SECURITY

ITBM uses world-leading security solutions to ensure that our service and your data are safe, always.

At ITBM we protect the information of our customers from all over the world with absolute transparency and support at all times.

General description

ITBM manages the information of more than 10,000 organizations worldwide. We understand that customers expect us to protect their data to the highest standards and we are committed to delivering a secure and reliable environment. The security model and controls are based on international standards and industry best practices such as ISO 27001 and OWASP Top 10.

How do we protect your data?

Our systems are hosted across multiple Availability Zones on the Google Cloud Platform. This allows us to deliver a reliable service and ensure that your data is available whenever you need it.

Data centers use the latest physical and environmental security measures to achieve a highly resilient infrastructure. For more information on security practices, see:

GCP security page

Application security

ITBM, in the CulturalGo family of products, implements a security-oriented design in several layers, one of which is the application layer. The application is developed according to the OWASP Top 10 framework and the code is fully reviewed before deployment to production.

The controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit testing that addresses authorization issues, and more. ITBM developers receive regular security training to stay up to date with best practices for secure development.

Infrastructure security

Another layer of security is infrastructure. As noted above, the CulturalGo family of products is hosted on GCP. In addition, the infrastructure is protected with multiple layers of defense mechanisms, such as the following:

  • Firewalls for enforcement of IP whitelisting and access only through allowed ports for network resources.
  • A web application firewall (WAF) for blocking dynamic content-based attacks.
  • DDoS mitigation and rate limiting.
  • IDS sensors for early detection of attacks.
  • Advanced routing configuration.
  • Full log of internal and external network traffic.

Data encryption

ITBM, in its CulturalGo family of products, encrypts all data in transit and in storage:

  • Traffic is encrypted using TLS 1.3 with a modern cipher suite, compatible with TLS 1.2 or higher.
  • User data stored throughout the infrastructure is encrypted using AES-256 or higher.
  • Credentials are encrypted and scrambled with a modern hashing function.

External security audits and penetration tests

Independent third-party assessments are essential to gaining an accurate and unbiased understanding of your level of security. ITBM conducts penetration testing annually at the application and infrastructure level with recognized independent auditors.

In addition, a permanent audit is carried out using Google Cloud's Security Command Center tools, along with ISO certifications and other external audits.

Physical security

ITBM is a cloud-based company and no part of the infrastructure is kept on-premises. Physical security in the offices includes access control based on personal identification, monitoring with closed circuit television and alarm systems.

ITBM data centers are hosted on the Google Cloud Platform infrastructure, where the latest physical security measures are applied.

Disaster recovery and backup

ITBM is committed to providing continuous and uninterrupted service to all customers. We make a backup of user data every 24 hours. All backups are encrypted and distributed to multiple locations, where they are kept for 25 days.

The Disaster Recovery Plan is tested at least twice a year to assess effectiveness and keep teams aligned on responsibilities in the event of a service outage.

Security awareness and training

ITBM understands that security depends on its employees. That’s why all employees receive information security awareness training during onboarding. Additional security training is provided every three months. All employees must sign the Acceptable Use Policy.

Access control

We know that the data you upload to any of the CulturalGo family products is private and confidential. We regularly review user access to ensure proper permissions are in place based on the principle of least privilege. Employee access rights are changed immediately when there is a change in employment.