Security 

Data Security

We at Office24by7 understand the importance of our responsibility to protect and secure your data.

In order to ensure your data and to fulfill the responsibility, we have a system in place in all our business functions.

The detailed account of systems has been mentioned hereunder, to give you a glimpse of measures we have taken:

 

Physical Security

Office24by7 premises in Hyderabad and other cities are in an appropriate physical security. It is strictly observed that only authorized personnel have access to office buildings. Full-scale biometric authentication process of multiple levels configured for employees to gain access. Some of the key and critical locations related to servers and all are manned by the security of physical and biometric and have access to authorized individuals only.

All the documents are stored in foolproof cabinets and accessible to authorized personnel. Entire office premises equipped with CCTV and continuously monitored by authorized security persons. All the visitors are checked and monitored when I the building.

Office24by7 office has uninterrupted power supply 24×7 and additional alternative power supply mechanism is in place to run the function smoothly in case the power supply is disrupted.

Application Security

All Office24by7 Applications and services are hosted on Amazon Web Services. The databases and applications infrastructure servers are maintained and managed by cloud service providers.

Our approach to security is multi-dimensional where engineering, architecture, deployment and Quality Assurance are taken care to ensure high standards.

Application Architecture

Our Applications is protected by Amazon Web Services firewall, which can counter any kind of regular DDoS attacks any other network breaches. Web Application Firewall constitutes the second layer which protects users, spam and offending IPs.

It is to be noted that the security on any cloud-based products is a responsibility of both the owning company and business associate or partners who own the accounts on the cloud. Hence the applications should be accessed by valid-users only. Our products, besides password policies, come with a standard to secure business data on cloud including the Sales Groups, permission templates, Role-based Access and Whitelisting of IPs.

We at, Office24by7 use multi-secured model to host al our applications. Our programs are accurate and bring only the data belonging to the logged in account only. Under no circumstance, a customer gets the other customers data. Access to our staff to the applications is also regulated, monitored and periodical audits are undertaken to ensure safety.

Application Engineering and Development

Security testing is a part of our software development cycle, where testing is given equal importance in the development process. A complete security review is compulsory for application engineering process at Office24by7.

Software Changes and Release Management

Our production environment is subjected to a strict and systematic process. From the development to the testing environment, assessing the changes to staging for the production and subsequent deployment the protocol is strictly adhered to. Entire production deployment is taken care of the development team only and no one else can access the production environs.

Production Monitoring

A dedicated team monitors 24by7 for the possible attacks and suspicious activities over the applications.

We also conduct third-party audits on a regular basis to asses and certify the state of security of our Applications and Services.

Data Security

Offcie24by7 gives high priority to customer data safety and security. We take the managing of all our applications and customer data very seriously.

Our development team doesn’t have any access to production server data. All the changes in web content, infrastructure, and application are documented compulsorily according to a data change process.

The data protection and integrity are taken very seriously at the Office24by7. All the data is encrypted by a standard ASE-256 bit, and the keys are managed by AWS Key Management Service. Other transit data is encrypted by a standard FIPS- 140-2 over a fully secured connection for all accounts hosted with us.

Development and testing are carried out in different environments, and the access to different environs and systems is monitored strictly, based on the necessity to know, appropriate to information classification with inbuilt segregation and a quarterly review.

Data Deletion

We strictly ensure that your data is deleted clearly when your account with us is terminated. The same detailed have been listed on our terms of service clearly.

Network Security

At Office24by7 office network is secured by industry-grade superior firewalls and antivirus software. The same is followed for the network where updates are developed and managed to alert about the intrusions, threats of incidents. Firewall logs are saved and reviewed on regular basis. Remote access facility is allowed only through the office network, particularly to the production unit. Remote user’s logins are audited and reviewed periodically too. Production system access is strictly regulated based on the multi-factor authentication process.

All our centers where data is stored are hosted in AWS are ISO 27001, SSAE-16 and HIPAA compliant.

Reporting Issues and Threats

For Office24by7, customer data protection is of paramount importance, hence we take it seriously. If anyone finds any data issues, or shortcomings in the security and safety of data or privacy of Office users, please write to security@Office24by7.com with the details, so we can work to get better of that.

We request you not to share or publish with the third parties any unresolved vulnerabilities. On submission of a detailed report, our concerned team attempt to do the following:

Acknowledge the report and respond in a timely manner.

Investigate the issue thoroughly, and give an estimated time frame to solve the vulnerability comprehensively.

At times, we may ask you to guide us in accurately identifying the issues to figure the better means to resolve the issues.

After fixing the vulnerability, we will inform you.

We not only appreciate the help to identify, we would also acknowledge the contributions, if any such, once the threat is resolved.

Public Disclosure Policy

This program, by default, is in the mode of “Public Non-disclosure”, which means:

“Public disclosure of the Program is not allowed. The vulnerabilities found in the program shouldn’t be released in the public, doing so will be liable for legal penalties.”

Fine Print

We may terminate or modify this program’s terms at any time. The changes we make to this program won’t be applied retrospectively. Office24by7 employees and their family members are not eligible for benefits and bounties.

Responsible Disclosure

We encourage people outside our group helps us detecting the security issues and vulnerabilities on the platform according to the laid down following guidelines:

Please do write to support@office24by7.com with the details of vulnerabilities and potentials in our product if the following criteria is met. We will revert to you in no less than 48 hours.

Please don’t do security testing in the existing customer accounts.

Doing any tests shouldn’t violate any privacy policies and disrupt production servers. Also, ensure to not to delete or modify unauthenticated user data or degrade the experience.

If the vulnerability you found is valid, we would be glad to acknowledge the same in our hall of fame page.

The domains mentioned under have the scope:

run.office24by7.com

api.office24by7.com

Exclude the following test cases while conducting your tests:

a) Denial of Service attacks and Distributed Denial of Service attacks.

b) Rate limiting, brute force attack.

c) Missing HTTP security headers and cookie flags on insensitive cookies.

d) Clickjacking/UI Redressing attack.

e) Self-XSS and XSS that affects only outdated browsers.

f) Host header and banner grabbing issues.

g) Automated tool scan reports. Example: Web, SSL/TLS Scan, Nmap scan results etc.

h) Login/logout/low-business impact CSRF.

i) Unrestricted file uploads.

j) Open redirects – unless they can be used for actively stealing tokens.

k) User enumeration such as User email, User ID etc.

l) Session fixation and session timeout.

m) Phishing/Spam (including issues related to SPF/DKIM/DMARC).

    Hall of Fame

    We sincerely thank the following individuals for their voluntary and responsible disclosures of security vulnerabilities in Office24by7 platform. This helped us to plug the issues and serve our customers better.

    Oops! Nobody’s here yet.