Security

Your data is safe!

Crossuite aims to help its clients work smarter, and we can only do this if our software is a safe and reliable place for your data. That is why safety and security are an absolute top priority for us. This page describes the most important measures in place to guarantee the safety and availability of your data.

1. Availability

Is Crossuite always available?

Crossuite has an annual uptime or availability of 99.7%, and we monitor that uptime continuously for both our tool and our website. In the event of downtime or an emergency, our team receives notifications in real-time so that we can react rapidly.

What if certain functions do not work or do not work properly?

If a technical breakdown occurs, we will keep you updated continuously via our status page and through notifications in the Crossuite application. We do everything possible to keep you informed of the status of the issue and to solve it as soon as possible.

2. Security measures

Information security and privacy policy

Our information security and privacy policy complies with the GDPR and any guidelines issued by the authorities, and it is in line with the ISO 27001 and NEN 7510 standards for information security. This policy is communicated internally and implemented in concrete terms by means of documented procedures.

Certification

An information security management system (ISMS) is in place, which was created and instituted in accordance with the ISO 27001 and NEN 7510 standards for information security. The system has been certified by an independent auditor, Dekra.

Staff

Staff are informed of their responsibilities with respect to privacy and information security, and we monitor their fulfilment of those responsibilities. Staff who have access to client/patient data are bound by confidentiality.

Contract management for (Sub-)Processors

A data processing agreement is concluded with every permitted (Sub-)Processor, which contractually obliges the (Sub-)Processor to comply with the same obligations for the Processing as those contained in the data processing agreement.

Security incidents & response

A documented security incident response plan is in place that is capable of detecting, remedying and reporting data breaches, in accordance with the obligations contained in the data processing agreement.

Encryption of data in transit

All online traffic to Crossuite runs over an SSL-encrypted connection (Secure Sockets Layer, i.e. TLS, the protocol that protects information and personal data in transit), and we only accept traffic on port 443.

When you first visit our website, Crossuite sends a Strict-Transport-Security (HSTS) header to your browser, which means your connection will henceforth be secured via HTTPS, the safest internet protocol, even if you open our website from an unencrypted link, i.e. one that starts with 'http://'.
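As an added illustration of the HSTS behaviour described above (this is not Crossuite's code), the following Python models the browser side: it parses the Strict-Transport-Security header, records the policy only when it arrived over HTTPS, and rewrites later http:// links to https:// for as long as the policy is unexpired. Host names and header values used with it are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value; None if max-age is missing/bad."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None


def remember_hsts(store, response_url, header_value, now=None):
    """Record the host as HSTS-protected. RFC 6797: ignore the header unless it
    arrived over HTTPS, so a plain-HTTP attacker cannot plant or clear a policy."""
    parts = urlsplit(response_url)
    if parts.scheme != "https":
        return False
    policy = parse_hsts(header_value)
    if policy is None:
        return False
    now = time.time() if now is None else now
    if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
        store.pop(parts.hostname, None)
        return True
    store[parts.hostname] = {"expires": now + policy["max_age"],
                             "include_subdomains": policy["include_subdomains"]}
    return True


def upgrade_url(store, url, now=None):
    """Rewrite http:// to https:// when an unexpired policy covers the host."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    now = time.time() if now is None else now
    host = parts.hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):  # exact host first, then parent domains
        entry = store.get(".".join(labels[i:]))
        if entry and entry["expires"] > now and (i == 0 or entry["include_subdomains"]):
            return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))
    return url
```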

Patch management/Network and system security

We periodically assess whether there are vulnerabilities within the applications, systems and networks we use. Patches and updates for discovered vulnerabilities are installed.

Crossuite uses Amazon Web Services (AWS) for storing data. These servers are subjected to periodic evaluations so that they comply with the latest standards. Because we use AWS as our data centre, our infrastructure is accredited for:

• ISO 27001
• SOC 1 and SOC 2/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
• PCI Level 1
• C5 Operational Security
• ENS High
• IT-Grundschutz

Further information on the security of AWS is available at this link.

Password policy and storage

In order to create a Crossuite account you must choose a password containing at least 6 characters. We do not store user passwords in plain text; we store only salted password hashes generated with bcrypt, which cannot be reversed. This protects users against rainbow-table attacks and against attempts to recover a password from its stored hash.

If a user enters an incorrect password multiple times (more than five times), the account is locked in order to prevent brute-force attacks (a method for cracking passwords using many attempts). The user can then only log in again by requesting a new password.
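An added Python example, not Crossuite's own code, of the policy just described: minimum length, a salted slow hash that is never reversible, lockout after more than five failed attempts, and recovery only through a password reset. It substitutes hashlib.scrypt for bcrypt because scrypt ships with Python's standard library; the storage and verification flow are the same.

```python
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 6   # minimum stated on this page
MAX_FAILED_ATTEMPTS = 5   # more than five wrong attempts locks the account
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # work factor, like bcrypt's cost

def password_meets_policy(password):
    return len(password) >= MIN_PASSWORD_LENGTH

def hash_password(password):
    """Salted slow hash. The page uses bcrypt; scrypt stands in (stdlib). A fresh
    random salt per user means equal passwords hash differently (no rainbow tables)."""
    if not password_meets_policy(password):
        raise ValueError("password must be at least %d characters" % MIN_PASSWORD_LENGTH)
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, candidate):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare

class Account:
    def __init__(self, password):
        self.password_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False

    def login(self, candidate):
        """'ok', 'wrong' or 'locked'; the lock is checked before hashing so a locked account cannot be probed."""
        if self.locked:
            return "locked"
        if verify_password(self.password_hash, candidate):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts > MAX_FAILED_ATTEMPTS:
            self.locked = True
            return "locked"
        return "wrong"

    def reset_password(self, new_password):
        """The page's recovery path: only a password reset unlocks the account."""
        self.password_hash = hash_password(new_password)
        self.failed_attempts = 0
        self.locked = False
```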

To further secure your account we also offer Two-Factor Authentication (an additional layer of protection that only the user can complete) by email, Google Authenticator or SMS.

Our team uses strong and unique passwords for Crossuite accounts and uses Two-Factor Authentication for every device and service. We also encourage all our staff to use password managers such as LastPass for generating strong passwords and storing them in a safe location.

We also encrypt local hard drives, and screen savers are triggered automatically.

Access management

Our application's admin functions can only be accessed by a select group.

User access is revoked or changed in good time in the event of any changes to the status of staff, suppliers, clients, business partners or third parties.

Physical access control

Suitable measures are in place (such as locks and alarm systems) to secure the rooms where Personal Data is Processed against unauthorised access.

Logging

Logging is used to see which users are logged in and when, in order to check what processing of Personal Data is performed by which user.

Application development – security principles

In order to comply with all safety standards, we employ strict code reviews for every change or addition to our application.

Vulnerability disclosure

Ever since Crossuite was launched we have actively encouraged users to quickly report any issues in our application and help us to guarantee the safety and reliability of our platform. We deal with and respond to all notifications as quickly as possible.