Understanding shared responsibility with Business Sense
Business Sense takes responsibility for building products that are secure, reliable, and robust. While we maintain the cloud infrastructure, you are responsible for securing your data and the settings you configure within the Business Sense applications.
When you use Business Sense, data security and privacy are a shared responsibility between you and us. Here's a model that describes the high-level architecture of our cloud environment, which is Software as a Service (SaaS), and the associated responsibilities.
Customer's responsibility
- Data accountability
- Passwords
- Client and end-point security
Shared responsibility
- Identity and access management
- Data management
- Managing data to other parties
- Encryption
- Backups
- Incident management
- Awareness and training
- Policy and compliance
Business Sense's responsibility
- Data security
- Availability
- Business continuity
- Network controls
- Host infrastructure
- Physical security
We have put together this guide to help you understand what Business Sense does to keep your account safe, what you can do to secure your data, and how we can work together to achieve a safe cloud environment.
Customer's responsibility
Let's look at how you are responsible for protecting your data in the cloud and the security of your devices.
Data accountability
You are responsible for:
- The data you share and receive over the cloud. You decide whom you share it with, the period, and the means of sharing.
- Ensuring the privacy of the data you handle using Business Sense services, so that you do not accidentally or willingly make any private content publicly available.
- Maintaining the accuracy of the data that you process in your system.
- Ensuring that your Business Sense service account is not used by you or others on your behalf for spamming or illegal activities, and that Business Sense's services are used only for their intended purposes.
Passwords
You are responsible for creating a strong password and safeguarding it when you use it to log in and access the cloud.
Client and end-point security
- The compromise of one of your endpoints (whether your laptop, desktop, or smartphone) will render all other controls ineffective.
- You are responsible for your end-point security and are expected to keep your browser services, mobile OS, and mobile applications updated to the latest version and patched against vulnerabilities.
Shared responsibility: controls that apply to both you and Business Sense
Identity and access management
We provide infrastructure for managing user accounts through our Identity and Access Management (IAM) service by facilitating:
- User registration, de-registration options, and specifications on how to use them.
- Functionality for managing access rights of your cloud users.
- Strong authentication techniques such as Multi-Factor Authentication and IP address restrictions.
You are responsible for:
- Implementing strong user access management controls.
- Configuring strong passwords based on the organization's policy and protecting them.
- Enabling Multi-Factor Authentication for your organization's users.
- Administering user accounts and privileges: configuring user roles according to the principle of least privilege.
- Defining the administrator(s) of the organization's account and having a proper process for ownership transfers. Taking necessary steps to ensure that your organization does not lose control of its administrator accounts.
- Periodically reviewing the list of users with access to data and removing access for anyone who should not have it.
- Frequently reviewing devices linked to the organization's user accounts and removing unused or unauthorized devices.
- Monitoring your organization's user accounts for malicious access or usage.
- Notifying Business Sense of any unauthorized use of your organization's accounts.
- Educating your users on the importance of good password management and the risks of credential reuse, social logins, and phishing attacks.
Data management
We provide a platform for you to manage your data with:
- Data sharing features for administrator and user-level controls.
- Audit features on customer data to provide transparency on important activities and to track changes.
- Data interoperability: the option to take a complete backup of data and configurations to migrate all or a part of your data to another SaaS provider.
- Data retention and disposal: we hold the data in your account as long as you choose to use Business Sense services. Once you terminate your Business Sense user account, your data will get deleted from the active database during the next cleanup that occurs once every six months. The data deleted from the active database will be deleted from backups after three months.
- Access limitation features that restrict employees from accessing customer data and ensure that they can do so only if there is a specific reason.
- Due diligence while processing information belonging to special categories (for example, personal/sensitive data) by applying appropriate controls to comply with the requirements of applicable legislation.
You are responsible for:
- Configuring proper sharing and viewing permissions.
- Regularly reviewing audit reports to identify any suspicious activity.
- Maintaining up-to-date contact information with Business Sense.
- Taking your data out of the system once you stop using our services. Otherwise it will be subjected to permanent deletion without any scope for recovery.
Managing data to other parties
We work towards having secure integrations and extensions to our applications by:
- Marketplace applications: Performing functional testing, security testing, and privacy testing once an application is submitted to us. We also perform product review and content review.
- Sub-processors: Evaluating the security and privacy practices of sub-processors whom we wish to contract to ensure that they are in line with Business Sense's information security and privacy standards. We then execute appropriate data protection agreements with them.
- Vendors: Reviewing the privacy policy and terms of service of our vendors and ensuring that their operations adhere to them.
We expect you to:
- Enable or disable third-party integrations after taking into consideration the data that gets shared with third-party environments. You must review the terms and the privacy policy of the third-party service regarding the collection, use, or disclosure of data.
- Mark your preference on whether you would like to share your details with vendors every time an extension is installed.
- Assess the suitability of the Marketplace Apps and the reasonableness of the requested permissions prior to installation.
- Notify Business Sense of any malicious behavior identified in the Marketplace Apps.
We are accountable for:
- Providing features that enable you to cater to and protect the rights of your customers.
- Notifying you of requests from your customers when they contact us directly to exercise their rights.
- Honoring and handling requests from customers for data access, rectification, deletion, and restrictions in processing of their personal information.
