Security at gtechna
Information Security
At gtechna, security is an absolute priority. We not only meet industry standards for business, but aim to improve and exceed them whenever possible with each product to provide our customers—and their users—the comfort of working with a partner that takes security seriously.
As such, we ensure that every employee understands and adheres to the security standards that both the industry and our business are held to, and we use some of the best available tools to help ensure and enforce compliance internally.
Although we believe that maintaining security is everyone’s responsibility, our program is led by our Information Security Specialist.
SOC2 Compliance
As a highly security-focused business, we adhere to and often exceed many industry standards, including compliance—which is why we are certified SOC2 Type I and SOC2 Type II compliant. To access our SOC2 compliance report, click here.
PCI Compliance
Our payment processors are 100% PCI Compliant, ensuring that users’ card data is handled with the utmost care and security. Our payment gateway features:
- Point-to-point Encryption
- Tokenization (to avoid storing cardholder data)
- Multiple layers of security, including:
  - Credit card vault
  - Firewalls
  - SSL
  - Security and vulnerability scans
  - And more!
Our payment processor, Card Connect, is a certified Level 1 Service Provider. gtechna never has access to raw payment details.
To access our certification report, click here.
Internal Security
Identity Verification, Authentication, and Access Management
To ensure maximum security at the user level, we deploy the following measures:
Identify and Authenticate Users
- Use Multi-factor Authentication to reduce the risk of credential compromise
- Enforce strong password policies:
  - Mandatory password minimum length
  - Minimum inclusion of special characters
  - Password history: set how often an old password can be reused
  - 30-60 day password duration
Assign user access rights
- Provide role-based Access Control
Create and Enforce Resource Access Policies
- Unique resource policies must be associated with every resource in the system
Hardware Security
All of our employee computers are fully managed and monitored, protected by CrowdStrike Falcon endpoint detection and response software. Our IT team's mission is to continually improve, which means it practices ongoing assessments in the rapidly evolving security space. With this top of mind, going forward, all new-issue hard drives will use BitLocker encryption.
Physical Security
Our office is secured by key fob access doors to appropriately restrict access to the premises. All exterior entrances and exits are actively observed and captured with a closed-circuit (CCTV) camera system, and the office is additionally monitored and protected by a comprehensive alarm system.
Multi-layer Network Security Protocols
Firewalls are deployed at different levels to secure access to private networks and resources, including between:
- Internet and application server
- Application server and database server
- Application server and file server
- File server and other auxiliary systems (e.g. backup servers)
Firewall security features:
- Mitigation of DDoS attacks
- IP whitelisting to limit network access by IP
In addition, inbound and outbound ports are kept to a bare minimum to reduce risk.
Monitoring - Vulnerability Scans
- Basic notifications for security logs and system messages
- Customized vulnerability scans with notifications
- Third-party PCI certification security testing for monetary transactions
- Routine monitoring by security agents
- Routine penetration testing on cloud infrastructure and third-party components
Security Education
To ensure each and every team member understands and participates in their ongoing role with regard to security, we provide ongoing security and cybersecurity training throughout the year. Each new employee who is brought on board is required to attend an introductory Security training session within the first month of joining our team, to help them learn how to identify potential threats and how to respond accordingly.
Customer Data and Privacy
Like our approach to security, we take customer data and privacy seriously and handle them both with the utmost care. As such, we hold strong and comprehensive Data Protection Addenda (DPAs) with our data management partners to ensure our customers’ data is properly protected.
Click here to access the DPA for Microsoft Dynamics.
Click here to access the DPA for HubSpot.
gtechna is primarily hosted on AWS, which gives us the important benefits AWS provides to its customers, including physical security, redundancy, scalability, and key management.
