Security

Product reliability and IT security build our customers' loyalty

The trust our customers place in us is based on the security we provide in terms of continuity and good performance of our services as well as on the confidentiality and protection of documents and data involved. The reliability of our products and the safety of the operations carried out through them are fundamental factors that Penneo absolutely prioritizes.

At Penneo, we strive to provide a constant high-level service, meeting our customers' expectations day by day. IT security is of strategic importance for us and it is an essential part of our company culture. What is even more important than discovering vulnerabilities is being able to estimate the potential risks at an early stage of the product life cycle. Identifying security concerns and periodically testing for possible issues allows us to estimate the severity of all risks to the business and make informed decisions.

Penneo's security strategy is based on a risk management paradigm, in which we focus on observing potential risks to minimize the chances of their occurring. Our risk-based approach enables us to save time and resources while ensuring the full comprehension of more serious threats.

Read more about Penneo's Security Management System to find out how our IT security is structured

Security tips

Ensuring protection requires a collaborative effort and you have an essential role in building a strong security framework.

Penneo wants to make sure you have access to all the information you might need to protect your environments.

Read our Best Practices to find advice on

  • how to recognize and report suspicious activities
  • how to reduce risk and ensure protection from online security threats
  • what are the recommended system and application access best practices

Customers as a security resource

Penneo's commitment to security takes shape starting from the preliminary phases of product and software development. From establishing internal projects to implementing IT systems, compliance and safety of our operations are always kept in mind. The principles and technologies we use to provide customers with the best outcome allow us to minimize risks, prevent threats and ensure our product security. The actual application of appropriate technical and organizational measures helps to create the foundation for effective prevention and mitigation of vulnerabilities, breaches and leaks, while promoting a stronger awareness of information security and data protection within all departments of the company.

Precautions and cautious planning inform our customer-centric management framework and systematically ensure that the IT controls continue to meet security needs and standards on an ongoing basis, so that sensitive data remain secure. However, sometimes it may not be enough. Putting clients and their satisfaction first, Penneo values the contribution the customers themselves can make by reporting potential issues or worries. Having the widest possible view of the situation and being able to quickly identify possible problems is as important as our proactive strategy. In other words, our ability to react immediately and efficiently also depends on you, and this is your active role in our security master plan.

Please do not hesitate to contact our Support Team whenever you have issues or questions about using Penneo, or you want to report problems and suspicious activities.

How can you submit a potential security incident to Penneo?

Contact us
- Submit a request using our form
- Ask for Remote support
- Call us: (+45) 71 99 98 93

Would you like to check the operational status of our systems?

Please visit the Penneo service Status page, where you will be able to see the current status of our services and subscribe to updates. You will be the first to know if something is not working properly and be provided with the latest news regarding Penneo platform availability.

Penneo's Security Management System & Risk-based Approach

Risk management and monitoring take a central role in the way Penneo is run.
Our security strategy is built on a risk-based approach, in which we focus on observing potential vulnerabilities to minimize the chances of issues occurring.
This risk management paradigm enables us to save time while ensuring the full comprehension of more serious threats.

Data center security


In order to manage and operate its software as a service (SaaS) and offer its product to customers, Penneo uses the IT infrastructure (IaaS) provided by Amazon Web Services (AWS). The choice of this highly-secure world-leading data center has been mainly dictated by security and operational reasons:

  • the services provided by AWS enable us to automate most of our operational tasks related to the IT infrastructure, thus minimizing human interaction. Since human fallibility is one of the biggest threats to any IT-based company, heavily reducing the impact of the human factor in our threat scenario helps us provide extremely secure and reliable services.
  • AWS gives us instant access to one of the world's biggest infrastructure resource pools. This allows us to handle any size of workload by automated infrastructure scaling and makes us able to recover from complete system failure in a matter of minutes instead of hours or days.

 

Product Security

Coding and testing practices, vulnerability management, industry standard: Penneo's risk ranking framework

In line with our intention to obtain the best possible results in terms of performance, compliance and safety, Penneo relies on OWASP best practices: in the Application Security field, the OWASP (Open Web Application Security Project) is the worldwide best-recognized organization focused on improving the security of software by providing an unbiased source of information and guidelines.

The OWASP Risk Rating Methodology we use at Penneo involves several steps aimed at determining the severity of a risk based on its likelihood and impact:

  1. Identifying a security risk that needs to be rated: gather information about the threat agent involved, the attack that will be used, the vulnerability and the seriousness of the impact on the business in the event of a successful exploit, considering the worst-case option.
  2. Estimating Likelihood: it's essential to understand how likely a particular vulnerability is to be uncovered and exploited by an attacker and generally identify whether the likelihood is low, medium, or high by using a number of factors, involving threat agent factors (type and size of the group of threat agents, their skill level, their resources and opportunity, their motive to find the vulnerability and the reward in exploiting it) and vulnerability factors (how easy it is for this group of threat agents to discover and actually exploit this vulnerability, how well known this vulnerability is and how likely an exploit is to be detected).
  3. Estimating Impact: it's important to realize what impact a successful attack might have and estimate its magnitude, both from a technical point of view (on the application, the data it uses and the functions it provides) and from the perspective of the business and company operating the application. The latter is probably more relevant since it's the business risk that justifies investment in fixing security problems. Technical impact factors are loss of confidentiality, integrity and availability due to disclosure, corruption and loss of data, and accountability in terms of traceability of threat agents. Business impact factors are financial and reputation damage, level of non-compliance exposure, and privacy violation due to the disclosure of personally identifiable information.
  4. Determining the severity of the risk: putting together the likelihood estimate and the impact estimate allows us to calculate an overall severity for the risk. This can be done by reviewing the factors and simply capturing the answers or going through a more formal process of rating the factors and calculating the result. Regardless of the method used to combine the data, the final outcome will be an estimate of the severity rating for the risk.
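
The "more formal process" in step 4, as an added example that is not Penneo's own code: each factor is scored 0-9, the factor groups are averaged, and the two resulting levels are looked up in the severity matrix published with the OWASP Risk Rating Methodology. The factor property names and the scores in SAMPLE are constructed for illustration.

```javascript
// Added example: OWASP Risk Rating arithmetic. Scores in SAMPLE are constructed.

// A group's mean score maps to a level: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH.
function level(score) {
  if (score < 3) return "LOW";
  if (score < 6) return "MEDIUM";
  return "HIGH";
}

// Average a group of factor scores, rejecting anything outside the 0-9 scale.
function mean(factors) {
  const values = Object.values(factors);
  if (values.length === 0) throw new RangeError("no factors supplied");
  for (const v of values) {
    if (!Number.isFinite(v) || v < 0 || v > 9) {
      throw new RangeError(`factor score must be 0-9, got ${v}`);
    }
  }
  return values.reduce((a, b) => a + b, 0) / values.length;
}

// OWASP severity matrix, indexed as SEVERITY[impactLevel][likelihoodLevel].
const SEVERITY = {
  LOW:    { LOW: "Note",   MEDIUM: "Low",    HIGH: "Medium"   },
  MEDIUM: { LOW: "Low",    MEDIUM: "Medium", HIGH: "High"     },
  HIGH:   { LOW: "Medium", MEDIUM: "High",   HIGH: "Critical" },
};

function rateRisk({ threatAgent, vulnerability, technicalImpact, businessImpact }) {
  // Likelihood is the mean of all threat agent and vulnerability factors.
  const likelihood = mean({ ...threatAgent, ...vulnerability });
  // Business impact decides when it is known; otherwise fall back to technical.
  const impact = businessImpact ? mean(businessImpact) : mean(technicalImpact);
  return {
    likelihood,
    likelihoodLevel: level(likelihood),
    impact,
    impactLevel: level(impact),
    impactBasis: businessImpact ? "business" : "technical",
    severity: SEVERITY[level(impact)][level(likelihood)],
  };
}

// Constructed sample rating for one hypothetical risk.
const SAMPLE = {
  threatAgent: { skillLevel: 5, motive: 2, opportunity: 7, size: 1 },
  vulnerability: { easeOfDiscovery: 3, easeOfExploit: 6, awareness: 9, intrusionDetection: 2 },
  technicalImpact: { confidentiality: 9, integrity: 7, availability: 5, accountability: 8 },
  businessImpact: { financial: 1, reputation: 2, nonCompliance: 1, privacy: 5 },
};

console.log(rateRisk(SAMPLE));
// Same risk rated without business context: the technical impact drives the result.
console.log(rateRisk({ ...SAMPLE, businessImpact: undefined }));
```

The same finding lands on a different severity depending on whether business impact is available, which is why the rating records which basis was used.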

 

Change Management

Penneo has implemented a formal change management procedure to ensure that changes are always handled in a consistent and responsible way. The purpose of this ad hoc procedure is to minimize the risk of unauthorized access to data or resources and the chance of failure to process or validate documents. The procedure takes place in the event of alterations concerning both infrastructure and software: for every modification, the security implication is assessed. A change is security critical if it touches one or several of the following areas:

  • authentication
  • authorization
  • firewall changes
  • signature processing
  • document packaging
  • document sealing
  • document validation

Regardless of the level of criticality, changes are always tested, reviewed and approved by at least two reviewers before they are authorized to be released into our production environments.

Every change to a business process has the potential to change the risk profile. When significant changes are made, the risk assessment is updated to reflect the new risk profile. Further, the risk assessment is reviewed and approved by management at least once a year.

 

Business Continuity and disaster recovery


The disaster recovery plan is a direct consequence of the vulnerabilities and worst-case scenarios identified through the performed risk assessment. A formal disaster recovery plan has been determined to detail how operations are re-established in case of emergency. A chain of command is set to minimize the time from when disaster hits until the recovery process begins. The disaster recovery plan deals with two important subjects:

  • how to return to normal business operations;
  • how to keep customers updated about the incident and its consequences.

According to our plan, systems will be re-established in a predefined order based on criticality and customers will be kept up to date with the process and timeline estimates. The disaster recovery plan is tested at least once a year and is kept up to date to reflect the current risk profile of the business.

 

Supplier Management

To be able to deliver a secure high-quality service, Penneo has a formal policy in place to manage third-party service providers. Replaceable high-risk or high-impact service providers must be able to produce an annually updated ISAE 3402 assurance report or similar for risk management purposes. These assurance reports are reviewed and assessed annually in order to determine whether any changes or deviations in the third-party providers' controls can affect the risk profile of Penneo.

 

Data Protection

Logical security, employee access, isolated environment

Our logical security is built on the principle of least privilege, widely recognized as an essential design consideration in enhancing protection of data and functionality of the platform. Its implementation enables better system stability and improves system security. The principle of least privilege requires that every user, program or process must be able to access only the information and resources that are necessary for its legitimate purpose, meaning that a user account or process will have only those minimal privileges which are essential to perform its intended function while any other privileges are blocked. The principle also takes shape in the logical isolation of the various segments (production, development, customer support and other corporate departments).

Access to the Penneo production environment is provided on work-based needs. To achieve this:

  • a role-based access control model is used
  • access is logged
  • assignment of privileges is reviewed every six months
  • multi-factor authentication by at least two employees is always required to access the production environment and to perform operations such as firewall changes, assigning and revoking privileges, access to backups

Access to the virtual infrastructure is provided through an SSL-encrypted channel while access to the OS level is provided through SSH and its primary purpose is to support the software deployment process.

 

Data Confidentiality

Safeguarding customers' data and documents is a key focal point for Penneo. To protect the confidentiality of our clients and their business privacy, personal data is

  • never used outside the production environment for internal purposes;
  • only accessible for Penneo employees if access is explicitly granted by the data owner;
  • never shared with a third party through our systems unless initiated by the data owner.

Data is protected in accordance with local, national, and international statutes and regulations.

The access level security is configurable by the individual customers, but Penneo always advises customers to use the strictest settings applicable for the customer use case. In the strictest case all access to customer data is restricted using multi-factor authentication and data is always transmitted relying on end-to-end encrypted channels.

 

Encryption: NIST standards, AES 256, key hierarchy

Sensitive data and Personally Identifiable Information (PII) are encrypted following the cryptographic standards defined by the National Institute of Standards and Technology (NIST). Penneo only uses encryption algorithms that are FIPS-approved and NIST-recommended. In particular, our security system follows the Advanced Encryption Standard (AES), a specification for the encryption of electronic data established by NIST: originally adopted by the U.S. federal government, AES encryption has become the industry standard for data security and is used worldwide. To be more specific, Penneo's encryption system is built on AES 256, which provides the strongest level of encryption: the result is a tremendously sophisticated form of encryption that is virtually impenetrable using brute-force methods.

AES brings additional security because it uses a key expansion process in which the initial key is used to come up with a series of new keys called round keys; these round keys are generated over multiple rounds of modification, each of which makes it harder to break the encryption. As for storing the encryption keys themselves, what is most likely the best way to do so securely is using a key hierarchy, i.e. organizing encryption keys so that a master key is used to encrypt other keys that are in turn used to encrypt the actual data you want to protect. A key hierarchy provides a powerful pattern for storing an application's cryptographic keys and allows you to use different keys for different data while focusing your protection efforts on the master key.

An important aspect of a key hierarchy is that the master key can decrypt all the other keys, and therefore (indirectly) all of the data. To protect a master key while keeping it accessible and available when needed, Penneo uses the AWS CloudHSM service that stores the encryption keys in an HSM (Hardware Security Module), purpose-built hardware designed to protect sensitive data. The HSM provides physical and logical protection for cryptographic key material and meets some of the most stringent security standards, offering a high level of security for the key and the data it encrypts.
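
The key hierarchy pattern described above, as an added example that is not Penneo's implementation: a master key wraps a fresh AES-256 data key per document, and rotating the master key re-wraps the data keys without touching document ciphertext. It assumes Node.js and keeps the master key in process memory as a stand-in for an HSM; the function names, record layout and use of AES-256-GCM with the document id as associated data are choices made for this example.

```javascript
// Added example: two-level key hierarchy (master key -> data key -> document).
// Assumption: the master key lives in memory here; in production it stays in an HSM.
const nodeCrypto = require("node:crypto");

// AES-256-GCM encrypt. Output layout: 12-byte IV | 16-byte tag | ciphertext.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// AES-256-GCM decrypt; final() throws if key, data or associated data do not match.
function open(key, blob, aad) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Encrypt one document under its own data key, then wrap that key with the master key.
// The document id is bound as associated data so a wrapped key cannot be moved
// to another record unnoticed.
function encryptDocument(masterKey, docId, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32);
  const aad = Buffer.from(docId);
  const record = {
    docId,
    wrappedKey: seal(masterKey, dataKey, aad),
    ciphertext: seal(dataKey, Buffer.from(plaintext), aad),
  };
  dataKey.fill(0); // drop the plaintext data key as soon as it is wrapped
  return record;
}

function decryptDocument(masterKey, record) {
  const aad = Buffer.from(record.docId);
  const dataKey = open(masterKey, record.wrappedKey, aad);
  try {
    return open(dataKey, record.ciphertext, aad).toString();
  } finally {
    dataKey.fill(0);
  }
}

// Rotation re-wraps only the small data key; the document ciphertext is unchanged.
function rotateMasterKey(oldKey, newKey, record) {
  const aad = Buffer.from(record.docId);
  const dataKey = open(oldKey, record.wrappedKey, aad);
  const rotated = { ...record, wrappedKey: seal(newKey, dataKey, aad) };
  dataKey.fill(0);
  return rotated;
}
```

Because only the wrapped keys change on rotation, the cost of replacing a master key is independent of how much document data is stored.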

 

Automated and encrypted backups of our databases

All data stored in the Penneo production environment is mirrored between three data centers in two physical locations and stored on multiple devices in each data center.

At Penneo, we define two classes of data that are treated differently when it comes to backup strategies. These categories can be described as follows:

  • Customer data (documents): the document storage solution utilized by Penneo mirrors data in six different physical facilities. The solution performs regular, systematic data integrity checks and is built to automatically "self-heal" if data is lost in four storage facilities. Every document is versioned and every change can be rolled back.
  • System data: it's backed up daily with support for point-in-time recovery; the retention period for these backups is 30 days.

A backup restore test is performed at least once a year and kept up to date to reflect the current risk profile of the business.

 

Disposal and data deletion policy


We have implemented a deletion policy for all customer data. The policy states that even though data is deleted through the customer facing interfaces, it will only be flagged for deletion in the production environment, i.e. not hard deleted. Hard deletion of a document (including all revisions) can only be performed by at least two employees working together. Data flagged for deletion will be hard deleted within 60 days of being flagged.

 

Customers' responsibility

The customer is responsible for assessing any sensitive data and activating the built-in system functionality before sending documents for signing. Penneo provides its clients with configurable security features, but always recommends using the strictest settings applicable for the customer use case to ensure greater protection.

Even the strongest cryptographic systems are vulnerable if a hacker gains access to the key itself. That's why utilizing strong passwords, multifactor authentication, firewalls, and antivirus software is critical to the larger security picture. Properly trained users are the first line of defense against online threats.

Best practices to protect your business from online security threats

At Penneo, we consider security as a collaborative effort and we count on your help to maintain the safety of our services and protect your environments.

DO

  • Keep your network and devices updated: make sure to patch and update your systems and applications whenever an update becomes available, and use the newest web browser and up-to-date antivirus software
  • Log in with your e-ID; as a second option, use two-factor authentication, which gives you an extra layer of protection; finally, as a last resort, log in with username and password. The same precautions are recommended for using the API
  • Use a strong, tough-to-crack password: choose a combination of alphanumeric characters using upper and lower cases and symbols to make your password harder to guess, the longer the better
  • Keep your passwords and other login details confidential so that your sensitive information stays securely stored
  • Double check the sender of the emails you receive: verify the legitimacy of the sender before you open any links or download any content. Penneo emails are always digitally signed and this makes it easier to unmask false senders; the same applies to our documents that contain seals to confirm their authenticity
  • Encrypt sensitive documents: protect the confidentiality of your data while creating a document for signature by checking the box of "The case file contains sensitive information", so that the recipient must use their e-ID to open the link with the document
  • Always report any suspicious activities. Let us know when you think something looks fishy so we can improve our measures to prevent it
  • Do acknowledge that just having a presence online means that you are a potential target of cybercrime
  • Do implement awareness for compliance to improve the security profile of your enterprise

DON'T

  • Don't use outdated technology that is more susceptible to spyware, viruses, hacking and hardware failures which have adverse impacts on the flexibility of IT
  • Do not use username and password to log in except as a last resort; if you have to use a password:
    • don't use the same password for every account
    • don't share your password
    • don't store your password in an unsecured location (anywhere someone else has access to it)
    • don't enter your password on an unsecured network
  • Don't get tricked by dodgy emails: if you receive unwanted/unexpected and dubious looking emails, don't open links and don't download attachments. Look for obvious errors or additional letters within the domain. Don't respond to emails asking for confidential information or secure content; if you think the request is legitimate, reach out to our Support team to get confirmation.
  • Don't trust emails that are not digitally signed by Penneo, nor documents that do not contain our seal
  • Don't click on pop-up ads or download any form of online content from unknown or suspicious websites
  • Don't believe that cybersecurity is not your problem or that there is nothing you can do about it

 

We all play a part in building the security framework.

You can mitigate the threats by following these guidelines designed to empower your business and keep it as safe as possible. These recommendations will greatly improve your company's protection while increasing cybersecurity throughout your entire organization. Understanding what security threats are the most common and how to detect them is the primary step towards IT protection.

If you think you've come into contact with an issue with privacy, a potential security incident, spam, Penneo-themed fraudulent emails and websites or account misuse and/or abuse, or other security incidents and events, please do not hesitate to contact us.
