide the Communifire service to you. We never share your data across customers and never sell it.
5.1 Communifire Software
About: The Communifire Software is our leading platform consisting of intranet software with communication, collaboration, and content management features.
Hosting: Primary infrastructure is hosted in Rackspace Managed Servers. Axero’s hosting strategy enables additional redundancy capabilities, architecture flexibility, and infrastructure responsiveness. Our deployment processes leverage network security, server security, and availability features, described above.
Single Tenant Architecture: Each customer gets their own independent database and instance of the Communifire software — each customer’s data is completely separate from one another.
Secure Connections & Encryption: Communifire SaaS installations are secured with SSL certificates automatically. Communifire Self-hosted installations can be secured with SSL/TLS, if needed; doing so is the responsibility of the customer. Passwords are not stored but accessed via industry-standard practices of hashing and salting. Query string parameters are encrypted when necessary.
User Security: Communifire uses a fine-grained, role-based permission matrix to manage access to different parts of the system. Permissions are mapped to roles, and each user can have multiple roles.
5.2 Communifire Mobile Apps
About: The Communifire Mobile Apps consist of iPhone/iPad and Android mobile apps.
Usage model: Communifire Mobile Apps can be downloaded free of charge from the iTunes App Store and Google Play. These apps live on your mobile phone and connect to your Communifire Software instance using secure REST API calls.
Data storage: Communifire Mobile Apps store a very limited dataset on the mobile device for remembering login credentials. No other Communifire data is stored on your mobile device.
Updating: The Communifire Mobile Apps are designed to help increase your productivity and to give you access to your Communifire data anywhere, anytime. One step we’ve taken to improve your experience is automatically updating the app. This automatic update takes place as long as you have your mobile device set up to auto-update. This is automatically done through your specific app store settings. Instead of being interrupted by recurring notifications to update the Communifire Mobile App software, the apps handle their updating process without getting in your way.
5.3 Communifire FileSync for Windows
About: The Communifire FileSync for Windows is a desktop extension of the File and Document Management System built into the framework of Communifire Software. It allows customers to automatically mirror and sync designated folders and files on their desktop or laptop computer to folders in the Communifire Software. The app runs in the background and automatically keeps your files in sync and backed up online.
Usage model: Communifire FileSync for Windows can be downloaded free of charge from the Axero Solutions website. This application lives on your desktop or laptop computer and connects to your Communifire Software instance using secure REST API calls.
Data storage: Communifire FileSync for Windows stores a very limited dataset on the device for remembering login credentials.
Updating: Communifire FileSync for Windows is designed to help increase your productivity, back up your files online, and give you access to your Communifire files on your desktop or laptop. Updates are announced on the Axero Solutions website and the My.Axero support website. Updates are available for download and include an automated installation wizard.
5.4 Communifire Chat for Mac & Windows
About: The Communifire Chat Application is a desktop extension of the Chat & Messaging feature provided in the Communifire Software. It allows customers to use the chat feature in a desktop application.
Usage model: Communifire Chat Application can be downloaded free of charge from the Axero Solutions website. This application lives on your desktop or laptop computer and connects to your Communifire Software instance using secure REST API calls.
Data storage: Communifire Chat Application stores a very limited dataset on the device for remembering login credentials. No other Communifire data is stored on your mobile device.
Updating: The Communifire Chat Application is designed to help increase your productivity and to give you access to your Communifire Chat data on your desktop or laptop. Updates are announced on the Axero Solutions website and the My.Axero support website. Updates are available for download and include an automated installation wizard.
6) Third Party Audits and Certifications of Axero Security Controls
Our services are housed in the US and EU with world-class data center providers Rackspace, Amazon Web Services, and Vellance/Sentia. All are SOC 2 and ISO 27001 certified and maintain facilities secured against electronic and physical intrusion.
7) Updating this document
If there are any material changes to this document, you will be notified by the posting of a prominent notice on our websites. We encourage you to periodically review this page for the latest information.