Information Security Policy

Version 1.1
Last modified: April 2024

In case you need a PDF version of this Policy, you can print this page or request one through the Contact Form on the website.

UbiOps is registered at the Dutch Chamber of Commerce under Dutch Analytics B.V. with registration number 66849381 and with its primary offices at Wilhelmina van Pruisenweg 35, 2595 AN, the Netherlands.

 

Information Security Statement

UbiOps is committed to protecting its users’ data and information, using industry best standards to do so. We understand the importance of data security and do our utmost to ensure that data held and processed by us is protected, using state-of-the-art security practices.

UbiOps recognizes that the confidentiality, integrity and availability of information and data created, maintained and hosted by UbiOps and its suppliers is vital to the success of the business and privacy of its users. UbiOps views these primary responsibilities to be fundamental to the best business practice and to ensure compliance with all applicable laws, regulations and obligations.

January 2024, The Hague, The Netherlands

Yannick Maltha (CEO) and Victor Pereboom (CTO)

 

Introduction

A wide range of measures has been implemented to ensure the security and protection of data, intellectual property and other information stored, processed and exchanged using the UbiOps platform. This document provides an overview of the main security standards and features.

Because UbiOps can be used as a Software as a Service (SaaS) solution as well as installed stand-alone in the customer environment (On Premise), some parts of this document contain “On premise additions”. These additions define the differences between the two variants. In general, the on premise variant will receive the same measures and policies as the SaaS solution, with the addition of the measures and policies in the aforementioned “On premise additions”.

If you are interested in measures related to data privacy & GDPR, please take a look at our privacy policy on our website.

 

Security Standards & Audits

UbiOps is certified to be compliant with the ISO27001:2017 standard for information security and the NEN7510 standard for processing health related information.

 

Information Security Management System

To stay compliant with the ISO27001 and NEN7510 standards, UbiOps maintains an information security management system (ISMS). Its end goal is to ensure information security in relation to all processes of UbiOps, protecting the confidentiality, availability and integrity of information on the UbiOps platform and throughout its business operations.

 

External audits

For the independent assessment of information security, UbiOps has an independent audit carried out at least once a year by a Certifying Body that is accredited for the relevant standards by the Dutch accreditation council (RvA). The audit includes the following information security standards:

  • ISO/IEC 27001
  • NEN 7510

 

Security Incident Management

 

Information Security Incident Management

An information security incident is any event that (potentially) jeopardizes the confidentiality, integrity or availability of information within the organization.

UbiOps has a dedicated process in place for managing information security incidents and keeping track of their origin, classification and resolution status.

In addition to implementing fast and effective resolutions to incidents, incidents are also a tool to continuously improve information security. By thoroughly analyzing information security incidents, UbiOps prevents similar incidents in the future. Therefore, all reported information security incidents are documented.

 

Data Breaches

A data breach is an example of a security incident. Because of its importance, a separate procedure has been set up for this category. It is important that a data breach is always handled in the same way according to the best practices of the Dutch government body for Information Security (“Autoriteit Persoonsgegevens”).

 

Incident response and notification

In case of any identified vulnerabilities that might impact users of the UbiOps platform, users will be informed as soon as possible by email with information about the issue, the potential impact and the measures we will take to resolve the incident. UbiOps will also inform users about any measures they can take themselves to minimize the potential impact. Fixes and patches will be released on our SaaS solution as soon as they are ready. Customers will be notified beforehand of any impact on uptime, compatibility or performance related to these fixes.

 

On premise addition: Incident response and notification

Impact will be assessed on a case-by-case basis by one of our security experts. On-premise users will receive this assessment, including an action plan to implement the needed fixes. Fixes will be distributed in the form of a new release.

 

Development process & release management

 

Dedicated information security specialists

All our developer team members are trained regularly on security and best development practices as a whole. However, several assigned developers, positioned in key areas, have received and keep receiving extra training on security. Internally we call them “security experts”. Together these security experts protect the security of the complete system.

UbiOps communicates its information security policy to all personnel, requires employees to sign non-disclosure agreements, and provides ongoing privacy and security training.

 

Source code management

The UbiOps platform is developed using modern version control standards. This means that great care is taken in logging changes and versions of the source code. Errors or bugs can be traced back through version history. The source code is also split into multiple parts, which eases access control and provides a separation of concerns.

 

Access control

Access to the UbiOps source code and all related development tools and platforms is secured using role-based access control methods. Access is given only when needed. Password requirements are in line with best practices. On top of this, two-factor authentication is mandatory, providing an extra layer of security.

 

VPN

Access to all our software development tools, including git, and development environments is only possible through our company network. Access from any other network, for example when working from home, is secured by VPN.

 

Feature development

Our software is developed using the principles of Agile Software Development (Scrum). New features will always be tested, developed and evaluated completely separately from the current main source code. When this development is done and testing has been successful, the feature will be subjected to multiple code reviews before it is merged into the main source code.

