Security is our top priority

The Sam360 management team spearheads the organisation’s Information Security Management Program. The program includes quarterly or annual reviews of the following policies

  • Development Operations
  • Network Security
  • Disaster Recovery Plan
  • Security Incident
  • Safe Place to Work
  • Employment contracts
  • General IT Usage Policy (Workstation Security, Server Security, Equipment Disposal, Password, Remote Access, Mobile Device Management policies are all developed in line with ITIL standards)

The program also includes (at least) an annual review of our regulatory and legal requirements. Sam360’s Business Continuity Plan identifies and helps mitigate risks associated with development operations and information security in particular. Sam360’s policies are clearly documented and relayed to staff as part of our continuous improvement and CPD programs.

Our development guidelines are developed in conjunction with OWASP Development, Testing & Code Review guides.

Sam360 commits extensive resources to the design, implementation, monitoring & maintenance of our security infrastructure. This includes

  • Highly scalable and redundant online infrastructures
  • Constant monitoring of production systems
  • Ongoing threat assessments
  • Rapid deployment of industry standard security technologies

We adhere to the highest security standards for security at every level of the Sam360 experience. You can collect inventory and manage you software estate with confidence. In addition to a 99.9% network uptime guarantee, Sam360 clients also benefit from

  • Data encryption on transfer. All sensitive data is encrypted with AES 256 bit during transfer.
  • Data encryption at rest. All backups are encrypted using AES 256 bit.
  • Role based access controls and auditing
  • AD integration

Data Retention

Customer data is retained in line with the details below.

Record Type Retention Period
Software Utilization Data 7 months or 1 month post project completion
Device & User Data (Hardware details, Software Inventory, User CAL requirements etc.) 1 month post project completion
Client Data (Logon credentials, License Information, System Configuration) 3 months post project completion
Client Communications Permanent

Clients can request that their data be removed immediately after project completion. Once client data is deleted from the live environment, it may remain in encrypted offline backups for up to 3 months.

Third Party Audits, Reviews & Certificates

Sam360 works with organisations of all sizes to enable compliance with the most rigorous of standards.

  • Our international data centers have completed an SSAE 16 Type II SOC 2 audit and earned the SOC3 seal of assurance. The certification documentation can be downloaded below. Further SOC certification information is available here. The certification was granted for period beginning April 2017. Azure SOC Report (PDF)
  • Our servers undergo daily vulnerability scanning using the McAfee Secure Site Service
  • Our Service web site is certified as PCI compliant as a level 1 supplier
  • We’ve completed multiple client ISO 27001 Information Security audits for organisations in financial services and other regulated industries. Client testimonials are available upon request.
  • The service was formally accepted in to UK Government G-Cloud Digital Market Place in January 2016
  • All Web Portal and API access is encrypted with a 2048 bit RSA GoDaddy certificate. Certificate created 2017-12-07, Subject Key ID 6b526919acfee69ec256f7f0c6421210b1bf98f2 and certificate serial number 645aaac35ffe505e
  • All Sam360 installer packages are signed using a Comodo 2048 bit RSA Comodo Code Signing certificate. Certificate created 2016-05-17, Subject Key ID d719bbeeb00fc621a98ad8ba42e14a21123d9f01 and certificate serial number 6e7cd0c0ad3ab45920fec82c0a56c9de

Data Sovereignty

Sam360 offers 3 hosting regions to allow clients to choose where their data is stored and processed. Client data never leaves their selected region. The Sam360 service is hosted entirely on Microsoft Azure. Microsoft Azure has the most comprehensive compliance coverage of any cloud provider. For more details, check here.

Region Primary Servers Location Encrypted Backup Location
North America East US North Central US
Europe North Europe (Ireland) West Europe (The Netherlands)
Australia and New Zealand Australia East Australia South East

For more details on our policy in relation to physical, network and application security, backup and retention, DR/BCP and incident management, please contact us.