Frends Security Description

1. Background and Purpose

Frends is committed to providing a highly secure and reliable integration, automation and API Management service.

This includes maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed.

To achieve this, Frends uses proven and tested technologies, practices and procedures, as defined in this “Frends Security Description” document. Frends reserves the right to update this document and the information provided herein from time to time at its sole discretion. Frends shall inform the Customer of any such updates without undue delay.

2. Compliance

2.1. Hosting Environment and Physical Security

Frends is hosted on a public cloud infrastructure from Microsoft Azure. Microsoft Azure maintains high standards of security for their data centers. Customers can read more about Microsoft Azure at: https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security.

Frends supports hosting in various Azure Cloud Regions, at the Customer’s option.

2.2. Network Security

The Frends Platform is accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Frends follows current security best practices, including the use of strong encryption algorithms with key lengths of at least 128 bits.

Frends also uses secure protocols for communication with third-party systems: usually HTTPS, but other protocols such as SFTP and FTPS are also supported.

For on-premises systems, access requires the installation of an on-premises agent behind the firewall, which communicates with the central Frends public cloud over an encrypted link using TLS 1.2.

Frends uses a multi-tier architecture that segregates internal application systems from the public Internet.

Both internal and external network traffic uses secure, encrypted protocols. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is recorded in a centralized, secure logging system.

2.3. Authentication

Customers log in to the Frends Platform using a password that is known only to them. Password length, complexity and expiration standards are enforced.

Frends supports automatic session logout after a predefined period of time. The timeout is set to 168 hours.

Frends supports SSO with Azure Active Directory (Office 365) https://docs.frends.com/en/articles/4791334-connect-to-frends-using-your-own-azure-ad-office-365. This allows an enterprise to manage access to the Frends Platform as well as other enterprise applications and apply custom authentication schemes and policies. Frends' best practice recommendation is for all Customers to utilize SSO for authentication.

2.4. Application Development and Testing

Frends has a comprehensive software development lifecycle process that incorporates security and privacy considerations. Design and code reviews, as well as unit and integration testing, are part of the process.

Development staff receive regular training on Secure Coding Practices, including avoidance of the OWASP Top Ten Web application vulnerabilities.

2.5. Vulnerability and Penetration Testing

Frends conducts regular internal vulnerability testing and also engages a qualified third party to conduct regular platform-level vulnerability and penetration tests. This third-party vulnerability and penetration test is conducted at least once every calendar year. The current vulnerability and penetration testing partner is Nixu Corporation (https://nixu.com).

The results are analyzed and vulnerabilities are addressed based on risk and severity.

2.6. Data Retention and At-Rest Encryption

All information on the Frends Platform is encrypted at rest and in transit. All data stored in the Frends Platform is encrypted at rest using strong encryption algorithms such as AES-256.

All data is encrypted with multiple keys managed by the Microsoft Azure Key Vault service. More information about Azure Key Vault and Microsoft's best practices regarding key management can be found at https://learn.microsoft.com/en-us/azure/key-vault/general/basic-concepts.

Frends stores monitoring data of all integration executions for a limited time, in order to provide visibility into integration activity and to facilitate testing and debugging. The maximum retention period varies (but is no longer than 60 days) and is configurable on the Frends Platform.

If configured by the Customer, zero retention can be selected on a per-integration basis, in which case data will be held only temporarily in memory during processing. Frends provides the capability for the Customer to download all of the monitoring data through HTTPS endpoints for long-term storage by the Customer.

2.7. Data Masking

Frends provides the ability to mask sensitive data for additional security. The input and output of a masked integration task are not shown in the Process Instance view within the Frends UI and are not stored within the Frends Platform; data from those steps is held only transiently in memory.

2.8. High Availability

Frends is built to be highly available and resilient to service disruptions. Technical measures used to ensure high availability include running Frends services in redundant clusters, utilizing redundant cloud Availability Zones according to Azure best practices, and continuous backups of all of the databases associated with the Frends Platform.

Current system status and service disruptions in the past are available at https://status.frendsapp.com.

Frends has implemented a business continuity and disaster recovery program. This program includes measures to ensure the high availability of Frends' IT assets, as well as contingency planning for natural disasters and other possible disruptions.

2.9. Frends’ Organization

Employment at Frends requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy. Frends applies the principle of least privilege for access to all services. All access and authorization rights are reviewed regularly. Access or authorization rights will be withdrawn or modified, as appropriate, promptly upon termination or change of role for an employee.

Frends maintains an information security training program that is mandatory for all employees.

2.10. Vulnerability Disclosure

Frends welcomes reports of vulnerabilities or other security issues. Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status.

Reports can be submitted to support@frends.com.