What does Fotoware do to protect user data?
Initial notes
Fotoware works with clear routines and measures regarding data security and storage. We appreciate that customers trust us with their data, and we take seriously our responsibility for safeguarding that data and being open about how we process it.
When Fotoware moved to the cloud, we decided to partner with Microsoft. They demonstrate a healthy track record in data security, and their Azure cloud platform has received great acclaim as a secure, versatile development platform. Microsoft is continually working to implement new security certifications to the point where they're now approved for hosting sensitive government data in some countries.
At Fotoware, our customers' data security is a top priority, as you would rightly expect from a SaaS vendor. We think "security first" in everything we do and work diligently to improve how we build our systems for maximum security. Essentially, five core areas have an impact on the overall security of the service we offer:
Choice of platform
Our solutions run on, and data is stored on, the Azure Cloud platform. This is a safe, scalable platform used by cloud software vendors worldwide. It affords us tools to control the location of your data, its replication to avoid data loss, and the security mechanisms needed to keep it safe. Indeed, we trust Azure to the point where all our services run on the same platform.
Developing solutions with security in mind
Everything we make is "privacy by design". We subject our code to automatic testing and user testing, and from time to time, we use external parties to scrutinize and evaluate the security of individual parts of our offering and the system as a whole. Their findings are reviewed and ultimately end up on our drawing board if improvements are needed.
Enforcing strong encryption
Encryption is a given these days, and we make sure all the data that moves between clients and servers is encrypted in transit using HTTPS and Transport Layer Security (TLS). Data is also encrypted when it's committed to storage in the Azure data center, commonly called encryption at rest.
Limiting access to trusted personnel only
We limit who can access your data. When you call Fotoware Support to get help, we will ask for your consent before doing anything that affects your data. Technical and organizational safeguards are in place to limit access. When we use third-party suppliers to provide additional services, we assess whether they can provide the appropriate level of security and privacy that we require.
Service monitoring and automatic incident reporting
Our engineers are on duty 24/7 to respond to security incidents, big or small, and we review our security continually to be prepared for anything that might come.
Get in touch!
If you have any additional questions, contact Fotoware Support.
Steps taken by Fotoware to protect your data
The points below summarize what Fotoware is doing to protect your data and answer some of the questions that often come up with regard to security and GDPR (General Data Protection Regulation).
Fotoware IT Security
Both management and employees at Fotoware are aware of the risks in this context and take responsibility for their respective roles in IT security:
- The appointed supervisors have clearly defined areas of responsibility with which all employees are familiar.
- The company takes steps to secure data and systems responsibly, irrespective of which platform, environment, or country is involved in storing, processing, or copying these data.
- Fotoware has a system and contingency plans – based on preventative control measures and warning systems combined with vigilant employees – to deal with breaches, viruses, natural disasters (such as fire and water leaks), and hacking.
Access to the Fotoware customer database is only granted to authorized users and must be documented and updated at all times. The systems are checked regularly for risks and vulnerabilities.
- Approved virus scanning software has been installed on all computers connected to the Fotoware CRM and ERP databases.
- The antivirus software is kept updated at all times.
- Backups are taken daily.
To log into the customer database, users need valid credentials. They must comply with the password regulations that apply to all Fotoware employees as outlined in the Data Discipline Declaration, which they signed as part of their employment contract.
Data Discipline declaration for Fotoware staff
- All employees have signed a Data Discipline declaration confirming that they understand, accept, and undertake to comply with the data discipline regulations.
- All Fotoware CRM and ERP system users must sign the Data Discipline declaration before they are authorized to use these systems. Fotoware's IT staff is responsible for ensuring that employees sign the declaration on being allocated their user profiles. The agreement must also be signed by temporary staff, such as summer substitutes, interns, and consultants.
- Fotoware's CEO and CISO are jointly responsible for ensuring that all internal users sign the declaration. Signed declarations are filed.
- Fotoware employees undertake to comply with Fotoware rules for IT security, as defined in the Data Discipline declaration for employees, and general rules and regulations for data security. Employees understand and accept that failure to comply with these rules and regulations may have serious consequences and, depending on the gravity of the failure, may result in the immediate termination of employment.
Data backup routines
Fotoware takes daily backups of servers and databases. The process runs automatically, and additional manual backups can be taken as and when required. Backups are taken using Microsoft Azure Recovery Services vaults.
Disk backups run automatically every day to allow Fotoware to restore its files, databases, and systems more rapidly if necessary.
Fotoware reviews its backup routines annually. These reviews involve quality assurance, checking which data is stored where, and confirming that backups are being made as stipulated. The Site Reliability manager is responsible for performing the routine review.
The Site Reliability manager also logs the review and ensures that the logs are available for IT staff on an intranet wiki.