Information Security Policy

BitaBIZ is committed to preserving the confidentiality, integrity, and availability of all the physical and electronic information assets throughout our organization and we continuously seek to improve the protection of our customers.

The purpose of this policy is to ensure that BitaBIZ applies a consistent, business-risk-based and cost-efficient approach to managing information security.

BitaBIZ will identify and manage risks to information, applications, and technology by applying an Information Security Management System (ISMS) intended to follow and conform to best-practice standards. Protecting information assets covers all stores of information, the network, the people who use them, the processes they follow, and the physical computer equipment used to access them.

This policy applies to BitaBIZ management, all full-time or part-time employees, sub-contractors, project consultants, any other person who works under the authority of BitaBIZ, and any external party.

This policy describes:

1.1 Network and Application Security

Measures implemented to prevent unauthorized access, use, alteration or disclosure of customer data.

1.2 Product Security

Measures implemented to secure data portability, privacy by design, access management and password security.

1.3 Internal Security

Measures implemented to educate our employees.

1.1 Network and Application Security

Data Hosting and Storage

BitaBIZ service and data are hosted at Microsoft Azure in the EU. We do not run our own routers, load balancers, DNS servers, or physical servers.

Security

Cloudflare

Our Azure Cloud Services and Virtual Machines are protected by the Cloudflare web application firewall (WAF). BitaBIZ is protected against all important security risks. The BitaBIZ WAF is certified by the PCI Security Standards Council.

All data sent to or from BitaBIZ is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS only. We automatically use the newest TLS version supported by the client.

BitaBIZ has HSTS (HTTP Strict Transport Security) enabled, and all requests are forced to use HTTPS.

Microsoft Azure

BitaBIZ Azure databases use encryption at rest by default, and the database encryption key is protected by a built-in server certificate.

Microsoft Antimalware is installed on our Azure Cloud Services and Virtual Machines. Login to our production environment is only possible via Microsoft Azure Just-in-Time access, which provides audit logs for all activity. Data retention: point-in-time backups are stored for at least 1 month back, and monthly backups are stored for at least 6 months.

BitaBIZ is delivered on the Microsoft .NET technology platform. Our Microsoft resources, such as MS SQL, are always updated with the latest security updates.

Platform Monitoring, Penetration Tests and Vulnerability Scanning

BitaBIZ uses Rapid7 to continuously scan for vulnerabilities. This enables us to identify and remove vulnerabilities.

BitaBIZ uses New Relic real-time platform monitoring. This enables us to monitor performance and quickly identify errors.

1.2 Product Security

SAML 2.0

Single Sign-On (SSO) allows your company to authenticate users in your own systems without requiring them to enter login credentials in BitaBIZ.

Manual Password and Credential Storage

Password-based authentication: user passwords are encrypted using SHA1 or a later version of the algorithm.

Authentication Controls

Measures are implemented to restrict the number of login attempts.

Session timeout

Session timeout is implemented.

SCIM

User provisioning allows your company to control and manage user creation and access control from your own systems.

User Role Permissions (Privacy by Design)

BitaBIZ has built-in settings and permission management.

Permission roles include:

  • System admin
  • Global payroll admin
  • Local Payroll admin
  • External admin
  • HR statistics
  • Approver role
  • User role

Settings management:

  • Default settings
  • GDPR setting
  • User settings

Data Portability and Data Management

BitaBIZ has built-in tools that allow the customer to respond to employee requests to delete personal information if the information is no longer relevant.

1.3 Internal Security

Training

All our employees have received security awareness training, and more specialized staff have received appropriately specialized information security training.

Policies

Our setup does not allow staff to access business resources outside the scope of our implemented Information Security Policy.

Employee Vetting

BitaBIZ performs background checks on all new employees, including employment verification and, for Danish employees, criminal record checks.

Confidentiality

All employee contracts, consulting agreements, vendor agreements, or service delivery agreements include confidentiality clauses to set forth a duty of secrecy and security of customer data and personal data even after the engagement with BitaBIZ ends.

Internal permissions and authentication

  • Access to customer data is limited to authorized employees who require it for their job.
  • BitaBIZ has a Single Sign-On (SSO) policy for all business resources. SSO support is a requirement for adopting a business resource. We manage resource access from one central portal. Access to a resource is only granted if it is relevant to the job function.
  • We monitor and audit-log logins to all company resources.
  • All actions taken on production consoles are logged.
  • We have strong password policies.

Audit

BitaBIZ employees must enable and contribute to audits, including inspections carried out by our customers or another auditor that has been authorized by the customer.

Hardware

All employees have a company-paid PC and mobile device secured with a company-managed firewall and security scanning.

PCs are wiped every year. Data must only be saved on company-managed SharePoint/OneDrive.

As a part of the overall security management, BitaBIZ assesses the Information Security Policy annually.

BitaBIZ Information Security Policy accompanies BitaBIZ Terms & Conditions (System2 25.05.2018).