Adeptia Connect Cloud Data Security Program

This Adeptia Data Security Program (the “Security Policy”) outlines the security measures implemented by Adeptia to secure Client Data. It describes the administrative, technical, and physical controls applicable to the Adeptia Connect Cloud (ACCloud) service. Adeptia ensures its compliance and enforcement of the security policies via various processes, procedures, training and tools.

Adeptia may update this Security Policy from time to time to document changes as they occur.

Security Overview

Adeptia has designed its Adeptia Connect platform to address security at three key levels – Cloud Infrastructure, Application, and Data. This 3-tier security model is engineered to ensure the integrity, availability, and confidentiality of our clients’ business information.

Cloud Infrastructure Security

  1. Cloud Provider - Adeptia Connect cloud infrastructure is hosted by Microsoft Azure, one of the world’s leading data center providers. Azure handles all physical and environmental security, including, but not limited to: physical access, power, climate and temperature, fire detection and suppression, and surveillance. Microsoft Azure’s Security Operations Center (SOC or SecOps) provides 24/7 global support, managing and monitoring all data center activities. Further information about security provided by Microsoft Azure is available here.

  2. Cloud Infrastructure Management - Adeptia recognizes that our clients have security compliance requirements for cloud infrastructure management that go beyond the native capabilities of Azure. To support these security requirements, Adeptia has partnered with Connectria, an Azure certified partner. Connectria provides continuous security monitoring, regulatory compliance and auditing to ensure SOC 2, SSAE, PCI DSS, PHI and HIPAA requirements are enforced and being met. Connectria provides 24/7 Security Incident Response through Connectria's Security Team to respond to information security events related to customer systems. Connectria administers customer firewall rules, Virtual Networks including Virtual Private Networks (VPNs), Network Security Groups, and Network Access Control Lists (ACLs). Connectria creates and modifies custom rule sets; creates and manages DMZs; monitors firewall and VPN environments for errors and alerts; configures and tests Virtual Network connectivity and manages VPN connectivity; and performs systems administration, problem determination, troubleshooting and resolution of errors and events for firewall and VPN environments.

  3. Physical and Logical Separation - Adeptia has designed the Adeptia Connect Cloud architecture to be highly secure and fully resilient. Network segmentation ensures each client’s data is securely confined within its own Kubernetes namespace and virtual network. The database that stores clients’ metadata and log data is logically separated into client-specific database instances.

  4. Adeptia Application Location - Adeptia’s cloud infrastructure in Azure is geographically dispersed across multiple availability zones to ensure high availability. For US clients, Adeptia utilizes the EAST Region of Microsoft Azure, and replication is to different zones within that region. For EU clients, Adeptia utilizes the EU Region of Microsoft Azure, and replication is to different zones within that region. The US cloud does not replicate with the EU cloud or vice versa.

  5. System Administration, Firewalls, Intrusion Prevention – Adeptia (and its subcontractor Connectria) has implemented system administration procedures that meet or exceed industry standards, including system hardening, operating system patching and proper installation of threat detection software, malware prevention and related tools. Adeptia utilizes industry-leading tools to identify and address suspicious activity in the Azure environment. All firewalls are configured with a default-deny policy, and all cloud servers are hardened using Center for Internet Security (CIS) recommended configurations.

  6. Infrastructure Access Management - Access to the systems and infrastructure that support the Adeptia application is restricted to Adeptia Personnel who require such access as part of their job responsibilities. “Adeptia Personnel” means employees of Adeptia and Adeptia’s authorized subcontractor Connectria. Access to system and application logs is restricted to authorized Adeptia Personnel solely for the purpose of supporting, identifying issues in, and improving the Adeptia application. Access privileges of separated Adeptia Personnel are disabled promptly.

  7. Remote Access - All access to the Adeptia Virtual Networks (VNets) for managing the Adeptia cloud infrastructure requires authentication through a secure connection via approved methods such as VPNs.

  8. Security Training - Adeptia maintains a security training plan for Adeptia Personnel that provides initial education, ongoing awareness and individual Adeptia Personnel acknowledgment of intent to comply with Adeptia’s corporate security policies. New hires complete initial training on security best practices and sign the information security policy. Adeptia Personnel are required to complete annual security training. For Adeptia Personnel that are customer facing, Adeptia performs criminal background screening as part of the hiring process.

  9. Incident Response – A “Security Breach” incident is the event of unauthorized access to, use of, disclosure, theft, or manipulation of Client Data. Adeptia will notify affected Customers of a Security Breach within 48 hours from the discovery of the Security Breach. Such notification will describe the Security Breach and the status of Adeptia’s investigation. Adeptia will take appropriate actions to contain, investigate, and mitigate the Security Breach.

  10. Business Continuity and Disaster Recovery – Adeptia maintains a business continuity and disaster recovery program. Policies and procedures are in place to provide Services and Support Services with minimal interruptions, including disaster recovery planning and testing capabilities, recovery site management and standard backup and recovery procedures.

Application Security

  1. Adeptia Application Access - Adeptia Connect is a business application that is accessible to customer users through a web browser. Adeptia ensures that only authenticated users are able to access the application, and that they can view and act only within their authorized permissions. For user access, all interaction with Adeptia is through a secure user session. The secure session information is encrypted in transit and passed to Adeptia Connect with each subsequent request. Adeptia will only allow access to users that present a valid, secure session.

