Where are the application and the data hosted?
Users can choose where their Meisterplan system should be hosted. Available data centers are located in Oregon (USA) and in Frankfurt/Main (Germany).
Is the hosting provider certified for information security?
Yes, the hosting provider AWS holds various information security certifications, including ISO/IEC 27001, and offers Service Organization Control (SOC) reports of types 1, 2 and 3.
Details about AWS compliance and information security certificates can be found on their compliance page.
Is there any disaster recovery plan?
- For the production servers, we have identical fallback systems running.
- There is a live database replication active, so in case of hardware failures we can switch to the replicated system.
- In case of a failure of the complete data center, we are able to switch to another hosting provider using the database backups.
Are the services and the network monitored?
We are monitoring the following services:
- Network HTTPS availability and uptime monitoring from different locations (USA, UK, DE)
- Application services (proxy server, application server, database)
- Hardware resources (disk space, memory, network traffic, etc.)
- Log files
How do you back up the data, and for how long do you keep the backups?
- Database backups are created hourly. This includes trial account databases.
- The backups for customers from the USA and Canada are stored on servers in Oregon, USA. The backups for all other customers are stored in Frankfurt/Main in Germany.
- We keep the database backups for 100 days.
Are the connections to the servers secured?
Yes. Non-secured connections are not allowed.
- The clients are connected via https (TLS).
- For administration and deployments, we are using Ansible scripts. These scripts are deployed via a secured SSH connection.
- Web services (REST, SOAP) can only be accessed via https (TLS).
- The reporting database is connected from Tableau Online, ODBC, etc. via a secured connection (SSL).
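The policy above (TLS only, no fallback to plain connections) is easy to state but easy to undermine on the client side, for example by an integration script that silently accepts an http:// URL or disables certificate checks. The following Python snippet is an added example, not Meisterplan or itdesign code: it shows how a customer-side script calling the REST web services can refuse non-TLS URLs outright and build a verifying TLS client context with a TLS 1.2 floor. The URLs, the TLS version floor and the timeout are assumptions made for the example, not settings published by the vendor.

```python
"""Client-side TLS hardening for calling an HTTPS-only service.

Added example, not Meisterplan/itdesign code. It assumes a customer-side
integration script that calls the REST web services and must never fall
back to plain HTTP; the policy values below (TLS 1.2 floor, 10 s timeout)
are choices made here for the example, not settings the vendor publishes.
"""
import http.client
import ssl
from urllib.parse import urlparse


class InsecureConnectionError(ValueError):
    """Raised when a request would leave TLS (plain http:// URL or no host)."""


def require_https(url: str) -> str:
    """Accept only https:// URLs; refuse http:// instead of upgrading silently.

    Silently rewriting http:// to https:// hides configuration mistakes;
    failing loudly makes an accidental plaintext endpoint visible in CI
    and in logs.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise InsecureConnectionError(f"refusing non-TLS URL: {url!r}")
    return url


def make_client_context() -> ssl.SSLContext:
    """Build a verifying TLS client context with a TLS 1.2 minimum.

    create_default_context() already enables certificate verification and
    hostname checking against the system trust store; the minimum version
    is pinned here explicitly so an outdated server cannot negotiate
    TLS 1.0 or 1.1.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Self-check run before any request is sent: verification on, TLS >= 1.2."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def open_connection(url: str, timeout: float = 10.0) -> http.client.HTTPSConnection:
    """Prepare an HTTPS connection object using the hardened context.

    No packets are sent until a request method is called, so this is safe
    to construct offline; the connection will fail if the server presents
    an untrusted certificate or only offers TLS < 1.2.
    """
    target = urlparse(require_https(url))
    return http.client.HTTPSConnection(
        target.hostname, target.port or 443,
        context=make_client_context(), timeout=timeout,
    )


if __name__ == "__main__":
    # Constructed URLs for demonstration only; no request is sent here.
    print(require_https("https://example.invalid/api"))
    try:
        require_https("http://example.invalid/api")
    except InsecureConnectionError as exc:
        print("rejected:", exc)
    print("context hardened:", context_is_hardened(make_client_context()))
```

Running the script without network access still exercises the two checks: the http:// URL is rejected before any socket is opened, and the context self-check confirms that certificate verification, hostname checking and the TLS 1.2 floor are all in force.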
What physical security measures are installed at locations where Meisterplan customer data will be retained, processed and backed up?
For the security measures in place at data centers operated by Amazon Web Services, see https://aws.amazon.com/compliance/. At itdesign, we employ the physical security measures outlined in Meisterplan's Security Policy, figure 9 (https://meisterplan.com/security-policy/).
What measures are in place to mitigate and limit the impact of D(D)oS attacks on Meisterplan infrastructure?
Meisterplan infrastructure is protected by AWS Shield technology against common infrastructure (layer 3 and 4) attacks including SYN/UDP Floods and Reflection attacks to ensure high availability of the Meisterplan service.
How do you limit access to customer data and the service itself to only authorized, authenticated individuals?
Only our operations team at itdesign has access to security-critical systems. Our servers can only be accessed via secure SSH keys. System deployments are fully automated and logged. All manually performed maintenance work is also logged.
How are you logging and monitoring potential unauthorized activity?
Our logs are stored at a separate location with its own authentication mechanism. We monitor these logs continuously.
When do you delete Meisterplan data?
Meisterplan data will be deleted upon request or when the contract is terminated.
How do you dispose of storage media when it reaches its end of life?
We erase end-of-life storage media in accordance with the applicable legal requirements.
What are your processes for incident management, disaster recovery, system monitoring etc.?
Processes for change management, incident management, vulnerability management, disaster recovery, network and system monitoring are in place.
Under which circumstances are customer environments accessed by your employees? How is this access logged?
Customer environments are only accessed for automated processes such as backups and deployments, and for other maintenance work (changing the infrastructure, etc.). Access is logged by the deployment and maintenance tools.