Sign up
Thinkowl

Supplier Questionaire

You can order the following questionaire as PDF by sending us an email to Customer Care.

System and data related questions

What is the technical architecture type of the system?

Macro-service architecture as a distributed SOA

Please describe which architecture tier model is used and which interfaces exist.

Each service has a 3-tier model architecture with REST interfaces

Are sub-suppliers used for operations of the service?

We are using the services of Hosting & Service Provider Hetzner Online GmbH and PlusServer AG (Colocation).

Please specify the ownership situation of the system?

Owned by ThinkOwl Europe GmbH, Mülheim-Kärlich (Germany) respectively ThinkOwl Inc., Orlando (FL, USA)

General questions

Which kind of personal identifiable information will be stored (e.g. names, e-mail addresses, birthdates, credit card numbers)?

In the standard product, user first name and last name, email address and customer first name and last name are mandatory fields. Additional communication address details, such as secondary e-mail addresses and street addresses are optional. Account holder information also includes credit card information, which, if it belongs to a person instead of to an organization, is also deemed to be personal identifiable information. Additionally, an administrator may create custom data fields to store any desired type of information. This decision, however, is entirely made by the ThinkOwl account customer, not by ThinkOwl itself.

Access control

Which authentication methods are supported?

ThinkOwl default authentication, SSO

Which 2-factor authentication methods are supported?

Google Authenticator and FreeOTP

Can strong passwords be enforced according to the requirements below?

Requirements:
1. Password shall contain characters of 4 classes: Roman upper case (A…Z), Roman lower case (a…z), Arabic numerals (0…9), special characters (!"$%&/()=?*…)
2. Password shall have a minimum length of 15 characters
3. New password shall never be the same as any of the last five passwords
4. Password shall not be a "dictionary" word (e.g. it should not be a word commonly used in dictionary attacks)


ThinkOwl offers:
1. 4 classes: YES
2. Minimum length: YES
3. Previous password check: YES
4. Dictionary words: NO, but a combination of password rules will greatly mitigate attacks.
How long are session tickets or the like valid?

Access token lifespan: 1 minute

What controls against brute force attacks are implemented?

Password Policy for users as well as Cloudflare WAF inclusive DDoS Protection.

Is administration performed via remote access?

Only Admin team members may access the systems. Access only possible from within the company network (site-to-site VPN). Admin team members can access company network remotely by dial-in VPN plus password.

User and role management

Audit and monitoring

Physical Security and Hosting

What assurance can you give that access to your data is exclusively restricted to your personnel and services?

Encrypted data storage (ElasticSearch / S3). Keys are not known to any non ThinkOwl or service personnel.

What assurance can you provide regarding the physical security of the location? Do you hold an ISO 27001Certificate?

The ISO Certification is currently in progress. However, ThinkOwl fully relies on Tier III+ data centers that fulfill SSAE-16, SOC, PCI DSS, HIPAA or ISO 27001 requirements.

Where are your services located geographically?

Currently ThinkOwl is hosted in Data Centers located in Germany (for EU Customers) and the United States (for others).

Operations Security

Please detail your malware protection measures.

Patch Management, anti-malware clients, WAF, Firewall

Is there a staged environment to reduce risk, e.g. separate development, test and operational environments?

The development and testing environment are physically separated from the operational environment to reduce the risks of unauthorized access or changes to the operational environment as well as ensuring a segregation of duties for transporting code between the different quality gates.

Application Security

Describe your internal software development process. What practices are followed to keep the applications safe (e.g. Software Development Life Cycle)? Please provide proof.

Automated static code analysis with SonarQube and automated behavior tests are integrated in development lifecycle.

How do you validate that new releases are fit-for-purpose and do not pose risks (backdoors, Trojans, etc.)? Are these reviewed before use?

Static Code-Analysis for Java and JavaScript againgst OWASP Top 10 is conducted via SonarQube.

Please detail how and how often you carry out vulnerability testing.

Static Code-Analysis for Java and JavaScript againgst OWASP Top 10 is conducted via SonarQube. Regular external and internal penetration tests.

Please detail your process for rectifying vulnerabilities (hotfixes, re-configuration, uplift to later versions of software, etc.).

Vulnerabilities get classified and are rectified according the respective classification and adhering to the standard development process.

Please detail the threat and vulnerability assessment conducted for your applications and systems.

OWASP10 vulnerabilities are covered by SonarQube and behavior tests performing checks for privilege escalation.

Network Security

Encryption

Please detail which encryption methodologies are in place for data at rest, e.g. databases, file systems, backups.

S3 - Data AES256 encrypted - transport SSL - (Mails, Tif, Attachements).
ES unencrypted - Connection is done by certificate - Transport secured by SSL - (Customer cases).
DB unencrypted - Configurations (desks, Mail Servers, how many folders).
All passwords and keys are stored encrypted in DB or config files.

Please detail how credentials are stored within your applications and systems, incl. backup.

Credentials provided by a user are stored encrypted in DB. System credentials are stored encrypted in config files.

Backup, Archiving and Deletion

How is access to backup data restricted?

Only ThinkOwl Admin personnel can access backup storage systems.

Please detail your policies and procedures for backup.

1. incremental backup of ES (using ES internal toolkit)
2. VM backup (using Proxmox)
3. databases (using mysqldump)

How often do you backup your systems and customer data?

1. ES: incremental backup every 12hrs
2. VMs: once per week
3. DBs: as needed (e.g. before update)

For how long are the backups retained?

1. ES: 60 days
2. VMs: one month
3. DBs: as space allows

Where are backups stored? Does the storage facility meet best practices?

Mix between Hetzner storage boxes and our own colocation servers.

Which options are available regarding automated or on-request deletion of data?

On-request physical and logical delete of case and customer data.

Human Resource Security

Please describe the security awareness and education program you run for all staff.

1. Monthly Security Newsletter.
2. Onboarding Security Training.
3. Annual Security Training.