Updated December 31, 2020
The protection of customer data and privacy is 4me’s number one operational priority.
4me recognizes that its information security practices are important to customers of 4me’s services. The information provided here is an introduction to 4me’s approach to security. It explains the measures that are in place to ensure the security, privacy, confidentiality, integrity and availability of customer data. In addition, general information is provided on the controls and features that 4me makes available to customers to meet their security objectives.
Questions regarding the security of 4me’s services can always be submitted to 4me’s support team by writing to [email protected].
4me classifies itself as a data processor with respect to its customers’ data and as a data controller with respect to account data.
System and Organization Controls (SOC) reports are independent third-party attestation reports that demonstrate how 4me achieves key compliance controls and objectives. The purpose of these reports is to help customers and the auditors of customers understand the controls 4me established to support operations and compliance. Customers can request 4me’s latest SOC 2 report by submitting a request for this report using the 4me services. PricewaterhouseCoopers (PwC) performed the latest audit based on the trust services criteria for security, availability and privacy.
The robust privacy protection requirements of the General Data Protection Regulation (GDPR) of the European Union (EU) and the European Economic Area (EEA) are in line with the values of 4me. Apart from making sure that the 4me organization remains in compliance, the 4me services also provide all capabilities customers need to comply with the GDPR requirements that may apply to their use of the 4me services. For more information on 4me’s GDPR commitment, visit GDPR Compliance.
4me relies solely on the exceptionally flexible and secure cloud infrastructure provided by AWS to store and process all customer data. AWS makes abiding by industry and government requirements simple and ensures the highest standards in data security, privacy and protection. AWS has a comprehensive suite of AWS Compliance Programs, with robust controls in place that 4me relies on. The IT infrastructure that AWS provides is designed and managed in alignment with security best practices and a variety of IT security and compliance standards, including:
- SOC 1 (Audit Controls)
- SOC 2 (Security, Availability & Confidentiality)
- SOC 3 (General Controls)
- ISO 9001 (Global Quality Standards)
- ISO 27018 (Personal Data Protection)
- HIPAA (Protected Health Information)
- FIPS (Government Security Standards)
- FedRAMP (Government Data Standards)
- FISMA (Federal Information Security Management)
Security starts with the people at 4me. 4me staff members are required to conduct themselves in a manner consistent with 4me’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
All staff members undergo appropriate background checks prior to hiring.
All staff members sign a confidentiality agreement outlining their responsibility in protecting customer data.
We continuously train staff members on security best practices, including how to recognize social engineering, phishing scams and other attacker techniques.
4me maintains your data privacy by allowing only authorized individuals access to information when it is critical to complete tasks for you. 4me staff members will not process customer data without authorization.
Internal R&D Processes
Security and privacy are fundamental to the design of the 4me services. Security-oriented environments start with high coding standards that guard against attempted security breaches and are accompanied by rigorous code reviews and automated tests with high code coverage. 4me relies only on open source software, so that the code the 4me services depend on is known and can be inspected. 4me employs the strictest development processes and coding standards to ensure that both the 4me services and the software they depend on adhere to security best practices. In addition, 4me’s continuous validation and testing platform performs a range of white box and black box tests for quality assurance, including regular penetration tests. 4me’s processes are implemented and supported with security as a top priority across all system layers, from the physical layer up to the application layer.
4me has no office, which rules out an entire class of security threats often associated with offices and internal networks. Key staff members are spread over 3 continents: the U.S., Europe and APAC, ensuring continuity of the business.
All customer data uploaded to the 4me services is always stored within the European Economic Area (EEA). 4me does not allow customer data to be stored anywhere else. 4me has made this choice because the EEA has the most comprehensive data protection laws.
All data centers within the EEA that run the 4me services are secured and monitored 24/7 and physical access to AWS facilities is strictly limited to select AWS staff. No staff of 4me has, nor will be permitted to have, physical access to the AWS facilities.
For more information about AWS Cloud Security, see https://aws.amazon.com/security/.
For more information about AWS Compliance Programs, see https://aws.amazon.com/compliance/.
Although 4me relies solely on AWS to deliver the 4me services, this does not mean 4me is locked into AWS. The 4me services can be transferred easily to any other cloud provider should the need ever arise. This is demonstrated by customers that run the 4me software on their own premises.
The 4me infrastructure is electronically accessible to 4me staff, contractors and any other person as necessary to provide the 4me services. 4me maintains access controls and policies to manage what access is allowed to the 4me infrastructure from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. 4me maintains corrective action and incident response plans to respond to potential security threats.
4me takes all necessary precautions to ensure that every layer involved in data transfer is secured by best-of-breed technologies. Services run on a minimal, lightweight, security-oriented operating system, which keeps the attack surface small and prevents the exploitation of entire classes of zero-day and other vulnerabilities. Additionally, 4me uses techniques that avoid erroneous instance-configuration changes, upgrades and corruption, which are common sources of security breaches.
4me codes and automates its infrastructure. Any infrastructure changes are coded, reviewed, run automatically as code, validated and tested in 4me’s segregated development, staging and QA environments before being deployed to the production environments. This too avoids a whole range of erroneous and ad-hoc infrastructure changes that are common sources of security breaches and unavailability.
Firewalls are configured according to industry best practices and unnecessary ports are blocked by configuration with security groups. All 4me services run within VPCs with ACLs and additional custom measures. The network is continuously monitored and 4me has various controls in place to trigger security alerts.
Customer Data Security in Transit and At Rest
The 4me services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. All internal data in transit between services within the 4me infrastructure is protected by TLS v1.2 and the best available cipher suites and protocols.
All customer data is encrypted at rest, including databases, search indexes, file storage, memory caches, log data, backups and all disks.
4me monitors the changing cryptographic landscape closely and works promptly to upgrade the 4me services to respond to new cryptographic weaknesses as they are discovered and implements best practices as they evolve. For encryption in transit, 4me does this while balancing the need for compatibility with older clients.
4me has established a password policy with required configurations and expiration intervals for all systems it controls. Passwords must be long and complex and are forced to be changed every 90 days.
No internal server under the control of 4me is accessible with a password. Only key-based authentication is allowed, and the keys are rotated regularly. In addition, multi-factor authentication is required, also at the API level and when working through a command-line interface.
4me segregates all its different environments: development, staging, QA, demo and production. All these environments have no users defined, so no one can access the production environment directly. Access is granted via a role-based system in a bastion account.
Availability & Performance
We are committed to making 4me a highly-available and highly-performant service. See our history at http://status.4me.com/.
Customer data is stored logically across multiple physical locations within the EEA, protecting the services from loss of connectivity, power infrastructure and other common location-specific failures.
Production transactions are replicated among these discrete locations, to protect the availability of the 4me services in the event of a location-specific catastrophic event. All databases can be restored to a recent point in time.
Multiple daily and weekly backups are created and stored in the primary operation region within the EEA. A copy of each backup is also stored in a secondary operation region that is situated at least 500 miles from the primary operation region. The secondary operation region is also situated within the EEA to ensure that all customer data and all backups thereof are covered by strong legal privacy protection. Every six months, 4me performs tests to ensure that backups can be correctly restored.
4me gains deep visibility into all API calls and all infrastructure changes, including when, what, by whom and from where calls and changes were made. 4me staff are alerted when specific events occur or thresholds are exceeded. 4me maintains an extensive, centralized, encrypted logging environment for all of its environments, which contains information pertaining to security, monitoring, availability, access and other metrics about the 4me services. This logging helps streamline the services, supports investigations and compliance reporting, and is used to improve the security measures and reduce the risk profile.
When a breach of security occurs, 4me promptly notifies the affected customers of any unauthorized access to their customer data. 4me has incident management policies and procedures in place to handle such events.
4me engages credentialed external auditors to verify the adequacy of its security and privacy measures.
4me engages independent entities to conduct regular application-level and infrastructure-level penetration tests. 4me’s security team reviews and prioritizes the reported findings and tracks them to resolution.
Security Features for 4me Administrators
In addition to the security measures 4me employs for its processes and systems, 4me provides customers capabilities to protect their data.
4me keeps an audit trail of all changes to customer data, which customers can view. A limited number of 4me support staff can view a limited subset of the audit trail, only to enable them to fulfil their support duties towards customers.
4me provides insight into events within a 4me account, particularly access events, via a system log that 4me administrators can monitor and analyze.
Detailed authentication logs are available both to 4me users and administrators. 4me logs every access attempt, noting the IP address of the connection.
4me supports role-based access through its interface. A customer’s 4me administrators manage and control user access, including the provisioning of new users with a defined access level.
A 4me account can be provisioned and managed with users, organizations and sites via the 4me SCIM API. SCIM is used by Single Sign-On (SSO) services and identity providers to manage people across a variety of tools.
All users can enable multi-factor authentication to access 4me using hardware security keys, Touch ID and/or authentication apps. Furthermore, administrators can require all users of their organization’s 4me account to activate multi-factor authentication.
A customer’s 4me administrator can define a password policy that all of the customer’s 4me users must adhere to.
Idle Session Timeout
A customer’s 4me administrator can define the idle session timeout duration for the customer’s 4me users.
All inbound email and all attachments that are uploaded by a customer’s 4me users are checked for viruses, unwanted applications, and other malware.
Whitelist Attachment Extensions
A customer’s 4me account owner has the option to whitelist file extensions to permit files with those extensions to be attached to records in 4me. This allows a customer to make sure 4me’s attachment policy is in line with the customer’s security policies.
Access to the 4me APIs can be limited to a scope that is controlled by the customer. Customers are responsible for ensuring that each access token follows the principle of least-privilege, granting access only to the records that are necessary for its legitimate purpose.
Customers can securely integrate their 4me accounts with other applications using the OAuth 2.0 authorization framework. This framework gives customers more control over the scope of the access they give other applications to their 4me accounts.
Webhooks are used by 4me customers to keep other applications in sync with their 4me accounts. Customers can add an extra layer of security by dictating a signing algorithm that 4me has to use to sign the payload of outbound webhook requests.
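As an added illustration of the receiving side of the webhook signing described above (this is example code, not 4me’s own code or its documented webhook format), the block below assumes the customer chose HMAC-SHA256 and that the signature arrives in a request header; the secret, header name and payload are constructed placeholders. It verifies over the raw body bytes, in constant time, before the JSON is parsed.

```python
import hashlib
import hmac
import json

# Placeholder values: the real secret and header name are whatever was
# configured for the webhook in the customer's 4me account.
WEBHOOK_SECRET = b"constructed-example-secret"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(raw_body: bytes, secret: bytes, algorithm: str = "sha256") -> str:
    """Sender side: hex HMAC over the exact bytes of the request body."""
    return hmac.new(secret, raw_body, algorithm).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes,
                   algorithm: str = "sha256") -> bool:
    """Receiver side: recompute the HMAC over the bytes as received and
    compare in constant time, so a missing, truncated or forged signature
    is rejected without leaking how many characters matched."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = sign_payload(raw_body, secret, algorithm)
    return hmac.compare_digest(expected, presented.strip().lower())


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes):
    """Only parse (and act on) the payload once the signature checks out.
    Re-serialising parsed JSON would change whitespace and key order, so the
    HMAC must be computed over the original bytes, never over json.dumps()."""
    if not verify_webhook(headers, raw_body, secret):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample delivery; not a real 4me payload.
    body = b'{"event":"request.update","request_id":12345}'
    headers = {SIGNATURE_HEADER: sign_payload(body, WEBHOOK_SECRET)}
    print("genuine:", handle_webhook(headers, body, WEBHOOK_SECRET))
    tampered = body.replace(b"12345", b"12346")
    print("tampered:", handle_webhook(headers, tampered, WEBHOOK_SECRET))
```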
Customers can define a data retention policy for the record types that may contain personally identifiable information (PII).
Persons who request to be forgotten can be anonymized in the 4me services.
Return of Customer Data
4me customers own the data they store in the 4me service. Customers are free to export this data at any given time.
Report a Security Vulnerability
4me welcomes any feedback that can help make the 4me services more secure. To report a possible security vulnerability that affects the 4me services, send an email to [email protected].
When reporting a possible security vulnerability, please include a detailed summary of the vulnerability, as this will allow 4me’s support staff to respond more rapidly and effectively. Security vulnerabilities are given priority over any other incidents that may affect the 4me services (even over incidents that affect the availability of the service) and are handled through a separate procedure. Throughout this procedure, 4me is committed to safeguarding the privacy of the person who reported the possible security vulnerability. Use the 4me Security public key to encrypt sensitive information sent via email.
After a possible security vulnerability has been reported, 4me will confirm that the report has been received. 4me will subsequently attempt to validate and reproduce the reported vulnerability. If additional information is required in order to validate or reproduce the issue, 4me will work with the person who reported the possible security vulnerability as needed. When the initial investigation is complete, the results will be delivered to this person. If the vulnerability cannot be validated, this will be shared with this person.
On the other hand, if the vulnerability has been verified, a plan for its resolution and public disclosure will be shared instead. If the vulnerability is found to be caused by a third-party software product, 4me will notify this third party. 4me will continue to work with the third party to ensure that a fix gets implemented. The identity of the person who reported the possible security vulnerability will not be disclosed to the third party without this person’s explicit permission.
4me will coordinate public notification of the validated vulnerability with the person who reported it. 4me security bulletins are posted within the 4me service. The person who reported it, or their company, may want to post their own advisories on their website or in security forums. When possible, 4me would prefer that the respective public disclosures be posted simultaneously.
Notifying a vendor before publicly releasing information about a security vulnerability is a best practice known as responsible disclosure. Responsible disclosure allows companies like 4me to better protect their customers by fixing vulnerabilities before they are brought to the attention of someone who may want to exploit them. We strongly encourage anyone who is interested in researching and reporting security vulnerabilities to observe the simple courtesies of responsible disclosure. 4me follows the same practice when it discovers and reports security vulnerabilities to other organizations.
For the protection of our customers, 4me does not disclose, discuss or confirm security vulnerabilities until a full investigation has occurred and any necessary patches or releases have been implemented. Once a security vulnerability has been fixed, 4me publishes a 4me security bulletin about the vulnerability via a broadcast within the 4me service.