Security

Tekion’s products are built with security at their core.

Data Storage Site Security

The sites where your data is stored, including data centers, offices, and off-site storage facilities, will have appropriate physical security controls.

These measures include:

  1. Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
  2. Tekion maintains a business continuity and disaster recovery program to ensure services remain available or are easily recoverable in the case of a disaster. These plans are tested and reviewed at least annually.

Network Security

The networks on which your data will be transmitted will be protected from unauthorized access or infiltration, either internally or externally.

The measures that will be taken to ensure this include:

  1. Running periodic external and internal vulnerability scanning and informing the relevant data exporter of any issues.
  2. Maintaining perimeter defenses such as firewalls and data loss prevention solutions.
  3. Maintaining internal defenses such as security information event management to analyze log files to identify anomalous behavior and other threats.

Platform Security

The technology on which your data is stored, including servers, workstations and laptops, cloud service and other portable media, will be protected from known threats.

The measures that will be taken to ensure this will include:

  1. Ensuring anti-virus or anti-malware systems are implemented and kept current for all operating systems.
  2. Ensuring operating systems have secure configuration.
  3. Maintaining internal defenses such as security information event management to analyze log files to identify anomalous behavior and other threats.

Data Confidentiality

The confidentiality of your data will be maintained by protecting such data wherever it is stored, and whenever it is transmitted.

These processes and procedures may include:

  1. The secure disposal of paper, equipment, media and data.
  2. The security of data in transmission by means of encryption.

Data Access

Your data will be accessed only by Tekion authorized personnel through such means as:

  1. The use of unique usernames and passwords to access the IT systems that host your data, including use of multiple factors of authentication to access IT systems remotely.
  2. Implementing security policies to ensure that passwords are not shared and that systems' passwords are changed periodically in line with recommended best practice.
  3. Ensuring access to your data is authorized and approved.
  4. Ensuring there is a clear segregation of duties between users.
  5. Ensuring access is granted on a least privilege basis.
  6. Terminating access where appropriate.

Data Processing

We will ensure that appropriate aspects of good security practice are enforced when processing any of your data.

These processes include:

  1. Maintaining and enforcing policies on the secure handling and care of data, and taking steps to ensure that such policies are known to all Tekion employees through awareness training.
  2. Ensuring that developers are trained and kept up to date in security coding techniques.

Staff and 3rd Party Security Procedures

We will ensure and maintain the integrity of personnel accessing your data by:

  1. Assessing the reliability of Tekion employees who will have access to personal data.
  2. Maintaining and enforcing policies on the secure handling and care of data, and taking steps to ensure that such policies are known to all Tekion employees.
  3. Having employees and contractors sign confidentiality agreements prior to accessing your data.
  4. Reviewing any sub-processors which We will use, to ensure appropriate security measures are in place.
  5. Ensuring any third party adheres to the minimum set of controls prescribed by Our information security policies.

Third party subcontractors will be bound to technical and organizational measures that are at least as rigorous as the measures that We commit to You. We continuously review these measures and update them as needed to keep in line with industry standards. If requested, We will provide You with a description of our current measures.

Data Breach Procedures

We have established a set of data breach security procedures that include the following elements:

  1. Detection: Establishing the facts of the incident and creating a diagnostic, containment and communications plan with respect to those whose data has been affected.
  2. Containment: Limiting the extent of the data compromise.
  3. Eradication: Removing all aspects of the hostile code/configuration, if applicable.
  4. Recovery: Restoring data and system to a known good state, without vulnerability.
  5. Review: Assessment of how to avoid similar incidents in future.
  6. Notification: Informing relevant interested parties of the data breach within legal and industry acceptable obligations and timeframes.

Availability and continuity

System availability is our top priority. To that end, we maintain multiple geographically diverse data centers and have implemented robust disaster recovery and business continuity programs. For more information on our service levels, please see Our Service Level Agreement.

Security built upon a strong foundation

As an end-to-end cloud native platform, our products and services leverage the state-of-the-art security provided by Azure and AWS to keep your data and our products secure.

Click the following links for more information on how Azure and AWS secure your information in their data centers.

Microsoft Azure

Amazon AWS

Frequently Asked Questions

Does Tekion have any internal policies regarding data privacy and information security?

Tekion has formal policies and procedures addressing how we develop, implement, maintain, and improve our robust information security program. We also have several internal policies governing how our employees and contractors access, store, and secure customer data. These policies follow a similar format, have dedicated owners, and committed review periods. The policies cover a variety of topics ranging from securing our employees’ assets to responding to security incidents.

Who has access to our data?

