SaaS security
Our Squash SaaS offer is built to be simple, efficient, and secure. You will find further information about the hosting policy of our Squash SaaS offer, its infrastructure, and its security below.
Hosting
Henix's Squash SaaS offer provides a Squash TM instance and, optionally, the bug and issue tracker Jira Cloud (owned by Atlassian).
Squash TM Hosting
The Squash TM SaaS instance provided by Henix, as well as its data and backups, is hosted in data centers physically located in France and monitored by companies under French law.
The hosting companies involved in Henix's SaaS Squash offer are:
- Scaleway - https://www.scaleway.com/en/
- OVHcloud - https://www.ovhcloud.com/en/
Physical access to our clients' servers is strictly controlled by our hosting providers, which hold several certifications and attestations, including:
- ISO 27001: 2013 - Information security management system
- ISO 50001: 2018 - Energy management certificate
- GDPR compliance
- Tier 3 Uptime Institute: 2014
- SWIPO (code of conduct for cloud data portability)
You can find more information on their official websites:
- Scaleway: https://www.scaleway.com/en/security-and-resilience/
- OVHcloud: https://www.ovhcloud.com/en/compliance/
Jira Cloud hosting (Atlassian)
If the client chooses the Squash SaaS offer with synchronization to Atlassian's Jira Cloud product, the Jira Cloud instance is hosted directly by Atlassian and follows Atlassian's own policies. Henix cannot guarantee that the data synchronized between Squash TM and Jira Cloud will remain in French data centers or will continue to be hosted by companies under French law. Clients who wish to control, or learn more about, the hosting locations of that product are advised to inquire with Atlassian. Atlassian states that it complies with official European requirements, including data protection rules (GDPR).
GDPR
Our SaaS offer is in accordance with General Data Protection Regulation (GDPR) requirements:
- No personal data are processed or needed to ensure smooth operation of hosted applications. Users are responsible for the data entered in the applications and Henix does not apply any processing other than that necessary for its service commitments (backups, connection logs);
- Henix does not employ subcontractor companies that would process personal data or work with non-European infrastructure;
- Only authorized personnel have access to relevant data;
- Access to Henix's premises is secure.
Any client can contact Henix through the website contact form in order to exercise their rights:
- The right of access: individuals have the right to request a copy of any of their personal data as well as other relevant information;
- The right to rectification: individuals have the right to request rectification of their data kept by Henix;
- The right to erasure: individuals have the right to have their data erased, without undue delay, if one of the GDPR grounds apply;
- The right to data portability: individuals are entitled to obtain their data in structured, commonly used and machine-readable form.
Infrastructure and Security
Application Architecture
Henix's Squash SaaS offer is based on the following components:
- Apache2;
- Squash TM and its built-in web server;
- Java execution environment (long term support release only);
- PostgreSQL databases;
- Optional: Xsquash-Cloud for the JiraCloud offer.
All of these run in a virtualized environment on a Linux-based operating system (the currently supported stable Debian release).
Squash TM Access Management Policy
Access control is guided by the principle of least privilege. An application account with the Squash TM administrator role is handed over to the client when the SaaS is delivered, and any new user account created in Squash TM has, by default, no access to or visibility of any existing project. It is the administrator account's role to create user accounts and to grant read and write rights for each project and each user.
To access Squash TM, users must enter their username and password; accounts are created and managed by the customer. Optional single sign-on (SSO) authentication can be set up on request; the supported protocol is SAML 2.0.
Logging Policy
The access and activity logs ("logs") of the Squash TM application are kept for one month, with automatic log rotation in place. All SaaS system and network activity is recorded in log files that can only be accessed by the system and network administrators and their IT manager. Squash TM application logs are also available to software administrator accounts and to the help desk team.
Business Continuity Plan
Henix has a business continuity plan which guarantees minimal impact for our customers and application availability over the year, in accordance with the General Terms and Conditions of Sale (GTC). Daily, tested, redundant backups (multiple copies on several hosts) of the applications and their databases limit the maximum admissible data loss to 24 hours in the worst case, i.e. a recovery point objective (RPO) of 24 hours. The backup policy is described in the GTC.
System and network security
The hosting of all Squash TM SaaS instances is distributed over several servers, each client running in its own container, isolated from the others and with its own public IP address. The firewall only allows encrypted HTTPS traffic (TLS 1.2 or later); no other traffic is accepted. Henix's system and network administration team is the only team with access to the underlying logical infrastructure of Henix's SaaS offer. Physical access to our servers is strictly controlled by our hosting providers.
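The following Apache 2.4 virtual host is an added illustration of the architecture and network policy described above (Apache2 in front of Squash TM's built-in web server, HTTPS only, TLS 1.2 minimum); it is not Henix's actual configuration. It assumes that the Squash TM built-in server listens on 127.0.0.1:8080, that the instance is reachable as squash.example.com, and that the certificate and key live under /etc/ssl/squash/; all three are placeholders.

```apache
# Added example, not Henix's configuration.
# Assumptions: Squash TM's built-in web server listens on localhost:8080 only,
# the public hostname is squash.example.com, certificates are in /etc/ssl/squash/.
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias.

# Port 80 serves nothing in clear text: every request is redirected to HTTPS.
<VirtualHost *:80>
    ServerName squash.example.com
    Redirect permanent / https://squash.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName squash.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/squash/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/squash/privkey.pem

    # Weak setting, shown for contrast only: "all" still accepts TLS 1.0 and 1.1.
    # SSLProtocol all

    # Policy setting: refuse everything below TLS 1.2.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    # Forward-secret AEAD suites only; the server, not the client, picks the suite.
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    SSLSessionTickets   off

    # Browsers that have seen this host once will never retry it over plain HTTP.
    Header always set Strict-Transport-Security "max-age=63072000"

    # Reverse proxy to the built-in Squash TM server. Because the application
    # binds to the loopback address, its port is never reachable from outside.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With this in place, a host firewall that only opens TCP 443 (and 80 for the redirect) completes the "HTTPS only" rule. To check the policy from outside, `openssl s_client -connect squash.example.com:443 -tls1_1` must fail the handshake while `-tls1_2` succeeds; a scanner such as `nmap --script ssl-enum-ciphers -p 443 squash.example.com` should list no protocol below TLSv1.2.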
Security Control Framework
For each SaaS instance, operating system security updates (including middleware such as the web server, the databases, the Java environment, etc.) are applied automatically within 24 to 48 hours of becoming available in the official repositories. Non-critical operating system updates are installed weekly using the same procedure.
Regarding application security updates for the SaaS offer (Squash TM, Xsquash-Cloud), customers are notified by email as soon as possible of the release of the update and of the time slot in which the SaaS application(s) will be updated. Updates always take place outside working hours (working hours being the opening hours of the Squash help desk team).
Jira Cloud updates depend on Atlassian's policy.