 

Software testing

Unit tests & Integration tests are a standard part of the development and release methodology. This also includes tests of security aspects. Automated integration tests are performed on every new version and installation of UbiOps. 

 

Security review

A review of our internal security measures is performed periodically. This review uses a security checklist which is compiled using sources such as the OWASP and CIS benchmarks. This checklist has been verified with external Cyber Security Experts and priorities have been set accordingly. The topics addressed are:

  • Technology: how to design and write software with security in mind. E.g., on the checklist are encryption of customer data, isolation of workloads using firewalls, container security.
  • Company wide security measures: ensure that employees work securely and do not have more permissions than needed. This includes raising awareness of security policies within UbiOps, using 2FA for all company accounts, and different access levels for different roles in the company.
  • Software development process: the way software is written and released in UbiOps adheres to certain standards. Some examples are: separate development, staging and production environments, a small group of system administrators, use of a secrets manager for all access.

 

New releases

The SaaS version of UbiOps will be updated automatically when new features are ready and stable for normal operation. Users will be informed about new releases at least 1 week before new functionality is released. In case of breaking changes, a compatibility or conversion process will be implemented, allowing users to switch without problems. An example of one of these systems would be a compatibility layer to support deprecated API versions. Such systems will also keep receiving security updates.

On premise addition: New releases

For on-premise installations, new functionality will be released and installed in agreement with the customer. Because our architecture makes use of Kubernetes and Docker images, deploying new patches and functionality is simple and efficient, with low risk of downtime.

 

Technical security measures in the UbiOps platform

 

User management & Authentication

 

User and Permission system

UbiOps has built-in functionality for managing users, including their roles and permissions. This provides a way to allow or restrict view and edit rights for all objects within UbiOps on a granular level. An example would be restricting the permissions of an employee to only the projects he or she is working on.

 

Authentication

UbiOps user accounts are secured with a password and additional two-factor authentication. Password requirements are in line with the latest best practices. Furthermore, UbiOps has a built-in option for enabling two-factor authentication for all UbiOps users in an organization.

UbiOps also supports Single Sign-On (SSO). This way customers can use their own Identity Providers for authentication. 

Supported Identity Providers:

  • Google Gmail & Google Workspace
  • Microsoft Entra (Active Directory)
  • Custom SSO integrations are possible upon request for private UbiOps installations

 

Permission management & role based access control

Granular role based access & permission control is available in the UbiOps platform and can be configured by organization administrators.

Entities like models, connectors and pipelines are logically separated within projects inside a UbiOps organization (account) and access can be restricted by an administrator.

 

API

Access to the UbiOps API is secured by time-limited, token-based access control. These tokens are linked to service users. These service users can be subjected to the same granular role-based access and permission management system as normal users.

 

Data management

Secure data storage

Data is encrypted, both in-transit and at-rest. Data in model requests and related logs are not stored in UbiOps in any permanent way. UbiOps is a platform for hosting data processing operations, not intended for long-term data storage. 

UbiOps offers ways to manage secrets, like database credentials, securely outside the code uploaded by a user in the form of environment variables.

 

Data storage location

The UbiOps Cloud (SaaS) platform is hosted at cloud service providers in the European Union. All data being processed or stored within UbiOps is always within this region and will never be transferred to another region without a user’s consent.  

 

Continuity & Disaster Recovery

UbiOps has systems in place to resume operation after an incident. These systems include but are not limited to:

  • Regular encrypted backups to multiple storage facilities within the operating region.
  • Fast transition of critical platform infrastructure to another data center within the operating region in case of a data center failure.

 

Backups and redundancy

Daily backups of UbiOps Cloud are made to minimize data loss in the event of a critical incident. This includes databases and model containers themselves. With minimal data loss it is also possible to get the system to a previously working state quickly, preventing downtime.

Redundancy is applied on multiple levels. Our cloud service providers apply redundancy to their servers. Furthermore, depending on the installation, UbiOps uses multiple master nodes within Kubernetes to add an additional level of redundancy.

 

Low level isolation of workloads

In UbiOps every model has its own container environment. Minimal permissions are used for both file system access and network access from inside containers. Workloads cannot access each other directly over the network, but only via our API. Containers run as a dedicated service user with minimal privileges.

 

On premise addition: Infrastructure

In a local, on-premise installation, UbiOps will run inside the virtual private cloud environment of the customer. UbiOps does not require any communication outside of the perimeters of the VPC environment and has no public facing endpoints in this respect. The customer has the option to set up additional networking and firewall services and rules, restricting access to UbiOps from outside the customer environment. Access control to the infrastructure resources where UbiOps runs will be controlled by the customer. It is important to note that, while this gives more flexibility to the security measures on an infrastructure level, the security on this level is the responsibility of the customer.