We’ve gone through numerous security assessments with our customers, and we know that security matters for a high-quality B2B SaaS. This page shows a selection of questions around the security of SIGNL4. We cannot provide all (sensitive) details here but are happy to share further information on request or as part of an approval process.
Is SIGNL4 GDPR compliant?
SIGNL4 is fully GDPR complaint. Our European Data Center is in Amsterdam, Netherlands (Microsoft Azure Data Center).
SIGNL4 is hosted on Microsoft Azure. Azure data centers do have various certifications including SOC2. Read more here
Do you encrypt my data?
Full at-rest encryption
Storage of SIGNL4 data in Azure is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.
Full in-transit data encryption
Service connectivity is secured via SSL (REST) and TLS (SMTP). We also encrypt communication between our node-clusters and internal applications based on TLS 1.2.
Partial in-use data encryption
We encrypt/hash certain content like service passwords and 3rd party tool service account passwords and compare only hashed data. Certain logical operations on content like keyword matching algorithm however require decrypted processing.
What is foundation of your authentication methods?
Authentication of the mobile app is token-based and data are automatically erased from the mobile device if no valid authentication is provided. The authentication against external providers like Microsoft Azure AD is also based on tokens. Please, contact us in case you require more details.
Where are my data, where is SIGNL4 hosted?
SIGNL4 is hosted in a European (EU) data center of Microsoft Azure.
Do you perform SAST/DAST/PEN checks?
Yes, we have continuous DAST (Dynamic Application Security Testing) running, using a commercial tool. We can provide you with reports as part of a security assessment.
Do you have a firewall in place?
Yes, of course. The SIGNL4 cluster is protected by a commercial firewall.
Which TLS version do you support/enforce?
We do not enforce a TLS version but do support TLS 1.2.
Do you have a data retention policy in place? Can I delete my data?
Yes. You have full control over your data. If you choose to delete your account, we delete all your data. We fully operate under European GDPR.
As long as your account is active, we retain your data. We retain notification/message/event data up to 12 months, depending on your subscription plan.
Do you have a disaster recovery policy in place? How about backups?
Yes. First of all, SIGNL is a multi-node cluster application with inherent high availability and failover. Our DR also includes daily off-site backups, resulting in an RPO (Recovery Point Objective) of 24 hours. We are also using 3rd party services and try make sure those meet or exceed our own availability goals.
SIGNL4 is public SaaS. So, we’ve implemented logical data segregation in our code based on client and API keys. This prevents access to any data except your own, including through our API.
Do you have key and password management policy?
Yes. APIs keys and passwords (customer login) are stored in hashed format. API keys are only shown once to the user upon creation.
How do you protect access to data by your employees?
We have a wide range of policies (TOMs – technical and organizational measures) in place, ranging from physical access control, digital access rights control, multi-factor authentication and so on. Please, refer to our Data Processing Agreement for more details.
Do you support MFA?
We currently support MFA (multi-factor authentication) through Microsoft Azure AD, Google and Apple authentication if you enable MFA with these providers. For our custom login, we have plans to implement MFA.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.