Security Policy

Success is built on trust. Trust starts with transparency.

2018-07-02T13:52:57+00:00

At Tradecloud, trust is our #1 value and we take the protection of our customers’ data very seriously.

The Tradecloud security team acknowledges the valuable role that independent security researchers play in internet security. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site or applications. Tradecloud is committed to working with security researchers to verify and address any potential vulnerabilities that are reported to us.

Tradecloud maintains a comprehensive set of compliance certifications and attestations to validate our #1 value of trust.

Tradecloud is dedicated to helping our customers be more secure when accessing our service. With the evolving threat landscape, we strongly encourage customers to take action to help prevent unauthorized access to their Tradecloud environment.

GDPR

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. Tradecloud is committed to helping our customers comply with the GDPR through our robust privacy and security protections.

General

  • All data is in the EU
  • GDPR compliant as of 25/5/2018

Datacenters

Encryption

  • HTTP over SSL for the portal
  • Plain password over HTTP over SSL for the portal
  • AES 256 for ZMQ messages for the connector
  • A key per tenant for authentication

Infrastructure

  • OS: Ubuntu
  • Integration: REST API
  • Application: back-end: Scala, Akka – portal: JavaScript, AngularJS – Connector: C#, .NET
  • Database: Mongo 3 & Cassandra
  • Search: Elasticsearch
  • Messaging: Kafka

On a technical level, access to data is protected by:

  • Restricted datacenter access only by cloud provider personnel
  • Restricted cloud provider access by using two-factor authentication
  • Private cloud using firewalls on all servers
  • Database and search servers isolated from application servers
  • Restricted server access from Tradecloud offices only
  • Restricted server access by SSH and public/private key authentication only
  • Centralized monitoring, logging and alerting of server activities
  • Automated nightly security updates
  • Automated encrypted backups on two locations
  • User passwords are securely hashed with a salt
  • SSL connections verified A-grade by Qualys SSL Labs

On a functional level, access to data is protected by:

  • User authentication
  • User authorization based on roles and his/her company
  • All data, like an order, has a buyer and/or supplier identifier