Access to your data is generally limited to the following recipients: (1) our employees and contractors who require access to develop our products and services and to provide you with customer support (including employees of Tekion entities); (2) third-parties that you authorize us to share data with (e.g., third-party integrations that you use in your business); (3) third-party partners, including our sub-processors, that we use to develop and support our products and services (e.g., our cloud service providers and OEMs). In some limited circumstances, we may also need to share your data with third-parties for legal purposes (e.g., in connection with a legal action or for tax purposes). However, in all instances, we share only the data that is necessary to fulfill the above purposes. For more information about how we use and share data, please see our privacy policy.

Additionally, our products have audit trails to give customers visibility over access to their data in Tekion’s systems, including their employees and third-party vendors. Please contact your solutions specialist for more information on obtaining this information.

Have you undergone any industry recognized security audits such as ISO 27001 or SOC? If so, what is the date of the most recent audit?

Tekion is SOC 2 Type 2 and SOC 1 Type 2 compliant. SOC 2 Type 2 compliance is an internal controls report describing how companies safeguard customer data and how well those controls operate. SOC 1 Type 2 compliance is an internal controls report that allows our customers to assess how Tekion’s controls impact their controls for financial reporting. Both our SOC 1 and SOC 2 reports are issued by an independent third-party accredited auditor. Please contact us at privacy@tekion.com to obtain our latest reports.

Tekion is also pursuing an ISO 27001 certification, which is the leading international standard to help organizations protect their and their customers’ information. We expect to have this certification by Q2 2023.

Do you have an appointed information security officer?

Yes – please contact privacy@tekion.com for more information.

Have you performed an information security risk assessment within the last year?

Yes, Tekion conducts security risk assessments on an ongoing basis before every major release. Additionally, Tekion uses a third-party information security firm to conduct penetration tests on its systems containing customer data. The most recent vulnerability test was in October 2022.

Is data stored on Tekion’s products encrypted?

We use high standards of encryption to secure our customer data at rest and in transit. And as an entirely cloud-based platform, our customers’ data is further secured by the state-of-the-art measures used by our cloud providers, Amazon Web Services and Microsoft Azure. To learn more about our security practices, please see our security measures page.

Does Tekion use multi-factor authentication?

Yes. Multi-factor authentication (MFA) is one of several tools that we use to secure data in our products and our internal systems. Authorized Tekion employees and contractors may only access Tekion systems and databases holding customer data through MFA. On the product side, MFA is enabled by default.

Do you have a formal disaster recovery/business continuity plan?

Yes, Tekion has a detailed disaster recovery and business continuity plan to ensure that we recover operations quickly and efficiently in case of a disaster. This includes deploying our platform across multiple data centers with replication and implementing strict recovery deadlines to ensure our systems are running again as soon as possible.

Do you conduct information security training for your workforce?

We provide formal information security training to all employees during their onboarding process and follow up with regular information security refresher trainings at least annually. We also utilize social engineering and phishing simulations to ensure that our employees recognize tactics used by hackers.

Do you have vulnerability management, penetration testing or bug bounty programs? If so, which apply?

Yes, Tekion has a vulnerability management program. We also regularly conduct vulnerability assessment and penetration testing (VA/PT). While we do not have a formal bug bounty program, we promptly investigate any reported security flaws and risks and address them as quickly as possible. To report a potential security risk, please contact security@tekion.com.

Does Tekion have a formal incident response plan?

Yes, our incident response plan sets forth internal guidelines for detecting incidents, escalating to security personnel, communication, investigation, mitigation, and root cause analysis. You can find the details in our Data Processing Addendum.

Does Tekion screen its employees?

Yes, we work with third-party agencies to screen all of our employees prior to joining Tekion. Where permitted by law, we conduct credit and criminal checks as well.

Does Tekion have a process to audit its data protection and security procedures?

Yes. We perform comprehensive security evaluations as part of our annual compliance audits, which involve an independent assessment by external audit firm(s). Additionally, we perform operational audits in high-risk areas of our business.

Do you monitor third-party vendors to ensure they comply with your security standards?

Yes, we have a supplier relationships procedure that ensures that third-party service providers implement required controls under security frameworks like ISO 27001, SOC 1, SOC 2, and PCI DSS.

Are all Tekion employees and contractors required to sign a non-disclosure agreement?

Yes, all new Tekion hires and contractors sign confidentiality agreements preventing misuse and unauthorized disclosure of customer data. Our employees and contractors have the same confidentiality obligations as we do to our customers.

Do you have a Service Level Availability Policy (SLA) in place, and is it communicated to the customer?

Yes. The Service Level Availability Policy (SLA) is posted on our website (Tekion Home page >> Legal >> Tekion® ARC Service Level Agreement).