Thinkowl

SUPPLIER QUESTIONAIRE

You can order the following questionaire as PDF by sending us an email to Customer Care.

SYSTEM AND DATA RELATED QUESTIONS

What is the technical architecture type of the system?

Macro-service architecture as a distributed SOA

Please describe which architecture tier model is used and which interfaces exist.

Each service has a 3-tier model architecture with REST interfaces

Are sub-suppliers used for operations of the service?

We are using the services of Hosting & Service Provider Hetzner Online GmbH and PlusServer AG (Colocation).

Please specify the ownership situation of the system?

Owned by ThinkOwl Europe GmbH, Mülheim-Kärlich (Germany) respectively ThinkOwl Inc., Orlando (FL, USA)

Please specify the locations from which your company operates?

Germany

In which countries are the customer’s data stored or processed, taking into account all stages of the data lifecycle?

For EU cloud: Germany, Ireland
For US cloud: USA

GENERAL QUESTIONS

What kind of service shall be delivered (e.g. IaaS, SaaS, PaaS, …)?

SAAS

Which kind of personal identifiable information will be stored (e.g. names, e-mail addresses, birthdates, credit card numbers)?

In the standard product, user first name and last name, email address and customer first name and last name are mandatory fields. Additional communication address details, such as secondary e-mail addresses and street addresses are optional. Account holder information also includes credit card information, which, if it belongs to a person instead of to an organization, is also deemed to be personal identifiable information. Additionally, an administrator may create custom data fields to store any desired type of information. This decision, however, is entirely made by the ThinkOwl account customer, not by ThinkOwl itself.

ACCESS CONTROL

Which authentication methods are supported?

ThinkOwl default authentication, SSO

Which 2-factor authentication methods are supported?

Google Authenticator and FreeOTP

Can strong passwords be enforced according to the requirements below?

Requirements:
1. Password shall contain characters of 4 classes: Roman upper case (A…Z), Roman lower case (a…z), Arabic numerals (0…9), special characters (!"$%&/()=?*…)
2. Password shall have a minimum length of 15 characters
3. New password shall never be the same as any of the last five passwords
4. Password shall not be a "dictionary" word (e.g. it should not be a word commonly used in dictionary attacks)


ThinkOwl offers:
1. 4 classes: YES
2. Minimum length: YES
3. Previous password check: YES
4. Dictionary words: NO, but a combination of password rules will greatly mitigate attacks.
If passwords are used: Are users able to select their own passwords?

Yes.

If initial passwords are provided: Are the initial passwords individual?

Can be set by account administrator.

If initial passwords are provided: Is a password change enforced at first sign-in after issuance?

Yes, this can be configured as such.

Is a central Identity Management System (IDMS) in place?

Yes.

Which single sign-on systems do you support?

SAML v2.0, Google

Which federated mechanisms for authentication do you support?

LDAP

Which third party identity providers are your systems interoperable with?

Google

How long are session tickets or the like valid?

Access token lifespan: 1 minute

What controls against brute force attacks are implemented?

Password Policy for users as well as Cloudflare WAF inclusive DDoS Protection.

Is administration performed via remote access?

Only Admin team members may access the systems. Access only possible from within the company network (site-to-site VPN). Admin team members can access company network remotely by dial-in VPN plus password.

In which countries are the administrators located?

Germany, India

Is the physical environment for the administration facilities subject to the same requirements as the datacenter?

No. The administration facilities inherit no critical infrastructure.

Are the same access control measures applicable for all states of the data life cycle (e.g. staging, backup, recovery)?

Yes

USER AND ROLE MANAGEMENT

Do you support Role Based Access Control (RBAC)?

Yes

Are any high-privilege roles allocated to standard user accounts?

Account admin has full responsibility.

Which account creation and approval workflows do you support?

Account admin has full responsibility.

Can account ownership be assigned to a representative of the customer?

Account admin has full responsibility.

Is user self registration allowed?

No

Do you support regular role reviews by the customer?

No

What processes are in place for the revocation of credentials?

User deactivation, user deletion, password change

What maximum delay for credentials provisioning and de-provisioning across geographically distributed locations can you guarantee?

Administrator can sign out an agent, the access token will expire after 1 minute, login a new login can be deactivated for a user.

Do you monitor and log privileged access?

No

Is there a segregation of duties implemented for privileged roles (e.g. service desk, system administration, database administration, backup, information security management)?

Yes, and custom roles can be defined in ThinkOwl plan „Diamond“.

AUDIT AND MONITORING

Which audits will the customer be allowed to perform?

There is no audit right for a customer. Compliance is ensured through internal audits as well as the currently in process ISO 27001 certification.

Do you provide proof that all agreed controls are in place and working?

This is proven by providing the Statement of Applicability as well as the ISO Certificate.

Do you provide real-time online access to log information of all security relevant events to the customer?

No

Do you provide to the customer information about the patterns which will be detected and recognized as an incident?

No

Can the customer define custom patterns to be detected and recognized as an incident? Which industry standards for these patterns are you supporting (e.g. STIX, TAXII, CybOX, YARA)?

No

Will you inform the customer about security incidents in a timely manner even if the customer is not directly effected?

Yes. In the event of a failure, we will be notifying any customers impacted by the situation and will take appropriate action to protect the operations of our customers.

PHYSICAL SECURITY AND HOSTING

How do you separate the data of your customers (e.g. dedicated hardware, virtual environment database and storage)?

By logical separation / mandatory operation.

What assurance can you give that access to your data is exclusively restricted to your personnel and services?

Encrypted data storage (ElasticSearch / S3). Keys are not known to any non ThinkOwl or service personnel.

