Security at Fracttal

At Fracttal, we take our customers' data security very seriously, and we take pride in implementing best practices when it comes to protecting your company's information.
Fracttal Security Program
Fracttal's security program is built on the concept of defence in depth, to ensure that our organization and our clients' data are protected at all times. The program is aligned with the ISO 27000 family of standards, evolves continuously with new industry practices, and is audited annually.
 
The goal of our security program is to prevent unauthorized access and protect the data of our users. To this end, our team takes comprehensive measures to identify and mitigate risks, implement best practices and constantly develop ways to improve.
 
Furthermore, our cloud foundation is managed by Microsoft using multi-layered, built-in security controls and the threat intelligence gathered across Azure to help identify and protect against rapidly evolving threats. Azure is a comprehensive, industry-leading cloud security provider with over 70 compliance certifications.
Some of our security features
Proactive Protection

Fracttal has more than 10 years of combined experience providing a high level of web application security. With FRACTTAL, you benefit from that depth of experience coupled with advanced security technology, including application firewalls, to deliver web applications protected against malicious attacks.

Encryption
Data in Transit

All data transmitted between our clients and the Fracttal service is sent over strong encryption protocols. Fracttal supports the latest recommended encryption technologies for all traffic in transit, including TLS 1.2, AES-256 encryption and SHA-2 signatures. Even in coffee shops, airports and other places with public WiFi, Fracttal passwords cannot be stolen. Users can open the application or use the platform with complete confidence, even in public places and over WiFi or mobile network connections.

Data at Rest

Data at rest in the Fracttal production network is encrypted using FIPS 140-2 compliant encryption standards, and this applies to every kind of stored data: relational databases, file stores, database backups, etc. All encryption keys are stored securely in a segregated network with very limited access. At Fracttal we have implemented appropriate security measures to protect the creation, storage, retrieval and destruction of confidential material such as encryption keys and account credentials.

Each client's data is hosted in our shared infrastructure and logically separated from the data of other clients. We use a combination of technologies to ensure that customer data is protected against hardware failures and is returned quickly when requested. The Fracttal service is hosted in data centers managed by Microsoft, which offer state-of-the-art physical protection for the servers and infrastructure that make up the operating environment.

FedRAMP (Li-SaaS): Federal Risk and Authorization Management Program

NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SOC 2 (Type II): Trust Services Principles

SOC 3

ISO/IEC 27001: Information Security Management System (ISMS)

ISO/IEC 27017: Security Controls for the Provision and Use of Cloud Services

ISO/IEC 27018: Protection of Personally Identifiable Information (PII)

HIPAA: Health Insurance Portability and Accountability Act

EU/US Privacy Shield and Swiss/US Privacy Shield: Data Privacy Practices

CSA: Cloud Security Alliance

More on how Microsoft Azure™ ensures data is protected at all times

All Microsoft Azure data centers used by Fracttal are protected in accordance with SAS 70 Type II (which includes biometric access control to physical storage media and maximum protection against intrusion) and comply with the safeguard standard. Authentication data sent to the client's machine can be encrypted using JavaScript and an RSA key. In addition, OTP (one-time password) technology can be combined with an e-Token. Data transfer for all users is done over an encrypted SSL connection (with a 256-bit key).

The Microsoft Azure platform applies DDoS mitigation mechanisms to maintain performance and availability, with the capacity to absorb the largest and newest attacks. Our rate limiting protects against denial-of-service attacks, brute-force login attempts, and other abusive behavior directed at the application layer. The 15 Tbps global network available through Microsoft Azure is 15 times larger than the largest DDoS attack ever recorded.
Content Delivery Network (CDN)

With 180 data centers in 76 countries, our provider's content delivery network (CDN) caches static content at the edge, reducing latency by serving resources from the location geographically closest to our users. It also absorbs distributed attack traffic by dispersing it geographically, keeping Internet properties available and running.

DNS

Our security provider is the fastest managed DNS provider in the world, routing more than 38% of global DNS traffic.

Web Application Firewall (WAF)
The enterprise-class web application firewall (WAF) detects and blocks common vulnerabilities in the application layer at the edge of the network, using the OWASP Top 10, custom and application-specific rule sets.
Optimization
Our security stack includes a set of optimizations that improve the performance of Internet resources. These include the latest web standards, such as HTTP/2 and TLS 1.3, as well as specific improvements for images and for users accessing the platform from mobile devices.
DNSSEC
Additionally, Fracttal uses DNSSEC, the Internet's unforgeable caller ID, which guarantees that traffic to our web application is routed securely to the correct servers so that visitors to the site are not intercepted by a hidden man-in-the-middle attacker.
SSL/TLS
Transport Layer Security (TLS) encryption enables HTTPS connections between our users and the origin servers, preventing man-in-the-middle attacks, packet sniffing, browser trust warnings and more.
Application Level Security
Fracttal's proactive protection blocks web attacks that attempt to exploit application vulnerabilities, and malicious users have no way to upload malicious code. The web application complies with the WAFEC 1.0 standard, and each user (company) accesses Fracttal in complete isolation from other users, with passwords protected by double encryption.
Access Control
Provisioning
To minimize the risk of data exposure, we adhere to the principles of least privilege and role-based permissions when granting access: members of our team are only authorized to access data that they reasonably need in order to fulfill their work responsibilities. All production access is reviewed at least quarterly.
Authentication
To reduce the risk of unauthorized access to data, we use multi-factor authentication for all access to systems with highly classified data, including our production environment, which houses the data of our customers.
Password Management
All members of our team use an approved password manager. Password managers generate, store and enter unique, complex passwords, avoiding password reuse, phishing and other password-related risks.
Available 24/7

Fracttal uses state-of-the-art Microsoft Azure™ data centers and clustering technology to ensure that service connectivity and data access are at maximum availability and performance at all times.

Data Retention and Deletion
Customer data is deleted immediately after the end user removes it from the system. Our Microsoft Azure™ service provider is responsible for ensuring that the data is securely removed from the disks before they are reused.
Disaster Recovery Plan and Business Continuity

Fracttal uses state-of-the-art independent data centers and clustering technology to ensure maximum availability and service performance, so your information is always available from anywhere.

We use the services provided by our Microsoft Azure™ service provider to distribute production operations across several separate physical locations. These locations are in different geographic regions and protect the Fracttal service from loss of connectivity, power infrastructure failures and other common location-specific failures.

Production transactions are replicated across these operating environments to protect service availability in the event of a catastrophic event at any one location. We also maintain a complete backup of the production data at a remote location that is a significant distance from the main operating environment. Full backups are stored at this remote location at least once a week, and transactions are saved continuously. We test the backup copies at least quarterly to ensure that they can be restored successfully.
Responding to security incidents
We have established policies and procedures for responding to possible security incidents. All security incidents are managed by our dedicated detection and response team. In the event of an incident, affected customers are informed by email from our Customer Success team.
External Validation
Security compliance audits
We continuously monitor, audit and improve the design and operational effectiveness of our security controls. These activities are carried out regularly with third parties and with our internal compliance and risk team.
Penetration tests
In addition to our compliance audits, we hire independent entities to perform penetration tests at the application and infrastructure level at least once a year.
The results of these external validations are shared with top management, and all findings are tracked until they are resolved in a timely manner.