At Tradecloud, trust is our #1 value and we take the protection of our customers’ data very seriously.
The Tradecloud security team acknowledges the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Tradecloud is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.
Tradecloud maintains a comprehensive set of compliance certifications and attestations to validate our #1 value of trust.
Tradecloud is dedicated to helping our customers be more secure when accessing our service. With the evolving threat landscape, we strongly encourage customers to take action to help prevent unauthorized access to their Tradecloud environment.
GDPR
On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Tradecloud is committed to helping our customers comply with the GDPR through our robust privacy and security protections.
General
- All data is in the EU
- GDPR compliant as of 25/5/2018
Datacenters
- DigitalOcean and Packet
- The AMS2 facility is ISO27001:2005 and ISO9001 certified.
- The AMS3 facility is ISO9001, ISO27001, ISO14001, ISO50001 and SSAE16 Type II certified
- https://www.digitalocean.com/help/policy
- https://www.packet.net/locations/amsterdam
Encryption
- HTTP over SSL for the portal
- Plain password over HTTP over SSL for the portal
- AES 256 for ZMQ messages for the connector
- A key per tenant for authentication
Infrastructure
- OS: Ubuntu
- Integration: REST API
- Application: back-end: Scala, Akka – portal: JavaScript, AngularJS – connector: C#, .NET
- Database: Mongo 3 & Cassandra
- Search: Elasticsearch
- Messaging: Kafka
On a technical level, access to data is protected by:
- Restricted datacenter access only by cloud provider personnel
- Restricted cloud provider access by using two-factor authentication
- Private cloud using firewalls on all servers
- Database and search servers isolated from application servers
- Restricted server access from Tradecloud offices only
- Restricted server access by SSH and public/private key authentication only
- Centralized monitoring, logging and alerting of server activities
- Automated nightly security updates
- Automated encrypted backups on two locations
- User passwords are securely hashed with a salt
- SSL connections verified A-grade by Qualys SSL Labs
- User authentication
- User authorization based on the user's roles and company
- All data, like an order, has a buyer and/or supplier identifier