  2. User Authentication - Adeptia provides flexible user management and authentication using either its own built-in application user management feature or the client’s Identity Management Platform (IdP) via LDAP or SAML 2.0 Single Sign-On (SSO).

  3. Password Policies - Adeptia allows admin users the flexibility to enforce password strength policies to meet corporate requirements.

  4. Authorization – The Adeptia application includes rich capabilities for Granular Access Control (GAC) to enable role-based security and to manage access to objects and data based on rules and permissions.

  5. Credentials Storage - All credentials are stored hashed and encrypted. Adeptia also provides easy management of security keys and certificates in a secure vault. Similarly, account credentials used by Adeptia to access endpoints are also stored in encrypted form to ensure security.

  6. Audit Trail – Adeptia automatically logs all actions performed by users while working in the application and this information is available as an audit trail.

  7. Security Designed into Application Development - Adeptia develops the software while following industry best practices as they relate to security reviews, developer training and code security. Adeptia takes rigorous steps in coding practices, testing and release process to meet industry leading best practices. More information about Adeptia security practices is documented here: https://adeptia.atlassian.net/wiki/spaces/AC42/pages/15141204/Application+security+overview

  8. Software Composition Analysis – Adeptia ensures that all its code and libraries, including third-party JARs, are updated and do not have any known vulnerabilities. Adeptia uses the WhiteSource application for Software Composition Analysis, which is the industry-leading standard. Software Composition Analysis means vulnerability scanning of third-party and open source components included with Adeptia software. This identifies any components or packages in the Adeptia Connect application that are outdated or have vulnerabilities, and these are updated and fixed by Adeptia in the following release.

  9. Independent 3rd Party Penetration Testing – With every release of its application, Adeptia’s Security Testing team internally performs penetration testing before the software is released. Every year, Adeptia also engages an external 3rd party to perform this penetration testing. RedTeam Security performs these penetration tests on the Adeptia Connect application and reports any vulnerabilities that it can find. These are fixed, and then a retest by RedTeam Security is performed to verify the fixes. RedTeam Security then issues a certification for the application. This information is available here: https://adeptia.atlassian.net/wiki/spaces/AC42/pages/15141202/Application+security+report

Data Security

  1. Security by Design - Adeptia has carefully architected the Adeptia Connect application to ensure maximum data security. The Adeptia application protects Client Data by providing end-to-end encryption. This means that customer business data is never in the clear when Adeptia is interacting with it. This is done by ensuring data is encrypted when it is accessed (received and sent) and that it remains encrypted when it is persisted in the Adeptia Connect application.

  2. Encryption at Rest - Adeptia supports Encryption at Rest (EaR) to make sure that all data that is being processed or stored temporarily on local storage is encrypted. This provides the assurance that even if a bad actor is able to gain access to the server behind the application, they are never able to read the contents of the business information.

  3. Data Storage - Adeptia does not persist data. By design, any temporary storage used by the application is ephemeral storage, used only while the data is being processed, and it does not persist after the data flow has finished running successfully. This temporary data is logically separated into folders that are accessible only to authorized users.

  4. Partner Data Separation - Adeptia is architected to separate tenant (sources such as clients’ customers and partners) data with both logical and physical segregation. Logical separation is implemented to ensure that partner data is accessible via logs in the Adeptia user interface only by users in roles that have access to that partner’s information. Adeptia also provides a Tenant Boundary feature that enforces a physical segregation of partner data such that all data processing for different partner tenants happens in their own separate runtime containers. This optional feature prevents commingling of partner data within the client’s Adeptia application.

  5. Data Security in Flight - The Adeptia Connect application ensures runtime data security while data is being processed. It supports all the security standards and protocols needed to enable encryption for data in transit. The application and pre-built connectors leverage the security provided by the endpoint they connect to, whether an HTTPS-based REST or SOAP API or a secure JDBC connection to a database, as part of the integration data flow. If the endpoint supports data encryption, Adeptia can be configured to send and receive encrypted data. Adeptia also provides field-level data encryption and data masking features to protect sensitive data.

  6. Client Data Access and Management – At the start of the Adeptia application service, Adeptia provides the Client with access to the application as a System Admin, and this client user controls access to the Client’s account in the Adeptia Application via User IDs and Passwords. Adeptia Personnel have only restricted access to the application, with the ability to configure settings and properties and monitor application usage. Adeptia Personnel do not have access to Client Data unless the Client provides access. Adeptia uses Client Data only as necessary to provide the Adeptia application and support to the Client.

Client Responsibilities

  1. Client Access - Client is responsible for managing its own user accounts and roles within the Adeptia Application and for protecting its own account and user credentials.

  2. Best Practices - Client is responsible for using the Adeptia application in conformance with the documentation and best practices recommended by Adeptia.

  3. Notification - Client will promptly notify Adeptia if a user credential has been compromised. The same applies if Client suspects possible suspicious activities that could negatively impact the security of the Adeptia Application or Client’s account. Client may not perform any security penetration tests or security assessment activities without the express advance written consent of Adeptia.

  4.  Regulatory and SLA Compliance - Clients whose Client Data includes PCI, PHI, PII, GDPR, UK DCA or other sensitive data should notify Adeptia prior to using the Adeptia application and also implement recommendations such as Virtual Network (VNet). For performance and SLA compliance, it may be recommended by Adeptia to purchase the Adeptia product edition that includes certain features such as Tenant Boundary.