Security and compliance

Security measures are continually being developed to reduce the risk of fraud in electronic documents.

Introduction

Cention is an expanding multinational company. We embrace the importance of data security and privacy and welcome regulations such as GDPR and other local laws and directives regarding data security. In order to make our position clear to our partners and suppliers, our own staff, our customers and any other parties, we publish here the relevant information and documentation. It is a non-negotiable requirement on our side that all our partners, suppliers and their subcontractors, without exception, follow the information given here.

Legal Requirements

Our general rule is that all our partners and suppliers must, in all their activities, follow the national laws of the countries in which they operate. Should any of the following requirements by Cention be in violation of the national law in any country or territory, the law must always be followed. In such a case, the supplier must inform Cention immediately upon becoming aware of this. It is, however, important to understand that Cention’s requirements are not necessarily limited to the requirements of national law.

Relevant Documents

Privacy Policy

This Privacy Policy is designed to help you to understand what personal data we collect about you and how we use and share it.

Security Policy

Describes the organizational and technical measures Cention implements platform-wide.

Data Processor Addendum

This DPA forms part of the Agreement and sets out the terms that apply when Personal Data is processed by Cention under the Agreement.

Amazon Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the AWS Customer Agreement available at http://aws.amazon.com/agreement.

Privacy by design – personal data protection

We follow regulations thoroughly, and Cention makes sure to comply from a technical perspective as well.

Cention-cloud-security

Cention takes security and availability very seriously and strives to always provide our service with high security standards.

Data Processor Addendum - Europe

The Data Processing Addendum located at https://www.cention.com/dpa is hereby incorporated by reference.

Certifications & Compliance

Cention is compliant with:

Cention works according to, and is in the process of being certified for:

Product Security

SSO & 2FA

OAuth2 allows you to authenticate users from your own systems without requiring them to enter additional login credentials. If you are using password-based authentication, we encourage you to turn on two-factor authentication (2FA).

Permissions

We enable permission levels within the system to be set for your teammates. Permissions can be set to include administration settings, user data and/or the ability to send or edit messages.

Password and Credential Storage

Cention enforces a password complexity standard and credentials are stored using a SHA256 function.
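The page states that credentials are stored using a SHA256 function and that a complexity standard is enforced, but does not describe the details. The following is an added example, not Cention's own code, showing how a SHA256-based credential store is typically done in practice: a per-user random salt and an iterated derivation (PBKDF2-HMAC-SHA256, from the Python standard library), plus a constant-time comparison on verification. The complexity policy (12 characters, upper case, lower case and a digit) and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed complexity policy for this example (the page does not state Cention's):
# at least 12 characters with upper case, lower case and a digit.
MIN_LENGTH = 12
# Assumed work factor; tune to your hardware so one derivation takes a noticeable fraction of a second.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def meets_complexity(password: str) -> bool:
    """Return True if the password satisfies the assumed complexity policy."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Derive the stored credential string: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt is generated per credential so that identical passwords
    produce different stored values and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time.

    Any malformed stored value (wrong scheme, wrong field count, bad hex) is treated
    as a failed verification rather than raising.
    """
    try:
        scheme, iterations_text, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    sample = "CorrectHorse42Battery"
    assert meets_complexity(sample)
    record = hash_password(sample)
    print(record)
    print("valid:", verify_password(sample, record))
    print("wrong password:", verify_password("not-the-password", record))
```

Two credentials derived from the same password will differ because the salt is random; verification only needs the stored record, since the iteration count and salt travel with it.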

Uptime

We have an uptime of 99.9% or higher. You can check our status here: https://healthd.cention.com

Customer Best Practices

There are simple steps you can take to increase the security of your app. Ask our Customer Success team for tips and tricks.

Network And Application Security

Regional Data Hosting and Storage

Cention services and data are hosted in Amazon Web Services (AWS) facilities in the USA for US customers, Sweden & Ireland for EU customers and Singapore & Australia for APAC customers.

Failover and DR

Cention was built with disaster recovery in mind. All of our infrastructure and data are spread across 2 AWS availability zones, and the service will continue to work should any one of those data centers fail.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

Backups and Monitoring

On an application level, we produce audit logs for all activity, ship logs to central logging for analysis and use S3 for archival purposes. All actions taken on production consoles or in the Cention application are logged.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. Cention is served 100% over HTTPS. Cention runs a zero-trust corporate network: being on Cention’s network grants no access to corporate resources and no additional privileges. We have Single Sign-on (SSO), two-factor authentication (2FA) and strong password policies on GitHub, Google, AWS and Cention to ensure that access to cloud services is protected.

Encryption

All data sent to or from Cention is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs tests. This means we use only strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.
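A customer who wants to verify the properties claimed above (HSTS enabled, strong cipher suites, forward secrecy) can check them from an HTTP response header and a cipher list captured with their usual scanner. The following is an added example written for this page, not Cention's own code: it evaluates a Strict-Transport-Security header value against the thresholds SSL Labs and browser preload lists commonly expect (max-age of at least one year, includeSubDomains), and flags OpenSSL-style cipher suite names that are weak or lack forward secrecy. The sample header values and cipher names are constructed for the example, and the list of weak-suite markers is an assumption, not a complete catalogue.

```python
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; common minimum for an HSTS policy to count as strong

# Substrings in OpenSSL-style cipher names that mark a suite as weak or anonymous.
# Assumed list for this example; extend it to match your own policy.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into its directives, names lower-cased.

    Example: 'max-age=63072000; includeSubDomains; preload'
          -> {'max-age': '63072000', 'includesubdomains': '', 'preload': ''}
    """
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_findings(header: str) -> List[str]:
    """Return the problems found in an HSTS header; an empty list means the policy is strong."""
    d = parse_hsts(header)
    findings: List[str] = []
    max_age = d.get("max-age", "")
    if not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        findings.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def cipher_findings(offered: List[str]) -> List[str]:
    """Flag offered suites that are weak, or whose key exchange gives no forward secrecy.

    Forward secrecy is assumed for ECDHE-/DHE- suites and for TLS 1.3 names (TLS_...),
    which always use an ephemeral key exchange.
    """
    findings: List[str] = []
    for name in offered:
        upper = name.upper()
        if any(marker in upper for marker in WEAK_MARKERS):
            findings.append(f"{name}: weak or anonymous suite")
        elif not (upper.startswith("ECDHE-") or upper.startswith("DHE-") or upper.startswith("TLS_")):
            findings.append(f"{name}: no forward secrecy")
    return findings


if __name__ == "__main__":
    # Constructed samples: one strong header, one weak header, one mixed cipher list.
    print(hsts_findings("max-age=63072000; includeSubDomains; preload"))
    print(hsts_findings("max-age=300"))
    print(cipher_findings([
        "ECDHE-RSA-AES256-GCM-SHA384",
        "TLS_AES_256_GCM_SHA384",
        "AES128-SHA",
        "DES-CBC3-SHA",
    ]))
```

An empty findings list for both checks corresponds to what an "A" rating with HSTS and forward secrecy enabled looks like in practice; any entry is something to raise with the provider before trusting the claim.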

Pentests, Vulnerability Scanning and Bug Bounty Program

Cention uses third-party security tools to continuously scan for vulnerabilities. Our dedicated security team responds to the issues raised. Once a year we engage third-party security experts to perform detailed penetration tests on the Cention application and infrastructure. Cention also runs a ‘bug bounty’ program with Openbugbounty, which gives security researchers a platform for testing and submitting vulnerability reports.

Incident Response

Cention implements a protocol for handling security events which includes escalation procedures, rapid mitigation and a post-mortem. All employees are informed of our policies.

Additional Security Features

Training

All employees complete Security and Awareness training during onboarding and thereafter annually.

Policies

Cention has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting

Cention performs background checks on all new employees in accordance with local laws. The background check includes employment verification for all employees and criminal checks for key personnel.

Confidentiality

All employee contracts include a confidentiality agreement.

PCI Compliance

All payments made to Cention go through payment partners, but Cention’s platform has tools for PCI compliance.

Contact Information

If you want to get in contact with Cention regarding GDPR:
email: legal@cention.com

Data Protection Officer Cention Group:
Mr Henrik Eriksson
email: legal@cention.com