Information Security Practices and Procedures
Information security is at the heart of Semantic Web Company (SWC). This is reflected in our organizational structure, security policies and processes as well as in the fact that we are ISO 27001:2013 certified. The ongoing certification process includes regular and independent audits by third-party organizations. Employees of the company follow special security rules for the workplace, which include a reporting obligation for security incidents. Mandatory security trainings are organized for all employees.
SWC protects its infrastructure by establishing a dedicated disaster recovery and business continuity plan, backing up all company data, logging and monitoring all relevant events and actively preventing unauthorized access.
All system and network environments at SWC are protected by next-generation firewalls to ensure business and customer security. SWC leverages host-based intrusion detection/prevention systems (HIDS/HIPS). All hosts are scanned every 24 hours for file changes to alert on intrusion attempts, and logs are monitored for out-of-band changes to the database.
PoolParty can be licensed as an on-premise installation or as a cloud service. The majority of our company servers run in the ISO 9001:2008 and ISO 27001:2005 certified DATASIX data center located in Vienna, Austria. The data center has multiple redundant power supplies and the highest level of fire and water protection as well as state-of-the-art access control. Access to the company servers in the data center is restricted through biometric access controls, and the data center is under permanent video surveillance.
SWC is committed to the secure development of its software. It follows industry best practices for secure dependency management, source code management, vulnerability management, management of data in transit and at rest, and secure software design and development. The source code is stored in well-secured Git repositories with write access restricted to the development team. The JavaScript source code is minified and kept private.
PoolParty follows industry best practices: it exposes only the data needed for the particular purpose at hand and keeps sensitive data in memory or in unencrypted form only as long as necessary. Any sensitive data that is exposed to the outside is always encrypted (or hashed, in the case of passwords) with state-of-the-art cryptographic tools based on strong standard algorithms, such as PBKDF2 for hashing passwords or AES with a configurable key size for handling third-party credentials.
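The paragraph above names PBKDF2 as the password-hashing algorithm. The example below, added here and not taken from PoolParty's code, shows what a PBKDF2-based password store looks like in practice: a per-user random salt, the iteration count recorded alongside the hash so it can be raised later, and a constant-time comparison on verification. The PRF (SHA-256), salt and key lengths, iteration count and the `pbkdf2_sha256$iterations$salt$hash` record layout are all assumptions chosen for the example, not PoolParty's configuration.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (example values, not PoolParty's settings):
# SHA-256 as the PRF, a 16-byte random salt, a 32-byte derived key
# and 600,000 iterations.
PRF = "sha256"
SALT_BYTES = 16
KEY_BYTES = 32
ITERATIONS = 600_000
SCHEME = f"pbkdf2_{PRF}"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2 hash and return a self-describing record.

    Record layout (assumed for this example): scheme$iterations$salt$hash,
    with salt and hash base64-encoded. Storing the iteration count lets the
    policy be tightened later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)  # fresh salt per password, never reused
    derived = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record; returns None when it is malformed."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        if scheme != SCHEME:
            return None
        return int(iterations), base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record is malformed or weaker than the current policy,
    so the application can re-hash the password on the next successful login."""
    parsed = _parse(record)
    if parsed is None:
        return True
    iterations, _salt, derived = parsed
    return iterations < minimum_iterations or len(derived) < KEY_BYTES


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
```

The `needs_rehash` check is the piece most often missing from hand-rolled stores: it is what makes a configurable work factor actually configurable, because old records are upgraded transparently the next time the user presents the correct password.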
PoolParty provides various ways to authenticate users. The default authentication method for the user interface is password-based verification, and administrators can configure a strong password policy. Customers can also leverage their existing access management infrastructure and configure single sign-on. Social login and multi-factor authentication (MFA) are available out of the box. Token-based authentication (OAuth 2.0) is implemented for all PoolParty APIs except for UnifiedViews.
Tip
For more information on this subject, refer to the Information Security Practices and Procedures white paper.