ISO Security Measures at Shipfix
At Shipfix, we aspire to nothing less than excellence and make it our top priority day after day. We strive for exceptional performance and outstanding results for you and for our company. As our client, your interests always come first. We protect your privacy and security and take pride in the fact that you choose to do business with us.
Our position as a fast-growing, leading technology firm puts data privacy and security at the heart of our operational model, in step with the rising security challenges we all face.
We hold ourselves accountable to the highest security standards by maintaining a safe and secure operating environment.
We commit the resources at our disposal to exceeding the applicable legal requirements and to continuously improving our security and privacy management policies.
Security & Privacy by design
Shipfix was designed and built from day one to provide the highest level of protection for your sensitive private and commercial data. We process email content to deliver our SaaS (Software as a Service) platform to the Shipfix Community. Because of this, security is an absolute core focus for our engineering and product development teams, beyond simply complying with GDPR, and this is reflected in our technical architecture.
Shipfix is ISO 27001 and 27701 Certified
ISO 27001 sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). ISO 27701 extends it with requirements for the protection of Personally Identifiable Information (PII) and privacy.
Our ISO Certificates cover our entire business:
⭐ Development, hosting, support, improvement and provision of a SaaS platform, including extraction and aggregation of data geared towards trading, chartering and operations teams and features specific to the maritime industry, whilst ensuring security and personal data protection at all times, both as PII processor and PII controller.
This provides assurance that we have in place a strict security and privacy programme, assessed by an independent third party, that meets the most demanding international standards.
You can rest assured that:
- 🏰 Your data is in safe hands:
  - We have a mature Information Security Management System which is stress-tested regularly.
  - We continuously monitor the 114 control points of ISO 27001.
  - Our management system covers all aspects of our business, including but not limited to: information security policies, human resources security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, information transfer and supplier relationships.
- 🤐 We only use your personal data to the extent needed for legitimate purposes and do not retain it any longer than necessary:
  - We have a strict privacy programme assessed by certified independent auditors.
  - We are clear and transparent about how we collect data, what we collect and what we do with it.
  - We continuously monitor the 49 control points of ISO 27701.
  - We ensure that your data is handled to meet and exceed GDPR requirements, both as data controller and as data processor.
Our Key Security Pillars
For us, the foundations of security rest on 4 key pillars:
- Integrity: protecting the accuracy and completeness of your data and ours.
- Traceability: beyond being partly imposed by regulatory obligations, traceability is often the only way to demonstrate control, by verifying the history, location or use of an item through documented information. It underpins our commitment to continuous improvement.
- Availability: your data is stored in multiple data centres in Europe, allowing us to migrate your environment quickly in case of an incident.
- Confidentiality: your data is secured in dedicated clusters within our own self-contained environment. Access is restricted through security layers and backups are encrypted at rest.
So what does this mean in practice?
- 🗝️ Access to program source code and associated items is strictly controlled in order to prevent the introduction of unauthorized functionality into software and avoid unintentional changes
- 🗄️ We maintain a centralised inventory of our information assets, including information processing facilities
- 🏷️ We maintain a labelling policy to ensure that all information is classified in three classes of data (Confidential, Restricted and Public). Each category is subject to the appropriate data handling rules
- 👷‍♂️ Our employees work in secure areas which are protected by appropriate entry controls
- 🧹 We have a clean desk policy to ensure your information remains confidential
- 💂‍♂️ Visitors must be escorted by a member of staff throughout their visit
- 📔 We maintain a visitor log which is retained for one year
- 🕵️‍♂️ Background verification checks are carried out on all candidates for employment
- 🔇 All of our employees sign a strict confidentiality agreement which remains valid after termination or change of employment
- 👨🏻‍🏫 All of our employees receive appropriate awareness training and regular updates on our policies and procedures
- 🛂 We have a formal access provisioning process implemented to enable a strict control of access rights to all systems and services
- 🚦 Access to systems and applications is controlled by a secure log-on procedure, and we monitor the use of a password management system to ensure strong passwords
- 💔 We have a formal disciplinary process in place to take action against employees who have committed an information security breach
- 📥 Emails & documents are stored encrypted at rest in a dedicated bucket
- 🏢 Each organisation that uses Shipfix is isolated from the others
- 🔑 Encryption & decryption keys are specific to your company
- 👤 Users can only access data within their organisation, through a security layer
- 💬 Chat messages are encrypted
- 🔒 Data backups are encrypted at rest
- 🛡️ We use strong, current encryption and hashing algorithms:
  - 🔐 AES-256 for data encryption
  - 🔢 Argon2 for password hashing
- 🌐 We use Google Cloud KMS for managing cryptographic keys and providing a fine granularity over key accesses
- 🔒 Shipfix internal secrets and sensitive data are encrypted
- 🔄 Frequent rotation of encryption keys
- 🔍 Use of technologies such as GCP security console and DataDog to generate auditable logs
- ⌨️ Each part of the platform provides granular auditable logs
- 📷 Every action is tracked across the platform
- 👁️ Logs are permanently monitored to detect abnormal behaviours & suspicious connections
- 🔌 We use TLS 1.2 to encrypt data in transit over public networks
- ☁️ All of our platform layers communicate inside a virtual private cloud
- 🏴‍☠️ We run quarterly penetration tests with a certified third-party partner
- 🌍 Shipfix is hosted on Google Cloud in a European data centre that complies with major security standards
- 👮 We are fully GDPR compliant, both as a data controller and as a data processor
- ⚖️ We ensure appropriate compliance with legislative, regulatory and contractual requirements by working with Tier 1 Legal counsel and using legal monitoring tools
- 🚒 Shipfix has a clear procedure to manage information security incidents consistently and effectively, including communication about security events and weaknesses:
  - 📡 Established appropriate communication channels to report security events
  - 🕵🏾‍♀️ Guidelines to assess security incidents
  - 📚 Documented procedures to respond to information security incidents
  - 💀 Mandatory post-mortems, so that we learn from analysing and resolving each incident and reduce the likelihood of it recurring
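The encryption bullets above (AES-256 at rest, keys specific to each company, a KMS holding those keys, frequent rotation, tenants isolated from one another) describe the envelope-encryption pattern. The Go program below is an added illustration written for this page, not Shipfix's code, and it does not reproduce their architecture: a toy in-memory `KeyStore` stands in for the KMS role, each document is encrypted under a one-off data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under the tenant's current key-encryption key (KEK). The tenant id is bound into both layers as GCM associated data, old KEK versions are retained so that nothing becomes unreadable at rotation, and `Rewrap` shows why rotation is cheap: only the 32-byte DEK is re-encrypted, never the document. All names (`KeyStore`, `Envelope`, `RotateKEK`, `Rewrap`, the tenants `acme` and `globex`, the cargo fixture) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard AES-GCM nonce length

// KeyStore is a hypothetical stand-in for the KMS role (the page names Google Cloud KMS): one list
// of AES-256 key-encryption keys (KEKs) per tenant, oldest first, so that envelopes wrapped under an
// older version stay readable until they are re-wrapped onto the newest one.
type KeyStore map[string][][]byte

// RotateKEK adds a fresh KEK for a tenant and returns its version number (1-based).
func (ks KeyStore) RotateKEK(tenant string) int {
	ks[tenant] = append(ks[tenant], randBytes(32))
	return len(ks[tenant])
}

// Envelope is what the document store holds; the tenant KEK itself never leaves the key store.
type Envelope struct {
	Tenant     string
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, per-document data-encryption key)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, document)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable on a bad key length or a broken platform RNG
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || AES-256-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randBytes(nonceSize)
	return gcmFor(key).Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if key, nonce, ciphertext or associated data do not match.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) <= nonceSize {
		return nil, errors.New("malformed blob")
	}
	return gcmFor(key).Open(nil, blob[:nonceSize], blob[nonceSize:], aad)
}

// Encrypt makes a one-off DEK for the document, encrypts under it, then wraps the DEK with the
// tenant's newest KEK. The tenant id is bound in as associated data, so an envelope copied into
// another tenant's bucket will not authenticate even under that tenant's keys.
func (ks KeyStore) Encrypt(tenant string, plaintext []byte) (*Envelope, error) {
	kek := ks[tenant]
	if len(kek) == 0 {
		return nil, errors.New("tenant has no KEK")
	}
	dek := randBytes(32)
	env := &Envelope{Tenant: tenant, KEKVersion: len(kek)}
	env.WrappedDEK = seal(kek[len(kek)-1], dek, []byte(tenant))
	env.Ciphertext = seal(dek, plaintext, []byte(tenant))
	return env, nil
}

func (ks KeyStore) unwrap(env *Envelope) ([]byte, error) {
	kek := ks[env.Tenant]
	if env.KEKVersion < 1 || env.KEKVersion > len(kek) {
		return nil, errors.New("unknown KEK version for tenant")
	}
	return open(kek[env.KEKVersion-1], env.WrappedDEK, []byte(env.Tenant))
}

// Decrypt enforces the tenant boundary before any key material is touched.
func (ks KeyStore) Decrypt(env *Envelope, caller string) ([]byte, error) {
	if env.Tenant != caller {
		return nil, errors.New("cross-tenant access denied")
	}
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(env.Tenant))
}

// Rewrap moves an envelope onto the tenant's newest KEK. Only the 32-byte DEK is re-encrypted;
// the document ciphertext is untouched, which is what makes frequent rotation affordable.
func (ks KeyStore) Rewrap(env *Envelope) error {
	dek, err := ks.unwrap(env)
	if err != nil {
		return err
	}
	kek := ks[env.Tenant]
	env.KEKVersion, env.WrappedDEK = len(kek), seal(kek[len(kek)-1], dek, []byte(env.Tenant))
	return nil
}

func main() {
	ks := KeyStore{}
	ks.RotateKEK("acme")
	env, _ := ks.Encrypt("acme", []byte("constructed fixture: 50,000 mt soybeans, Santos/Qingdao"))
	ks.RotateKEK("acme")  // rotation: new documents now use KEK v2 ...
	err := ks.Rewrap(env) // ... and existing envelopes are moved over, ciphertext untouched
	fmt.Println(err, env.KEKVersion) // <nil> 2
	_, err = ks.Decrypt(env, "globex")
	fmt.Println(err) // cross-tenant access denied
}
```

In a real deployment the `KeyStore` role is the KMS: the KEK never leaves it, the application only calls its encrypt/decrypt (wrap/unwrap) API, and the "fine granularity over key accesses" mentioned above is the KMS's per-key IAM policy plus its audit log of every unwrap, which is what lets a cross-tenant unwrap attempt be detected rather than merely fail. The explicit `env.Tenant != caller` check and the AAD binding are deliberately redundant: the first gives a clear authorization failure, the second guarantees that a relabelled or misplaced envelope still cannot be opened with another tenant's keys.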