Wavo Analytics Platform - Security
Updated March 29th, 2024.
Introduction
Wavo is committed to the security of its Customers’ Data. Wavo’s information security system makes use of a variety of industry-standard and state-of-the-art security technologies and procedures to help preserve the confidentiality, integrity and availability of our customers’ information. Wavo employs a public cloud deployment model using both physical and virtualized resources for its Analytics offering (the “Platform”). Wavo employs industry-standard practices such as firewalls, change management and written security policies for security protocols.
ISO 27001 Certification
Proudly, Wavo has achieved ISO 27001 certification (June, 2021), a testament to our unwavering commitment to information security. This certification is the international benchmark for information security management and demonstrates Wavo's dedication to implementing the highest standards of data security and risk management. Achieving ISO 27001 certification involves a rigorous and comprehensive process of systematic evaluation and improvement of our information security practices, including the assessment of IT processes, staff training, and response protocols. This accomplishment reflects our continuous effort to safeguard our customers' data against emerging threats and vulnerabilities, ensuring that our security measures are robust, comprehensive, and aligned with global best practices.
Security Policies
Wavo’s security and access policies, which detail employee responsibilities, Management’s roles, Customer Data confidentiality and siloing, and acceptable use of resources, are reviewed and updated at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy and effectiveness. Policies are published and communicated to employees and relevant external parties, and employees receive appropriate training and regular updates in organizational policies and procedures, as relevant for their job function.
Access Control
To ensure authorized user access and to prevent unauthorized access to systems and services, Wavo manages Access Control Policies and Procedures for its Corporate Network and for the Analytics Platform Production Network.
Administrative User Accounts, including network and Database, are mapped directly to employees using unique Personal Identifiers. The access rights of all employees and external party users to information and information processing facilities are removed upon termination of their employment, contract or agreement, or adjusted upon change. Employees are authorized by appropriate accounts, based on the “least privilege” and “need to know” principles.
Security in development and support processes
The Wavo platform infrastructure is managed by a team, whose responsibilities are as follows:
To establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
To enforce and use Industry Best Practices, such as Default Deny Rules for Firewalls, Web Application Firewall (WAF) and Automated Patch Management.
To ensure that formal changes to systems within the development lifecycle are controlled by the use of formal change control procedures.
To define Proper Execution Processes and Continuous Personnel Training.
To operate Automated Code Deployment and Configuration Management Systems.
Network security
Multiple Network and Application Monitoring Tools continuously scan for suspicious activity and errors. Access is restricted to Platform Operations Personnel, and authentication requires a separate set of Credentials.
Wavo Customers access the Wavo Platform via the public Internet. All Data transfers to and from the Platform take place in accordance with secure protocols.
Data Centers
The Wavo physical infrastructure is hosted on Top Tier Public Cloud Providers that continually manage risks and undergo recurring assessments to ensure compliance with Industry Standards.
Data Backup
Wavo stores all Analytics Platform Customer Data on fully redundant Storage Systems, utilizing a multi-tiered backup approach. All backups are encrypted with 256-bit AES encryption. Daily and intraday Data is backed up on a scheduled basis to separate Storage Devices and Backup Media. Only Wavo Analytics Platform Operations employees have access to Backup Media.
Logging and Monitoring
The Wavo Platform uses an Application Management Solution to monitor systems, trigger alerts, track event logs, and perform Trend Analysis and Risk Assessment.
Technical Vulnerability Management
The Wavo Data Privacy and Security Management Process is designed to prevent the exploitation of technical vulnerabilities without customer interaction or impact. Wavo is notified of vulnerabilities through internal assessments. Each vulnerability is reviewed to determine whether it is applicable to the Wavo environment and, based on risk, is assigned to the appropriate team for resolution.
New systems are deployed with the latest Updates and Security Patches. As Customer Data is stored in isolated environments, it is unaffected by any System Update.
Confidentiality
Confidentiality ensures that Customer Data is only accessible by authorized Entities. The Wavo Platform provides confidentiality via the following mechanisms:
Identity and Access Management – Ensures that only properly authenticated Entities are allowed access.
Data Isolation and Siloing – Minimizes interaction with Data by keeping containers logically or physically separate. Customer Data is kept isolated throughout the data processing pipeline and in all stored forms. Audits and reviews are in place to ensure that data remains private.
Business Continuity and Disaster Recovery
Wavo’s Business Continuity Planning and Disaster Recovery activities prioritize critical functions that support the delivery of its services to its Customers. The development and scope of the BCP and DR within each Business Function reflect the importance of each function and/or facility to maximize the effectiveness of these efforts.
Wavo takes advantage of its Platform’s distributed architecture to exercise critical Disaster Recovery aspects routinely, whenever significant organizational or environmental changes are needed. Other, less critical aspects, such as events affecting Data Storage, are tested regularly as well. Disaster Recovery Failover Tests are performed semi-annually.