Entitle security assurance

As a trusted partner to our customers, we are committed to securing our data, our technology, and our people. We conform to industry-recognized processes, procedures, protocols, and certifications. This is an assurance to our customers of our ability to not only deliver quality services but to protect all manner of customer-related data, infrastructure, applications, and people in our execution of Entitle’s portfolio of services.

Information security compliance

One key way we demonstrate our commitment to security is by being SOC 2 Type 2 compliant. SOC 2 is a widely recognized standard for assessing the security, availability, and confidentiality of a company's systems and controls. To become SOC 2 Type 2 compliant, a company must undergo a thorough audit of its security practices by an independent third party. The Type 2 designation indicates that the company has not only passed the audit but also has implemented the necessary controls and is operating in accordance with them on an ongoing basis.

At Entitle, we take our SOC 2 Type 2 compliance very seriously. We have implemented a range of security measures to protect our systems and our customers' data, including:

  • Physical security measures to protect our servers and data centers
  • Network security measures to protect against cyber threats
  • Access controls to ensure only authorized personnel access sensitive data
  • Encryption of data in transit and at rest
  • Regular security testing and monitoring to identify any potential vulnerabilities
  • Strict policies to ensure that our employees are trained in and adhere to best practices for data security

Data encryption

Entitle’s system runs fully on Amazon Web Services and follows the most rigorous security standards that AWS supports. Data in transit is fully encrypted using TLS; data at rest is fully encrypted using AWS’s infrastructure.

Deployment models

We respect our customers’ risk appetite and offer two deployment models:

  • Public cloud - Multi-tenant SaaS. Customers' sensitive data, including the information applications use for access and users' permissions, is encrypted; secrets and access tokens are stored in AWS Key Management Service. We take precautionary measures to ensure customer data is well monitored: a Datadog instance is an integral part of the Entitle cloud environment. It receives logs from the Entitle application as well as from all customers' agents and monitors them.
  • Self-hosted - A self-hosting model that provides security assurances according to the Entitle customer's own processes. The Entitle Agent is a local agent that communicates directly with all the managed applications and is hosted by the customer, while the Entitle control plane, including the admin and end-user applications, is hosted in the Entitle cloud service. The customer's secrets and access tokens are kept in a vault in their own Kubernetes cluster, while the Entitle service stores encrypted user information, such as user names, emails, and roles, in its AWS environment. Customer data going from the local agent to the Entitle cloud is sanitized: the information and logs sent from the agent to the cloud service consist of sanitized information only, which means that no sensitive data enabling access to the managed applications, including tokens and credentials, is transferred.
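An illustrative egress filter for the self-hosted model described above: it redacts credential-bearing fields and token-shaped strings from an agent event and refuses to forward the event if anything secret-shaped survives, while leaving user names, emails, and roles intact. This is an added example, not Entitle's agent code; the field names, token shapes, and sample event are assumptions constructed for the demonstration.

```python
import re
from typing import Any

# Constructed, illustrative rules (not Entitle's): field names that carry
# credentials, and value shapes that look like tokens.
SECRET_KEYS = {"token", "access_token", "password", "secret", "api_key", "authorization"}
SECRET_VALUE_PATTERNS = [
    re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE),  # HTTP bearer tokens
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                              # AWS access key id shape
]
REDACTED = "[REDACTED]"


def sanitize(event: Any) -> Any:
    """Return a copy of an agent event with credential fields and token-shaped
    strings redacted. Non-secret fields (names, emails, roles) pass through."""
    if isinstance(event, dict):
        return {k: (REDACTED if k.lower() in SECRET_KEYS else sanitize(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [sanitize(v) for v in event]
    if isinstance(event, str):
        for pattern in SECRET_VALUE_PATTERNS:
            event = pattern.sub(REDACTED, event)
    return event


def leaks_secret(event: Any) -> bool:
    """Egress check: True if any credential field still holds a non-redacted
    value or any string still matches a token shape."""
    if isinstance(event, dict):
        return any((k.lower() in SECRET_KEYS and v != REDACTED) or leaks_secret(v)
                   for k, v in event.items())
    if isinstance(event, list):
        return any(leaks_secret(v) for v in event)
    if isinstance(event, str):
        return any(p.search(event) for p in SECRET_VALUE_PATTERNS)
    return False


# Constructed sample event, as a self-hosted agent might emit before forwarding.
SAMPLE_EVENT = {
    "user": {"name": "alice", "email": "alice@example.com", "role": "admin"},
    "app": "github",
    "access_token": "ghp_constructedsamplevalue0000000000000000",
    "request": {"headers": {"Authorization": "Bearer abc.def.ghi"}},
    "log": "assumed role with key AKIAIOSFODNN7EXAMPLE",
}


def forward_safe(event: Any) -> Any:
    """Sanitize, then refuse to forward if anything secret-shaped remains."""
    clean = sanitize(event)
    if leaks_secret(clean):
        raise ValueError("refusing to forward: secret survived sanitization")
    return clean
```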

Data access

Employees who have been authorized to view information at a particular classification level will only be permitted to access information at that level or at a lower level, on a need-to-know basis. All access to systems is configured to deny everything except what a particular user needs to access for their business role. Access to systems or applications handling confidential, sensitive, or private information follows the Entitle data access request process. All requests require approval by the Information Security Team and a valid authorization request form.

Data disposal

All confidential or sensitive electronic data, when no longer needed for legal, regulatory, or business requirements, is removed from Entitle systems. This includes all data stored in systems, temporary files, or contained on storage media. All confidential or sensitive hardcopy data, when no longer needed for legal, regulatory, or business requirements, is likewise removed from Entitle systems.

Data Entitle uses and where it's stored

Information / deployment model | Public cloud | Self-hosted
Secrets and access tokens to 3rd-party services and apps | Entitle Cloud, stored in AWS Secrets Manager and encrypted by AWS KMS | In a vault hosted by the customer
Users’ names, accounts and emails | Entitle Cloud, encrypted | Entitle Cloud, encrypted
User permissions (assignment of roles to users) | Entitle Cloud, encrypted | Entitle Cloud, encrypted
Resources and roles mapping | Entitle Cloud, encrypted | Entitle Cloud, encrypted
Entitle operational logs | Entitle Cloud, encrypted | Entitle Cloud and hosted by the customer, encrypted

Infrastructure security

  • Server Hardening – All servers are hardened according to industry best practices.
  • Segregation Between Office and Production Networks – There is a complete separation between the Entitle corporate network and the production network. Access to the production environment is granted to authorized personnel only, and traffic between the networks is sent over an encrypted tunnel.
  • Vulnerability Scans – Scans are performed on Entitle’s images and code base to detect potential security weaknesses. Findings are documented and reviewed on a regular basis.
  • Penetration Testing – Penetration testing is performed yearly to identify security vulnerabilities and possible attack vectors on Entitle’s infrastructure.

Disaster Recovery Plan (DRP)

Entitle has developed a disaster recovery plan to enable the company to continue to provide critical services in case of a disaster. Entitle maintains backup server infrastructure at a separate location within the AWS environment. The backup server infrastructure has been designed to provide clients with business-critical services until the disaster has been resolved and the primary system is fully restored. The alternative processing environment is wholly managed by appropriate Entitle personnel, as is the case with the primary production environment.