Encryption
We safeguard your data using encryption in transit and at rest in the following ways:
- Data in transit: Customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, including web access, API access, our mobile apps, and IMAP/POP/SMTP access.
- Data at rest: Sensitive customer data is encrypted at rest using the Advanced Encryption Standard (AES) 256-bit algorithm. The data that is encrypted at rest varies with the services you opt for. We own and maintain the keys using our in-house Key Management Service (KMS).
We suggest that you:
- Determine your encryption needs. For data at rest, in many instances while using our services, you may be responsible for defining which of the fields need to be encrypted.
- Ensure that relevant encryption controls are applied when data from our cloud is downloaded or exported into your environment, or synced within integrations in Business Sense or with any other third-party integration. For example, enable disk encryption on your devices and use the export feature with password protection enabled.
Backups
We are equipped with a robust system to:
- Maintain system-level backups encrypted with the AES 256-bit algorithm and stored securely. Automatically run integrity and validation checks of the full backups.
- Enable requests for data restoration and provide secure access to it within the retention period. Provide customers a feature to export and take a backup of their data.
From your end, you can:
- Schedule a backup for your data, export it from its respective Business Sense services, and store it locally in your infrastructure, if necessary. You are responsible for storing it in a secure manner.
Incident management
From our side, we will:
- Report all incidents of breach that we are aware of and that apply to you, along with impact details and suitable actions. For incidents specific to an individual user or an organization, we will notify the concerned party through the email address registered with us.
- Track such incidents and close them.
- Implement controls to prevent recurrence of similar incidents.
- Provide, if requested, additional evidence related to the incident that applies to you.
From your end, we expect you to:
- Take actions suggested by Business Sense in case of a breach.
- Meet your data breach disclosure and notification requirements, such as notifying your end users and data protection authorities when relevant.
- Report security and privacy incidents that you are aware of to incidents@misscrm.in.
Awareness and training
We take complete responsibility for:
- Training our employees to be security-conscious and to adhere to a secure development standard. Newly hired employees take part in mandatory security and privacy training in addition to receiving regular security awareness training via informational emails, presentations, and resources available on our intranet.
- Training our employees on appropriate handling of cloud service customer data.
You are responsible for training cloud users on:
- Standards and procedures for the use of our services.
- How the risks related to our services are managed.
- Risks on the general system and the network environment.
- Applicable legal and regulatory considerations.
Policy and compliance
We adhere to a set of guidelines, such as:
- We have a comprehensive risk management program in place and effectively implement the controls.
- We operate within the laws of the various jurisdictions from which we operate.
- We provide evidence of compliance with applicable legislation and based on our contractual requirements.
- We will assist in DPIA assessments of our customers to the extent allowed by the applicable laws.
We expect you to:
- Evaluate regulations and laws that are applicable to you and review our compliance with regulations and standards that are needed for your business. You can request additional information to serve as evidence of our compliance.
- Understand our policies, our policy assessment methods, and how we process data.
- Conduct a DPIA as required by the data protection laws applicable to your organisation before or while processing data.
- Before you process any personal/sensitive data, assess your lawful basis. In case your lawful basis is consent, ensure you obtain the consent from your customers.
- Assess the suitability of our cloud-based services based on the information we provide and ensure it is sufficient to meet your compliance needs.
- Understand the risk profile and sensitivity of the data hosted in the Zoho services and apply appropriate controls.
Business Sense's responsibility
We are responsible for the protection 'of' the cloud and related controls that run all Business Sense services.
Data security
- We are responsible for the isolation of your data stored with us. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework.
- We are responsible for the confidentiality of your data stored with us at rest, in transmission, and during processing.
- We are responsible for the integrity of both your data and system data such as logs and configuration data.
- We are responsible for traceability and control of your data, such that at any given time, the physical location and processing of data can be known.
Availability
- We are responsible for ensuring that our services are available as per our uptime SLA of 99.9% by handling hardware/software failures and threats like denial of service attacks.
- As a customer, you can visit status.misscrm.in at any time to view the current site status, as well as past disruptions.
Business continuity
- We are responsible for having a business continuity plan in place for our major operations such as support and infrastructure management.
- We will ensure that the application data stored on resilient storage is replicated across data centers. Data in the primary DC is replicated in the secondary in near real-time, and we can switch to the secondary in case of any disaster.
Network controls
We are responsible for operating a secure production network. We use firewalls to protect our network from unauthorized access and undesirable traffic. Access to production networks is strictly controlled.
Host infrastructure
We are responsible for protecting and securing the host infrastructure. All servers provisioned in the production network are hardened according to the standards. OS patch management, baseline configuration, and host intrusion detection technologies are adopted to maintain a secure infrastructure.
Physical security
We are responsible for ensuring that our infrastructure is protected from unauthorized physical access, intrusion, and disasters.
The shared responsibility model for cloud security provides clarity on security expectations for cloud users and cloud service providers. However, an understanding of the expectation is just the first step. Users must take action on these responsibilities by creating policies and procedures for their portion of cloud security. Business Sense will continue to work hard to keep your data secure, like we always have, and will strive to work towards a secure cloud environment.
For any further queries on this topic, feel free to contact us at security@misscrm.in