
Security Policy

1. Overview

Surefront provides Software as a Service (SaaS) solutions to leading retailers, brands, and manufacturers across the globe. Security is central to all three pillars of the Surefront Credo (Best People, Best Product, and Best Results) and represents a promise of trust between our team, our partners, and, most importantly, our customers. This document details our practices for delivering on that promise to customers and upholding our credo through diligent information security management.

The objective of this security policy is to provide a framework for managing information security at Surefront in accordance with ISO/IEC 27001 standards. This policy aims to protect the confidentiality, integrity, and availability of information assets and ensure compliance with relevant legal, regulatory, and contractual requirements.

This policy applies to all employees, contractors, consultants, and any other entities who have access to Surefront’s information assets. It encompasses all systems, networks, applications, and data owned, managed, or processed by the company.

Surefront is committed to:

  • Protecting information assets from threats, whether internal or external, deliberate or accidental.
  • Ensuring the confidentiality, integrity, and availability of information.
  • Complying with all applicable legal, regulatory, and contractual requirements.
  • Continually improving the information security management system (ISMS).

2. Access Control

Policy: Access to information assets shall be restricted to authorized individuals only.

Controls:

  • Implement multi-factor authentication (MFA) for all systems.
  • Enforce least privilege and need-to-know principles.
    • All teams at Surefront are required to operate using the Principle of Least Privilege (POLP) with respect to vendor software systems and access to Surefront's application and engineering infrastructure. The Principle of Least Privilege is a security concept that limits any individual user's access to information, systems, resources, and data to strictly what is needed to successfully contribute in their given role/responsibility.
  • Department Heads, Directors, and Managers are responsible for reviewing their teams' information access privileges to ensure they remain in compliance with POLP, at minimum:
    • once every 90 days;
    • upon addition or separation of a team member;
    • upon change of role or responsibility of a team member.

3. Data Protection

3.1 Data Encryption

The Surefront web application and backend services use industry-accepted encryption products to protect customer data (1) during transmissions between a customer's network and the Surefront servers; and (2) when at rest. Surefront services support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. We monitor the changing cryptographic landscape closely and work promptly to upgrade our services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need to maintain reasonable compatibility with older clients.

3.2 Data Backup and Recovery

Surefront customer data is stored redundantly in multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures which allow recovery from a major disaster. Customer data and our source code are automatically backed up every 24 hours. Alerts have been set up in the event of a failure in this system. Backups are tested at least every 90 days to confirm that our processes and tools work as expected.

4. Incident Response

4.1 Incident Detection and Reporting

Surefront, and authorized external entities like AWS, Sentry, and Datadog, monitor our services for unauthorized intrusions. Systems used in the provision of our services log information to their respective system log facilities or a centralized logging service (for network systems) in order to enable security reviews and analysis. Surefront maintains an extensive and centralized logging environment in the production environment which contains information pertaining to security, monitoring, availability, access and other metrics about our services.


4.2 Incident Response Plan

Surefront maintains incident management policies and procedures. These procedures include notification of impacted customers, without undue delay and to the extent permitted by law, of any unauthorized disclosure of their respective Customer Data by Surefront or its agents of which Surefront becomes aware. With regard to uptime: since Surefront systems are hosted on AWS, system status typically correlates with the availability shown on the AWS System Status pages. Surefront typically notifies customers of significant system incidents by email and, for incidents lasting more than one hour, may invite impacted customers to join a conference call about the incident.

5. Compliance and Audit

5.1 Regulatory Compliance

To ensure the effectiveness of our security practices and compliance with government regulations within the markets Surefront operates, Surefront undergoes regular security assessments by internal personnel, external security partners, and continuous automated testing of our web services. The results of these assessments are reported to senior management who identify and implement corrective actions to address all weaknesses and compliance variances.

6. Security Awareness and Training

6.1 Employee Training

  • Provide mandatory security training for new hires.
  • Conduct annual refresher training for all employees.
  • Test employees' knowledge through simulated phishing attacks.

6.2 Third-Party Training

  • Provide security guidelines to third-party vendors.
  • Include security requirements in contracts.
  • Audit third-party compliance annually.

7. Physical Security

All of Surefront’s services are provided in the cloud via Amazon Web Services. All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network. Surefront does not operate its own routers, load balancers, DNS servers, or physical servers. All of our services and data are hosted in AWS facilities and are secured as described at aws.amazon.com/compliance/shared-responsibility-model/

8. Network Security and Firewalls

In addition to sophisticated system monitoring and logging, Surefront maintains two-factor authentication for server access across our production environment. Firewalls are configured according to industry best practices, using AWS virtual private subnets and security groups.

9. Application Security and Vulnerability Management

To verify that our security practices are sound and to monitor our services for new vulnerabilities, Surefront services undergo a series of Well-Architected assessments provided by AWS and overseen by our development and operations team. In addition to periodic and targeted audits of our services and features, we also employ mandatory peer code reviews and continuous hybrid automated scanning of our web application and backend source code.

10. Business Continuity and Disaster Recovery

We understand that you rely on Surefront to work. We’re committed to making our services and platform highly available so that you can rely on us. Our infrastructure runs on systems that are fault-tolerant against failures of individual services or entire servers. Our operations team tests disaster recovery measures regularly and has a dedicated team to quickly resolve unexpected incidents. Industry standard best practices for reliability and backup helped shape the architecture of our platform. Surefront performs regular backups, facilitates rollbacks of software and system changes when necessary, and replicates data as needed. Where possible, Surefront will assist the Customer with data recovery for Major Catastrophic Events, as limited by data residency requirements of the locality and capabilities within the region. “Major Catastrophic Event” means three broad types of occurrences: (1) natural events such as floods, hurricanes, tornadoes, earthquakes, and epidemics; (2) technological events such as failures of systems and structures, including pipeline explosions, transportation accidents, utility disruptions, dam failures, and accidental hazardous material releases; and (3) human-caused events such as active assailant attacks, chemical or biological attacks, cyber attacks against data or infrastructure, and sabotage. A Major Catastrophic Event does not include bugs, operational issues, or other common software-related errors.


Contact Us

If you have any questions about this Privacy Policy, the practices of our Services, or your dealings with our Services, please contact us at: support@surefront.com

Sure Market LLC
support@surefront.com
Last updated: January 2024