Can data hosting and processing be done on service instances dedicated to the customer?

No

What assurance can you provide regarding the physical security of the location? Do you hold an ISO 27001Certificate?

The ISO Certification is currently in progress. However, ThinkOwl fully relies on Tier III+ data centers that fulfill SSAE-16, SOC, PCI DSS, HIPAA or ISO 27001 requirements.

Where are your services located geographically?

Currently ThinkOwl is hosted in Data Centers located in Germany (for EU Customers) and the United States (for others).

OPERATIONS SECURITY

Which standard certifications covering operations security do you hold (e.g. ISO 27001, Common Criteria, SSAE16)?

ISO 27001 currently in progress. CC, SSAE16 not planned yet.

Please detail your malware protection measures.

Patch Management, anti-malware clients, WAF, Firewall

How do you ensure systems are hardened by default and protected from unauthorized access?

Limiting allowed OS Versions and standard images

Is there a staged environment to reduce risk, e.g. separate development, test and operational environments?

The development and testing environment are physically separated from the operational environment to reduce the risks of unauthorized access or changes to the operational environment as well as ensuring a segregation of duties for transporting code between the different quality gates.

APPLICATION SECURITY

Describe your internal software development process. What practices are followed to keep the applications safe (e.g. Software Development Life Cycle)? Please provide proof.

Automated static code analysis with SonarQube and automated behavior tests are integrated in development lifecycle.

How do you validate that new releases are fit-for-purpose and do not pose risks (backdoors, Trojans, etc.)? Are these reviewed before use?

Static Code-Analysis for Java and JavaScript againgst OWASP Top 10 is conducted via SonarQube.

Describe the controls used to protect the integrity of the operating system and application software used. Include any standards that are followed, e.g. OWASP, SANS Checklist, SAFECode, etc.

Static Code-Analysis for Java and JavaScript againgst OWASP Top 10 is conducted via SonarQube.

Please detail how and how often you carry out vulnerability testing.

Static Code-Analysis for Java and JavaScript againgst OWASP Top 10 is conducted via SonarQube. Regular external and internal penetration tests.

Please detail your process for rectifying vulnerabilities (hotfixes, re-configuration, uplift to later versions of software, etc.).

Vulnerabilities get classified and are rectified according the respective classification and adhering to the standard development process.

Please detail the threat and vulnerability assessment conducted for your applications and systems.

OWASP10 vulnerabilities are covered by SonarQube and behavior tests performing checks for privilege escalation.

Do you use an automated or manual source code analysis to detect security defects in code prior to production?

SonarQube and JBehave as quality gates.

Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices regularly?

Regular external and internal penetration tests.

Network Security

Please detail the network security controls available for the connection between your network and the customer's network.

Customers can only access ThinkOwl via https to the web frontend.

Please detail which encryption methodologies are in place for data in motion both within and outside of your network.

Customer unique document encryption in the S3 storage, facilitating the 256-bit Advanced Encryption Standard (AES-256). Transport is securred by SSL.

Will credentials be encrypted while transmitted?

HTTPS / SSH

Please describe the network security controls in place protecting your network against the internet, e.g. firewalls, proxies, reverse proxies, VPN.

Web-Application Firewalls, firewalls, proxies, reverse proxies, VPN.

Are you able to restrict access to the customer services based on the source device (e.g. IP address whitelisting, certificate)?

As ThinkOwl is a Cloud solution, this is not part of the architecture.

Please describe the controls in place to mitigate DDoS attacks.

DDoS protection by Cloudflare.

Encryption

Please detail which encryption methodologies are in place for data at rest, e.g. databases, file systems, backups.

S3 - Data AES256 encrypted - transport SSL - (Mails, Tif, Attachements).
ES unencrypted - Connection is done by certificate - Transport secured by SSL - (Customer cases).
DB unencrypted - Configurations (desks, Mail Servers, how many folders).
All passwords and keys are stored encrypted in DB or config files.

Please detail how credentials are stored within your applications and systems, incl. backup.

Credentials provided by a user are stored encrypted in DB. System credentials are stored encrypted in config files.

Which security controls are in place for reading and writing cryptographic keys (e.g. strong password policies, keys stored in a separate system, hardware security modules (HSM) for root certificate keys, smart card based authentication etc.)?

Company password policy.

Backup, Archiving and Deletion

How is access to backup data restricted?

Only ThinkOwl Admin personnel can access backup storage systems.

Please detail your policies and procedures for backup.

1. incremental backup of ES (using ES internal toolkit)
2. VM backup (using Proxmox)
3. databases (using mysqldump)

How often do you backup your systems and customer data?

1. ES: incremental backup every 12hrs
2. VMs: once per week
3. DBs: as needed (e.g. before update)

Do you test the backup and restore procedures?

No

For how long are the backups retained?

1. ES: 60 days
2. VMs: one month
3. DBs: as space allows

Where are backups stored? Does the storage facility meet best practices?

Mix between Hetzner storage boxes and our own colocation servers.

Do you support secure deletion (e.g. degaussing, cryptographic wiping, physical destruction) of archived and backed-up data?

No

Do you provide documented procedures and APIs for exporting all data from your service? Are the export formats interoperable?

Yes, JSON format.

Can the customer test data extraction and verify the data?

Yes.

Which options are available regarding automated or on-request deletion of data?

On-request physical and logical delete of case and customer data.

Human Resource Security

Please describe the security awareness and education program you run for all staff.

1. Monthly Security Newsletter.
2. Onboarding Security Training.
3. Annual Security Training.

Contact us

ask@thinkowl.com

Features

Power of AI

Resources

© ThinkOwl