In addition to the benefits provided by AWS, our software has additional built-in security features, including:
- Two-factor authentication
- SSO
- Role-based permissions
- SSL certificate
- Backups and versioning
- Customer data and privacy protection
- Servers run only the minimal set of applications and third-party software
- OS and applications are continually updated with the latest security patches and service packs
- Web applications are compliant with security standards that adhere to OWASP suggested security practices concerning:
  - SQL Injection
  - Cross-site Scripting (XSS)
  - Cross-site Request Forgery (CSRF)
Application and Platform Security
Data Encryption
- Industry-standard AES-256 Data Encryption applied to the underlying storage for operational data, automated backups, and read replicas
- SSL/TLS encryption used for data in transit between applications and database instances
- All access to applications is encrypted and secured with HTTPS using TLS 1.2
- HTTPS is served on port 443 at a load balancer and then forwarded internally to the application server
Infrastructure and Servers
- High performance, with the latest service packs and security patches applied and controlled by updated system checkers
- Host configuration hardened against vulnerabilities, e.g. deploying hardened operating systems, running a set of minimal services based on secure build images
- Passwords for each account are governed by strict security and password policies
Back-Ups & Archive
- Servers and databases backed up daily
- Backups moved to another secure data center to ensure safety
- Backups encrypted using industry-standard AES encryption
- Backups available on request
- Services are redundant with high availability
- In the event of disaster recovery, or any other case where a backup is required, procedures are in place to restore service within minimal time
Access to Data
Access to customer data is limited to those whose roles require it to perform their job duties, such as the support and development teams.
Data Retention and Deletion
At all times during the term of a customer’s contract of service, the customer has the ability to access, extract, and delete their customer data stored within the bounds of our servers as they see fit. gtechna will otherwise retain customer data that remains stored on its servers for 90 days after expiration or termination of a contract so that customers may still extract any necessary data. After the 90-day retention period ends, gtechna will disable the customer’s account and delete all customer and personal data stored on its servers within an additional 90 days, unless authorized through an appropriate DPA to retain such data. Once an account is deleted, all associated data are removed from the system irreversibly.
For any personal data in connection with those related to gtechna services, gtechna will delete all copies after the business purposes for which that data was collected have been fulfilled or earlier upon the customer’s request, unless authorized through an appropriate DPA to retain such data.
gtechna’s services may not support the retention or extraction of software provided by the customer. gtechna has no liability for the deletion of customer data, services data, or personal data as denoted in this section.
Third-Party Subprocessors
gtechna may hire subprocessors to provide application support and/or limited or ancillary services on its behalf. When committing to an engagement with gtechna, the User’s consent also applies to subprocessors, who are held to the same standards as gtechna with regard to data privacy and security. As such, gtechna is responsible for its subprocessors’ compliance with gtechna’s obligations under this DPA.
When engaging any subprocessor, gtechna will secure a written contract that details the access and use of Customer Data, Professional Services Data, or Personal Data in accordance with the gtechna services they have been retained to provide, and that otherwise prohibits the subprocessor from using said data for any other purpose. gtechna agrees to oversee Subprocessors to ensure these contractual obligations are met. Should a Customer have any concerns about a potential or current Subprocessor, they are encouraged to reach out to our team to express their concerns so a mutually agreeable resolution can be reached.
Penetration Testing
To routinely ensure security, gtechna conducts third-party penetration testing at least annually, and often more frequently, and restricts access to penetration testing reports to authorized parties. In addition, we use scanning tools to monitor for and detect vulnerabilities. It is against gtechna’s Terms of Service to probe, scan, or test the vulnerability of provided services or of any system or network connected to those services.
Third-Party Risk Assessment
At gtechna, we know how important the third-party vendor risk assessment process is to providing security services that meet our standards on cybersecurity, IT, privacy, data security, and business resiliency. With that in mind, our partners routinely undergo testing, questionnaires, and certification processes to ensure that those standards are upheld and unified, so our customers and their end-users get the privacy and protection they deserve.
Responsible Disclosure
If you believe you have discovered a vulnerability within gtechna’s applications, believe your account has been compromised, or are seeing suspicious activity, please submit a report to us. gtechna does not participate in bug bounty programs, nor does it provide monetary rewards for findings.
Meet your authority on everything security, Emilio Laloshi
With a comprehensive background in hacking prevention and developing security measures, Emilio will help bring up-to-date security to your organization.