Sequence implements and maintains Security Measures that meet or exceed the security objectives required for SOC2 audit and ISO 27001 accreditation (see more on our current certifications).
Sequence may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service.
Sequence is hosted and managed on Google Cloud Platform (“GCP”) across multiple availability zones to support fault tolerance, high availability, and disaster recovery. Additionally, we make use of caching on Google’s global infrastructure network to ensure our products and dashboards load more quickly for users.
Sequence products are based on a multi-tenant architecture that applies common and consistent management processes and controls to all customers. The infrastructure has been designed to provide high availability and all critical infrastructure components are redundant across multiple GCP availability zones.
APIs, servers, and databases are deployed in multiple availability zones each consisting of one or more discrete data centers, with fully redundant power, networking, and connectivity housed in separate secured facilities. More information on redundancy within Google’s availability zones can be found in their documentation.
Network-level security monitoring and protection
We monitor and protect the networks on which we run Sequence within Google Cloud Platform. We follow both industry and Google best practices and are building towards a zero-trust network to offer the best protection for our customer data.
We make use of:
- Virtual private networks (VPCs) and none of the infrastructure that we run has public-facing IP addresses
- Firewalls to limit ingress and egress connections into and from our network, servers and APIs
- An Intrusion Detection and/or Prevention technologies (IDS/IPS) solution that monitors and blocks potential malicious packets
- IP address filtering
- Distributed denial of service (DDoS) mitigation services
- Mutual TLS and service-to-service authorisation between endpoints in our network
- Network Policies that declaratively allow network connections to be made
- Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS)
- Encryption at rest: All our Customer Data is encrypted at rest using the industry-standard AES-256 algorithm
Application security and protection
Sequence uses security monitoring solutions to get visibility into application security, identify attacks and respond quickly to a data breach. Technologies to monitor exceptions, logs and detect anomalies in our applications are being used.
Sequence collects and stores logs to provide an audit trail of our applications activity. All logs generated from our customer-facing environments are stored in immutable, append-only logging stores so that we have a verifiable record of all activity (manual or automated) that take place within our infrastructure and networks.
Sequence operates across multiple, redundant availability zones to offer protection against downtime, data loss or destruction.
Sequence regularly conducts both tabletop and practical disaster recovery test (DiRT) exercises to validate different failure modes and how they can be handled in a way that does not impact customer experience or data.
Sequence’s engineering team invests time and extensive effort in the security of our software, and also the processes in that software’s development and release.
- All code is peer reviewed before its release
- Static Application Security Testing (SAST) is used to detect security vulnerabilities in the codebase
- Automation is in place to ensure security releases in dependencies and libraries are identified and applied
- Clear guidelines exist for vulnerability management and timeframes within which issues must be addressed
- We regularly schedule third party penetration testing of our Service
Internal data access processes and policies
Sequence’s internal data access processes and policies are designed to prevent unauthorized persons or systems from getting access to systems used to process personal data.
Access to customer data is limited based on role-based access, and all access is logged and auditable. All employees who may access data do so under their own credentials, have strong passwords in place, and use two factor authentication to connect to our systems.
All Sequence employees:
- Are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics and professional standards
- Are background checked as part of the hiring process to the extent allowed by local laws and regulations
- Are required to agree to our confidentiality policy as well as policies related to safely handling customer data and acceptable usage
- Undergo security training when they join and at regular intervals thereafter
- Only process customer data under authorisation or only when it is necessary to as part of the continual operation of a customer’s account(s)