Your data is our responsibility

Our Security & Trust center provides you with the latest information regarding technical security and data privacy.

The security of our digital workplace

Zero Trust Architecture

Secure access management is a cornerstone of any technology-driven business. Using a SASE architecture, we validate and authenticate at every key decision point in a context-aware fashion, taking into account the user's device, its state, its location and similar signals.

Awareness and education

People can be the weakest link, but they can also become a strength. This is how we look at it at Alasco. Our teams undergo a dedicated security onboarding that builds awareness of the threat scenarios most relevant to our company.

Secure communication and collaboration

To secure data during day-to-day work, we rely on a strong foundation. Alasco uses Google Workspace (Enterprise), end-to-end encrypted communication channels and further dedicated solutions to keep data safe at all times.

The security of our infrastructure and applications

Cloud Security Posture Management

To further strengthen the security posture of our AWS environment, our teams have deployed dedicated security tooling that runs continuous checks, namely Cloud Security Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM) solutions.

System and Runtime security

In addition to using serverless services such as AWS Fargate wherever possible, we deploy safeguards in every runtime we manage. This includes Endpoint Detection & Response (EDR) to monitor for indicators of compromise and Vulnerability Management (VM) tooling to find unpatched software in our environment.

Attack surface management

Taking the attacker's viewpoint is an important and high-leverage strategy for defending against attacks. At Alasco, we aim to tightly control our external attack surface in order to minimize the entry points an attacker can exploit.

Edge security

Alasco's infrastructure perimeter is protected by Cloudflare's edge network and its Web Application and API Protection (WAAP) capabilities. This added layer helps mitigate exploit attempts, including against newly disclosed vulnerabilities, as well as volumetric (DDoS) attacks and more.


The security of customer data

EU data hosting

Alasco's EU-based data hosting is one of the key infrastructure design decisions that were made early on. AWS is an explicit part of our security model, providing Alasco with state-of-the-art technology, safeguards and compliance with industry standards.

Multi-tenancy

Alasco applies stringent data segregation principles: our customers' data is logically separated at the storage level with tight access control rules, so that access is only granted to authorized personnel, including within Alasco.

Data encryption

Encryption is an important part of Alasco's data security strategy. Whenever data moves between our systems, we rely on Transport Layer Security (TLS) for encryption in transit, which prevents eavesdropping. For data at rest, we use native AWS features to encrypt our data stores by default (S3, RDS, EBS).

Cross-cutting security initiatives

Bug bounty

Alasco is investing in a close relationship with the cyber security community, and we greatly value their help identifying vulnerabilities in our products. Our Vulnerability Reward Program was developed to honor all the external contributions that help us keep our services safe.

Read more about our Bug Bounty Program

Incident and breach

Our process for managing incidents specifies actions, escalations, mitigation, resolution, and notifications of any potential incidents impacting the security of our platform or data.

Continuous threat modeling

Our Security Team takes this risk-centric view by regularly conducting threat modeling workshops to determine where we may have gaps or room for improvement.

FAQ

Product security

How does Alasco ensure login security?

Our platform's authentication is built on Auth0 (an Okta company). We support the integration of external identity providers if you would like to connect Alasco to your company-internal identity provider (IdP).

Does Alasco support MFA?

Yes.

Can user activity or audit trails be provided?

Yes, we can provide this upon request.

FAQ

Data security

Where does Alasco process or store customer data?

Our application is hosted on AWS in EU regions and is subject to, and compliant with, the EU GDPR.

Does Alasco encrypt my data in transit and at rest?

Data in transit is encrypted with TLS using strong cipher suites, as is industry standard. At Alasco this covers incoming HTTP traffic as well as connections between internal services.
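A "TLS with strong ciphers" claim is only verifiable by inspecting what a server context actually negotiates. The following is an added example, not Alasco's configuration: it builds a server-side TLS context with Python's standard ssl module under an assumed policy (TLS 1.2 and above, forward-secret key exchange, AEAD suites only, at least 128-bit keys) and audits the suites the context enables. The cipher string, the legacy-name pattern and the thresholds are assumptions made for this example.

```python
"""Added example, not Alasco's configuration: a hardened server-side TLS
context built with Python's stdlib ssl module, plus an audit of the cipher
suites it actually enables. The policy (TLS 1.2+, forward-secret key
exchange, AEAD suites only, >=128-bit keys) is an assumption."""
import re
import ssl

# Assumed OpenSSL cipher string. It governs TLS 1.2 suites only; TLS 1.3
# suites (TLS_AES_*, TLS_CHACHA20_*) are always AEAD and remain enabled.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"

# Suite-name fragments that indicate broken or legacy algorithms.
LEGACY_NAME = re.compile(r"NULL|RC4|3DES|DES-|MD5|EXPORT|ADH|AECDH")

# 'kea' values reported by SSLContext.get_ciphers() that give forward secrecy;
# TLS 1.3 suites report 'kx-any' because key exchange is negotiated separately.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def hardened_context() -> ssl.SSLContext:
    """Server context that refuses SSLv3/TLS 1.0/TLS 1.1 and legacy suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Contrast case: OpenSSL's 'ALL' list, which re-enables static-RSA and
    CBC/SHA-1 suites. Shown only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that violate the assumed policy."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if (not suite["aead"]
                or suite["strength_bits"] < 128
                or suite["kea"] not in FORWARD_SECRET_KEA
                or LEGACY_NAME.search(name)):
            bad.append(name)
    return bad


def accepts_tls10(ctx: ssl.SSLContext) -> bool:
    """True when the context would still negotiate TLS 1.0."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    ctx = hardened_context()
    print("enabled:", [c["name"] for c in ctx.get_ciphers()])
    print("weak:", weak_suites(ctx))
    print("legacy context flags:", len(weak_suites(legacy_context())), "suites")
```

The audit reads the structured fields get_ciphers() reports (aead, strength_bits, kea) rather than parsing suite names alone, so a suite such as AES128-GCM-SHA256 is flagged for its static RSA key exchange even though its name looks modern.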

For persistent storage, our application is hosted on AWS and relies on several AWS-native data services (RDS, S3, SNS, SQS). Wherever possible, we enable and use AWS-native encryption. RDS, for example, encrypts data with keys stored in AWS KMS; AES-256 is used for the underlying storage, automated backups, read replicas and snapshots.
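The continuous checks a CSPM product runs (see the Cloud Security Posture Management section above) are, for encryption at rest, little more than assertions over the AWS API responses for each data store. The following is an added example, not Alasco's tooling: a minimal at-rest posture check written against the response shapes of boto3's describe_db_instances, get_bucket_encryption and describe_volumes calls. The inventory is constructed sample data (the identifiers, account number and key ARN are placeholders) so the check runs offline; in practice the dicts would come from the live API calls.

```python
"""Added example, not Alasco's tooling: the kind of encryption-at-rest check a
CSPM product runs continuously, written against the response shapes of three
AWS APIs (boto3 describe_db_instances, get_bucket_encryption, describe_volumes).
The inventory below is constructed sample data so the check runs offline."""
from __future__ import annotations

# SSEAlgorithm values get_bucket_encryption can report for a default rule.
ACCEPTED_S3_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def check_rds_instance(db: dict) -> list[str]:
    """StorageEncrypted is fixed when an RDS instance is created; an unencrypted
    instance is remediated by restoring from an encrypted snapshot copy."""
    ident = db.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    if not db.get("StorageEncrypted", False):
        findings.append(f"rds/{ident}: storage is not encrypted")
    if db.get("PubliclyAccessible", False):
        findings.append(f"rds/{ident}: instance is publicly accessible")
    return findings


def check_s3_bucket(name: str, sse_config: dict | None,
                    require_kms: bool = False) -> list[str]:
    """sse_config is the get_bucket_encryption response, or None when the call
    raised ServerSideEncryptionConfigurationNotFoundError (no default rule)."""
    if sse_config is None:
        return [f"s3/{name}: no default encryption rule configured"]
    rules = sse_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"s3/{name}: encryption configuration has no rules"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_S3_SSE:
            findings.append(f"s3/{name}: unexpected SSEAlgorithm {algo!r}")
        elif require_kms and algo == "AES256":
            findings.append(f"s3/{name}: SSE-S3 in use; policy requires SSE-KMS")
    return findings


def check_ebs_volume(vol: dict) -> list[str]:
    """EBS reports a per-volume Encrypted flag in describe_volumes."""
    vid = vol.get("VolumeId", "<unknown>")
    return [] if vol.get("Encrypted", False) else [f"ebs/{vid}: volume is not encrypted"]


def audit(inventory: dict, require_kms: bool = False) -> list[str]:
    """Run every check over an inventory dict shaped like the API responses."""
    findings: list[str] = []
    for db in inventory.get("rds", {}).get("DBInstances", []):
        findings += check_rds_instance(db)
    for name, cfg in inventory.get("s3", {}).items():
        findings += check_s3_bucket(name, cfg, require_kms)
    for vol in inventory.get("ebs", {}).get("Volumes", []):
        findings += check_ebs_volume(vol)
    return findings


# Constructed sample inventory; names, account id and key ARN are placeholders.
EXAMPLE_KEY = "arn:aws:kms:eu-central-1:111122223333:key/example-key-id"
SAMPLE_INVENTORY = {
    "rds": {"DBInstances": [
        {"DBInstanceIdentifier": "app-prod", "StorageEncrypted": True,
         "KmsKeyId": EXAMPLE_KEY, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "legacy-reporting", "StorageEncrypted": False,
         "PubliclyAccessible": True},
    ]},
    "s3": {
        "app-prod-uploads": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                    "KMSMasterKeyID": EXAMPLE_KEY},
             "BucketKeyEnabled": True}]}},
        "app-prod-logs": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "scratch-exports": None,
    },
    "ebs": {"Volumes": [
        {"VolumeId": "vol-0example1", "Encrypted": True},
        {"VolumeId": "vol-0example2", "Encrypted": False},
    ]},
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, require_kms=True):
        print(line)
```

Two practical points the check encodes: RDS encryption cannot be switched on for an existing unencrypted instance, which is why the finding points at a snapshot copy rather than a setting; and a missing S3 default rule is a gap in the bucket's own policy even though S3 has applied SSE-S3 to new objects by default since January 2023. The preventive counterpart for EBS is the account-level "EBS encryption by default" setting (ec2 get_ebs_encryption_by_default / enable_ebs_encryption_by_default).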

Who has access to the data Alasco is managing?

Our general design principles are zero trust and need-to-know. Accordingly, only dedicated client account managers require access to customer data. In addition, our technology department, which runs the platform, has access to the underlying infrastructure and databases.

FAQ

Governance, Risk, Compliance

Does Alasco have an information security program?

Yes. Our Security Team takes care of the company's security program, annual targets, design principles, architecture decisions and so on. You will find a lot of related information in our Security & Trust Center on our website under https://www.alasco.de/security/

Keeping our customers' data safe is of utmost priority to us, and we continue to invest in best-in-class tooling to deliver on this promise.

Is Alasco's security program aligned with industry standards?

Yes. Specifically, we adhere as closely as we can to the following standards:
SOC 2 Type II
ISO/IEC 27001
CIS AWS Foundations Benchmark v1.4.0
NIST SP 800-171 Rev. 2
AWS Well-Architected Framework
Attestations and benchmark results for selected scopes can be provided upon request.

Does Alasco have any 3rd party security certifications?

We select our service providers with security and compliance in mind. Key parties in our provider ecosystem are certified against industry security standards such as SOC 2 Type II or ISO 27001. Alasco regularly evaluates suppliers against these requirements in a prioritized fashion.

Alasco itself has not yet undergone an audit with a certified attestation. Our security framework goes well beyond what industry standards demand; however, based on our customers' feedback, investing in the time-consuming process of annual audits and maintaining certification has not proven practically necessary to date.

Does Alasco regularly undergo penetration testing by a 3rd party company?

Yes. We conduct different forms of testing in cycles.

Most importantly, we run a 24/7 vulnerability reward program to detect potential issues as early as possible. In addition, we conduct third-party penetration tests and inside-out security audits several times per year.