Information Storage
Athento stores data in data centers across Europe (third-party datacenters). There is also an option to use the data center in Canada. All our European and Mid-East Asia clients are located in European data centers. Our US and Latin American customers may choose to be hosted in Europe or Canada.
Athento’s data center provider follows strict security measures and protects against environmental elements.
Document and Database Storage
Documents and database information are stored on the filesystem of the servers. The document repository can be encrypted at the client's request.
Data Transfers with United States and UK
The documents of Athento Cloud clients, as well as the information on their documents (metadata), do not undergo any transfer to the mentioned countries. The data is stored on servers in France and/or Canada.
IMPORTANT: There will be data transfer to the United States or UK if a user is located in those countries and uses Athento.
The customer is responsible for having a Security Policy that controls what a user can or cannot do if the user is located in those countries and needs to access documents or information in Athento.
Identification and authentication
User identification and platform access control
The platform has a login system that requires a valid username and password. Each user is identified unequivocally.
By default, the user authenticates to the platform by entering a username and password on the login page. This information is compared to that stored in the database or transmitted by the configured identity provider. If the username or password is invalid, a message is sent to the user.
Athento ECM uses authentication mechanisms based on JAAS (Java Authentication and Authorization Service) in a general way. Any request made to the platform must be authenticated, although public access channels may be offered for publication of anonymous documents or services.
Passwords managed in the system are encrypted when user management is done internally on the system. Alternatively, password management is delegated to the user directory that supplies user or group information (for example, LDAP or Active Directory), with all the security features those directories include.
In addition, Athento ECM has the following possibilities for users and groups security management:
- Integration with user directory systems such as LDAP and Microsoft Active Directory
- Complete management of users and groups, both from the user directory and from Athento’s own user/group directory. One or more user and/or group directories can be configured.
- SSO Authentication and SAML2 authentication (compatible with cloud authentication systems such as LastPass)
- Possibility of integration with OAuth
The system supports integration with SSO, so that users can move between corporate applications without having to log in to the document manager. This integration also allows application permissions to be transferred to the groups created in the document manager.
The system is flexible enough to allow changing the authentication method that comes by default with the application. The methods the system offers for this are CAS (Central Authentication Service, with LDAP and Active Directory), Portal Authentication, and Token Authentication.
Passwords
The platform uses user directories to control user authentication and passwords. By default, these are managed in an SQLBackend (database) where passwords are hashed with SHA-256, the default algorithm (which can be changed in the declarative configuration).
The user and the password must be kept confidential by the users of the platform. Users and Athento staff are responsible for protecting this information to prevent unauthorized access to the platform. Athento sends passwords by automatic methods that allow the passwords to be sent individually to the users.
If users forget their access data, Athento provides safe and reasonable methods for retrieving it; the user is responsible for providing information for identification. In particular, Athento provides a form for password recovery via email. The user must enter their email or username in the form to request the automatic generation of a new password, which is sent via email.
Usernames and passwords can be assigned by several means:
- The client company provides usernames (emails or internal user codes in accordance with its identification policy) and initial passwords are assigned through an automatic process that generates random passwords for users. The access data is communicated to each user individually and directly via email.
- Admin users can create users from the administration center. Using a form, administrators enter the username and an email. The platform sends a link for users to activate their account and set the password they want to use to access the system. The following video shows how this mechanism works: https://vimeo.com/178399498
Password Changes
The password change is done individually and automatically. From the user profile, the user can change their password.
You can also change it by clicking on "Forgot password". In this case, the user will receive an email with a link to change their password.
Password duration
By default and unless otherwise noted, passwords expire 12 months after they are introduced.
If a user tries to log in with an expired password, the system redirects them to the password change page.
Complexity of passwords
The password must meet at least the following characteristics:
- Length: Minimum 8 characters
- Characters to include: minimum two numeric digits, minimum one special character and at least two uppercase letters
Passwords already used
By default, a user password cannot be reused until at least 720 days have passed.
The system will inform the user of this circumstance.
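The complexity, expiry and reuse rules above can be expressed as a small policy check. This is an added example, not Athento's code: the function names, the PBKDF2-HMAC-SHA256 history format, the definition of "special character" and the reading of 12 months as 365 days are all assumptions.

```python
import hashlib
import hmac
import os
from datetime import timedelta

# Thresholds taken from the policy text above.
MIN_LENGTH, MIN_DIGITS, MIN_UPPER, MIN_SPECIAL = 8, 2, 2, 1
REUSE_WINDOW = timedelta(days=720)
MAX_AGE = timedelta(days=365)  # assumption: "12 months" treated as 365 days


def complexity_errors(password):
    """Return the names of the complexity rules the candidate violates."""
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    # Assumption: "special" means neither alphanumeric nor whitespace.
    special = sum(not c.isalnum() and not c.isspace() for c in password)
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("length")
    if digits < MIN_DIGITS:
        errors.append("digits")
    if upper < MIN_UPPER:
        errors.append("uppercase")
    if special < MIN_SPECIAL:
        errors.append("special")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record (hypothetical storage format)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused_within_window(password, history, now):
    """history: (salt, digest, set_at) tuples for the user's earlier passwords."""
    for salt, digest, set_at in history:
        if now - set_at >= REUSE_WINDOW:
            continue  # old enough to be used again
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def is_expired(set_at, now):
    """True when the current password must be changed before login continues."""
    return now - set_at >= MAX_AGE
```

Because only salted digests are kept, the reuse check has to re-derive the candidate under each stored salt; the history never needs to hold a previous password in recoverable form.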
Preventing unauthorized access
When a user enters an incorrect password more than 5 times in a row, the system prompts them to complete a captcha. This prevents bots and malicious software from attempting to access the application by entering random passwords.
Access Log
Athento allows you to generate reports detailing which user has accessed which document, as well as information about the creation or modification of documents. Reports can be filtered by date range or by user, so information about the operations each user performs is available at any moment.
The report stores the user ID, the date and time, the document that has been accessed, and so on.
It is also possible to list the user sessions in a given time range, to see who accessed the platform and which access attempts were denied.
Athento does not delete the previous audit trails.
Data Protection Issues
Record of Data Protection Incidents
Athento has a platform for recording the incidents of its customers.
Users can send their issues to the support mailbox or through the Support Center itself.
Our incident registration system stores information on the reported incident and supports the exchange of information needed for its prompt resolution.
Some of the information that is stored for each incident is:
- Type of incident
- Time and date in which the incident is reported
- User reporting incident
- Person to whom the resolution of the incident is assigned
In addition, the system allows detailed documentation of the incident characteristics, the measures taken to resolve it and, in general, any communication between Athento and the user reporting the incident. Other users can also be copied on the incident when they should be aware of the situation.
If the solution of the problem involves data recovery, our team documents which member of our team performs data recovery, which data is restored and if any manual intervention has been necessary.
Infrastructure security
Datacenter Security Measures
Placing a company's data in the cloud requires guarantees. At Athento, we use data centers to offer the best cloud environments with guarantees in terms of security, redundancy, safe access, safe environments and network security, among others, all required to ensure the safety of the client's documents.
The cloud server environments we use are built on ISO 27001-certified platforms. They have also been awarded the AFNOR standard for information security. The data is located in servers within the European Union, thus falling under the jurisdiction of EU law and in compliance with the Spanish Data Protection Act.
Our storage has the following security measures installed:
- Multiple replication
- Multiple file integrity checks
- Transfers are only carried out using a secure protocol
- Immediate fixing of failed resources in minutes
The cloud infrastructure that hosts Athento has a capacity for more than a million servers located in 11 data centers in 3 European locations. Only authorized employees can physically access the servers. The data centers are protected 24/7 by a security card control system, alongside video surveillance and on-site security staff. The facilities are equipped with the latest in fire detection and extinguishing systems. Furthermore, the data centers have a technical team that is constantly on site, ready to act as soon as a failure in any of the servers is identified.
Safe access: It is not possible to access Athento without a username and password previously registered on the system. It is the responsibility of the user to ensure the confidentiality of these access credentials. Athento also offers the option of controlling access to specific documents with the "Access Permission" option, which makes a document either accessible or inaccessible to groups, roles and users.
Daily backups: Athento's team carries out daily backups of the information on the Athento Cloud.
SSL access: This allows for data transmissions to be encrypted using SSL. SSL (Secure Socket Layer) is used to make the transmission of data via the Internet secure, as it encodes and protects the data transmitted using the HTTPS protocol. SSL provides website users with a guarantee that their data will not be fraudulently intercepted.
Compliance with personal data protection legislation: We comply with Spanish regulations regarding the Spanish Data Protection Law. Data Protection Law will soon be the same for the whole of Europe, making it compulsory for Athento to comply with this new legislation.
Online payment security: Online payments are done via PayPal, which complies with PCI DSS (Payment Card Industry Data Security Standard).
Compliance with SOX law (Sarbanes-Oxley): The provider of our cloud infrastructure has been awarded the following levels: SOC 1 Type I (SSAE 16 and ISAE 3402) and SOC 2 Type I.
ISO 27002 for service: The provider of our cloud infrastructure works in line with ISO 27002 and ISO 27005 standards for security management and risk assessment and related procedures.
ISO 27001 security certification: The supplier of our cloud infrastructure has been awarded ISO 27001:2005 certification for supplying and operating dedicated cloud infrastructures.
Technological Infrastructure: Our supplier deploys its own optic fiber network around the world. It uses state-of-the-art hardware and technology that is selected, installed and maintained by internal engineering teams.
Our provider's network enables impeccable quality of service, regardless of customer location, with a bandwidth capacity of 4.5 Tbps in Europe and 8000 Gbps in North America, as well as connections at 33 interconnection points across 3 continents. The company has built its network in a completely redundant way: several security measures have been put in place to eliminate any risk of failure. The redundancy of links also allows our clients' data to travel the shortest path and thus benefit from minimum latency.
Data center physical access controls: In our European data centers, all access to physical facilities is strictly controlled. To prevent intrusion, the facilities are fenced with barbed wire. Video surveillance systems and motion detection sensors are in continuous operation. Activity inside the data centers and outside the buildings is monitored and recorded on secure servers, and surveillance is maintained on site 24/7.
In order to control and supervise access to facilities, strict security procedures have been implemented. Each staff member has a personal RFID (Radio Frequency Identification) badge that restricts their access. Employee access rights are regularly reviewed. To access the facility, employees must present their badges for verification before passing through the security doors.
Measures against fire: Fire is another controlled risk. Each room in the data center is equipped with fire detectors and fire extinguishing systems as well as fire doors. The data centers comply with the APSAD R4 standard for the installation of extinguishers and also hold N4 certification of conformity.
DDoS Attacks: Our data centers offer protection against DDoS attacks. There are 3 anti-DDoS infrastructures of 160 Gbps in operation in our European data centers.
Ethical Hacking Audits: Athento performs automatic ethical hacking tests every 15 days. These audits seek to control, eliminate or mitigate risks of hacking, phishing, etc. Athento uses manual and automatic tools for these tests. The results are based on the Common Vulnerability Scoring System. For security reasons, these tools or reports are not disclosed.
Data Transmission: Access to the platform and, in general, any data transmission is done through SSL. SSL (Secure Socket Layer) secures data transmission on the internet by encrypting and protecting data transmitted using the HTTPS protocol. SSLv3 guarantees users of the website that their data will not be fraudulently intercepted.
Athento’s SSL certificates use SHA-2 and 2048-bit encryption to stop hackers in their tracks. This is the strongest encryption on the market today. Our certificates support up to 256-bit encryption and are recognized by all of the major desktop and mobile browsers on the market.