As a Customer Data Platform software vendor, Nominow is committed to providing highly secure and reliable software. The Nominow SaaS platform is built on current technology and complies with a wide variety of industry-accepted security standards.
Data security is a default mindset in our business and culture, for which we practice high standards. Throughout the product lifecycle, from development to live operation and through the completion of each project, the security of our customers’ data is one of our top priorities.
Our engineers use proven, state-of-the-art security technologies and techniques to protect all systems, data, and information from unauthorized access in the best possible way.
This statement explains our security policies and procedures so that our customers can be confident that their data is secure.
Data Protection and GDPR compliance in the EU
The General Data Protection Regulation (GDPR) has been effective since 25 May 2018.
Nominow has taken the necessary technical and organizational measures to comply with the requirements of the GDPR from its entry into force.
ISO 27001 Certified
Nominow has attained a compliance certification for ISO/IEC 27001:2013, the specification that defines the requirements for an information security management system (ISMS). This security management standard specifies security management best practices and a comprehensive set of security controls.
Policies are approved by senior management, communicated to all personnel to whom they apply, and clearly state the consequences of non-compliance. All employees must review the Information Security Policy and are trained in it during onboarding.
Our ISO/IEC 27001:2013 certificate is valid from May 2019 until June 2022.
SaaS EU Hosting
All client data is processed and stored in data centers in Europe. The Nominow office network and the Software as a Service (SaaS) network are physically separated: they are located in different European data centers and use different routes to the internet. They are also managed by two different teams, the IT Sysadmin team and our SaaS Managed Hosting team, each of which reports to different senior management.
Nominow employs a public cloud deployment model using both physical and virtualized resources for our SaaS solution. All maintenance and configuration activities are conducted by Nominow and Managed Hosting employees.
The Nominow SaaS solution is a multi-tenant architecture in which logical access controls, based on authentication and roles, ensure the necessary separation between the data of different clients.
The architecture provides effective logical data separation for different customers by handling data under customer-specific unique identifiers and using customer-specific data storage. Additional data segregation is ensured by providing separate environments for different functions, in particular for testing and production.
All infrastructure responsibilities rest with Nominow, and clients are provided with functionality to manage their own users and roles at the application level.
Nominow follows the guidance of the ISO/IEC 27001:2013 standard. Additionally, we adopt industry-standard practices for operating highly secure SaaS solutions, including security controls such as firewalls, intrusion detection, change management and written security policies.
- All traffic from and to our service is encrypted using the SSL/TLS protocol.
- We enforce the usage of strong TLS cipher suites.
- Data communication with and within our infrastructure is transmitted over encrypted VPNs.
- All systems are firewalled to a minimal number of access points.
- Unique user identifiers allow customers to assign unique credentials for their users and assign and manage associated permissions and entitlements.
- Customers have the option to manage their application users and to assign or define roles, permissions and rights within their Nominow implementation.
- We enforce a strong password policy.
- Passwords are stored hashed and salted.
- Access to an account is logged, tracked, and audited.
- Brute-force attempts are automatically prevented.
- All operating systems are maintained according to best practices in the industry.
- All recommended patch levels are applied.
- Unnecessary users, services, and components are disabled.
- All systems are constantly monitored.
Secure Data Storage
- Data is stored on virtualized servers in our infrastructure.
- Source code is stored securely within our own firewalled and VPN-protected infrastructure.
- Code analysis is performed in an isolated virtual instance that is destroyed after the analysis completes.