As a cloud solutions provider for over 20 years, we guarantee world-class security for our customers
CatalystOne hosts service data in Microsoft Azure data centers that
have been certified as ISO 27001, PCI DSS service level 1 and/or
Soc 2 compliant.
Learn more about Azure Data Centers here.
Azure infrastructure services include backup power, HVAC
systems, and fire suppression equipment to help protect servers and
ultimately your data.
Learn more about data center controls here.
Azure on-site security includes features like security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Learn more about Azure physical security.
Data Hosting Locations
CatalystOne uses Azure Data centers in Ireland and Netherlands.
Our Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected through the use of Azure Security Services including Azure Defender for Cloud, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Network security scanning provides us with deep insight for quick identification of noncompliance / suspicious behaviors and potentially vulnerable systems.
In addition to our extensive internal scanning and testing programme, CatalystOne not only conducts continuous internal penetration tests, but also employs third-party security experts to perform a broad penetration test of the CatalystOne application on an annual basis +.
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
With the use of world class security tools, we are able to detect and prevent intrusion attempts automatically. Alerts are sent automatically to the Security and Operations Team who analyze and remediate where necessary. These tools include 24/7 monitoring and alerting.
CatalystOne works proactively against threats to privacy and security, where our inhouse Threat Intelligence Team conducts continuous research and analysis. In addition, CatalystOne receives threat intelligence from several 3rd parties that are relevant to our environment.
CatalystOne has architected a multi-layer approach to DDoS mitigation. A technology partnership with Cloudflare provides network edge defenses, while the use of Azure scaling and protection tools provides deeper protection.
Access to the CatalystOne Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Cloud Delivery Team. Employees accessing the CatalystOne Production Network are required to use multiple factors of authentication.
In case of a system alert, events are escalated to our 24/7 teams providing Cloud Delivery, Application Support, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
All communications with CatalystOne UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and CatalystOne is secure during transit. Additionally for email, our product leverages opportunistic TLS by default. Transport Layer Security (TLS) encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
Service Data is Encrypted at rest in Azure using AES-256 key encryption.
CatalystOne maintains a publicly available status.catalystone.com webpage which includes system availability details, scheduled maintenance and releavant security events.
CatalystOne employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime with geo-replication of data allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Our clustered architecture ensures a high level of service availability, utilizing multiple data centers to deliver the service to our customers. Data is geo-replicated between geographical locations, and infrastructure can be deployed quickly if necessary. The CatalystOne Disaster Recovery process is verified yearly.
We believe that a good security culture is paramount to a secure organisation. The CatalystOne Security Strategy states how security is every employee's responsibility, with guidance and support from the Security Team. We believe that excellent security is the result of not only highly skilled IT security professionals but also a strong security culture within the organisation.
To create such a strong security culture, we have created a Security Awareness Programme with its main objective to continuously educate, support, and guide our employees about possible threats and risks when it comes to Information Security. This is something we’re passionate about because we firmly believe that our employees are part of a joint effort of keeping CatalystOne secure.
In CatalystOne we have a team dedicated to security awareness, training, and communication. This choice is based on our belief that knowledge about information security is something that is of concern to every single employee.
CatalystOne conducts a thorough Vendor Security Risk Assessment on every vendor, subprocessor and supplier, prior to any utilization.
For any vendors already in use, the Security Team runs an annual audit to ensure that the security controls, contacts, and policies in place are still acceptable.
For any new vendors, a full risk assessment is sent to the vendor's security team to understand their datacenter location, security controls, privacy policies, and internal processes ++.
CatalystOne conducts a thorough annual internal audit based on the following (this list is not exhaustive):
Secure Development (SDLC)
Secure Code Training
Annual secure code training for all engineeers, based on OWASP Top 10 security risks.
Framework Security Controls
CatalystOne leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are logically separated from the production environment. No Service Data is used in our development or test environment.
Dynamic Vulnerability Scanning:
CatalystOne utilize world class third-party security tools to continuously and dynamically scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issue.
Software Composition Analysis
We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed accordingly.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing programme, CatalystOne runs continuous internal penetrations tests and employs third-party security experts to perform a broad penetration test on the CatalystOne application.
CatalystOne has several different authentication methods, native CatalystOne authentication and/or Enterprise SSO (SAML 2.0).
Configurable Password Policy
CatalystOne native authentication allows our customers to define the complexity rules for passwords to support their business rules.
2-Factor Authentication (2FA)
CatalystOne native authentication offers 2FA via email or SMS.
Service Credential Storage
CatalystOne follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.
Role-based Access Control
Access to data within CatalystOne is governed by role-based access control (RBAC) and can be configured to define granular access priveleges, empowering our customers to create user-groups, assign members and permissions to control who sees what and
who is able to perform which tasks.
CatalystOne offers several audit-logs within the application to provide insight into what is happening in the application, examples being logins and configuration changes.
Email Signing (SPF, DKIM/DMARC)
CatalystOne offers SPF, DKIM and DMARC for signing outbound emails from CatalystOne.
CatalystOne tracks the devices used to sign in to each users account. When someone signs into an account from a new device, it is added to the device list in that user's profile. That user can get an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI.
CatalystOne has developed a comprehensive set of security policies covering a range of topics. These policies are
shared with and made available to all employees and contractors with access to CatalystOne information assets.
CatalystOne performs background checks on all new employees in accordance with local laws
All employees attend a Security Awareness Training, which is given upon hire as part of their onboarding, and continuously throughout the years thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and in presentations during internal events.
All new hires are required to sign Non-Disclosure and Confidentiality agreements
GRC within CatalystOne is about defining and specifying the security principles we follow. This includes managing risk to promote the achievement of objectives, and ensuring that we comply with all policies and legal requirements.
In CatalystOne, we work actively with GRC, ensuring that Information Security is at a balanced level within each department in order to reach our objectives.