1. Introduction

In light of the sensitive data processed within our software, Actito has implemented stringent procedures to safeguard the security of customer and user data.

Below, we have provided an overview of the key security processes at Actito:

2. Production Environment

Actito employs a cloud-based deployment model on its own infrastructure for its Software-as-a-Service (SaaS) solution. All software maintenance and configuration activities are carried out exclusively by Actito employees. To ensure maximum data security, each client's data is stored in dedicated databases. Our security measures include industry-standard practices such as firewalls, intrusion detection, environments isolation and rigorous change management.

3. Scalability

Actito's distributed architecture for data collection and processing enables seamless scalability to accommodate an increasing number of clients and rising traffic volumes. Continuous monitoring through various processes and tools ensures the optimal utilization of network resources, operating systems, applications, and capacity, with systems being scaled as predetermined capacity thresholds are reached.

4. Risk Management

To bolster its business continuity planning, Actito has established comprehensive risk management practices. These practices assist management in identifying and proactively managing potential risks that may impact our ability to deliver reliable services to our clients.

5. Policies

Actito maintains and regularly updates a comprehensive Information Security Policy. This policy outlines employee responsibilities regarding the confidentiality of client data and the acceptable use of resources. All staff members are required to review and acknowledge this policy.

6. Segregation of Duties

Only authorized personnel are permitted to administer systems or undertake security management and operational functions. The authorization and implementation of changes are segregated responsibilities whenever applicable to ensure the utmost security. Access to client data is strictly limited to legitimate business purposes.

7. Employee Screening

Actito mandates that all employees undergo background checks (allowed by local regulation) and provide specific identity verification documents upon employment.

8. Terms of Employment

General information security responsibilities are documented in the Actito Information Security Policy, which all employees must sign as part of their onboarding process.

9. Training

All new employees, whether full-time or temporary, receive comprehensive information security training as part of their onboarding. An annual security and privacy training requirement update ensures employees continually refresh their knowledge and understanding. Additionally, they are asked to follow monthly online training and a specific anti-phishing training tailor made. Employees who handle client data receive specialized security training.

10. Termination of Employment

Actito manages a formal termination process that includes the removal of any potential access to Actito and related data. Exit interviews serve as reminders to former employees regarding their remaining employment restrictions and contractual obligations.

11. Documentation and Change Management

Critical and repeatable processes and security checks within Actito's production environment are either documented in procedures or implemented as automation scripts. We maintain and adhere to formal change management processes, tracking and documenting all changes to the production environment, with regular involvement from relevant business owners.

12. Environments

Both scheduled and emergency changes undergo rigorous testing in separate environments. These changes are reviewed and approved by Engineering and Testing Support before deployment to the production environment. Testing, aside from deployment validation, is strictly prohibited in the production environment.

13. Backup

Actito employs fully redundant databases to store all client data. Daily data is backed up on a scheduled basis, encrypted using a state of art algorithm, and stored in geographically separated locations.

14. Logging and Monitoring

Actito utilizes an industry-standard enterprise application management solution to monitor systems around the clock. This system facilitates alerting, trend analysis, and risk assessment.

15. Encryption

Any customer data within the Actito application is encrypted during transit over public networks using Transport Layer Security 1.2 or newer encryption (FTPS/HTTPS). Data provided by Actito's clients within the application is stored using industry-standard AES-256 encryption at rest.

16. Development and Support Process

Actito follows an agile development methodology characterized by iterative, rapid release cycles. Security and security testing are integral components throughout the software development process, with Quality Assurance involvement at every phase to ensure adherence to security best practices.

17. Incident Process

Actito has established a robust Incident Management Procedure to address events efficiently and promptly. This procedure framework outlines deployment protocols, defines criteria for incident severity, outlines the investigation and diagnosis workflow, details documentation and reporting requirements, and provides contact information. Security incidents are escalated from initial responders to the relevant Account Manager for client notification, with critical issues remediated immediately and lesser-severity issues evaluated for resolution within the standard development process.

18. Business Continuity and Disaster Recovery

Our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) activities prioritize critical functions necessary for delivering Actito's SaaS Solutions to our clients. The scope of BCP and DRP efforts varies according to the criticality of each function or facility, maximizing the effectiveness of these measures.

19. Redundancy

Actito's SaaS Solutions architecture incorporates redundancy throughout the infrastructure, ensuring resilience from load balancers and storage units to processing engines, power systems, and telecommunication providers. There are no single points of failure, and all data is simultaneously written to two separate locations for added redundancy.