Security

Overview

Integration is everything we do at Ferrio, so we truly understand the need to keep the data we handle safe. All of your organisation's data is sensitive, not just your financial data or personally identifiable information covered under GDPR and similar legal frameworks, so the same rules are applied across the product.

Data Retention

Ferrio Connect is an integration platform, not a storage platform. We retain as little data as possible and delete data permanently and immediately when it is no longer needed.
We do need to retain some data to allow features like loop detection in multi-directional integrations and run history logging. You can configure how long this data should be stored for, as well as view and manually delete data from the portal. Some integration platforms store separate logs that are hidden from end users for internal troubleshooting processes. We do not store any data beyond what you can view and control in the portal.
Data is encrypted at rest and stored in ISO 27001-compliant data centres from major providers (currently Microsoft Azure). Your account settings allow you to configure which region your data is stored in.

Data In Transit

We use TLS 1.2 wherever possible; however, we can be limited by the capabilities of the APIs we communicate with. Some older products do not support TLS 1.2, and in these cases we must use the relevant security protocol, which is used only for calls to that specific API.

Personally Identifiable Information

Personally identifiable information (PII) is any data that could potentially be used to identify a particular person, and is covered by various legal frameworks around the world including GDPR, the UK Data Protection Act (UKDPA), and CCPA. Some of the data we handle may constitute PII, such as contact data received from CRM systems or social networks.

PII is handled no differently to other data in Ferrio Connect; as little data as possible is stored for the shortest timeframe possible, all the data we store is visible to you, storage timeframes are configurable by you, and all data is encrypted at rest.

Access Control

Access Control covers two areas: user access to the Ferrio portal, and Ferrio platform access to connected applications.

Ferrio Connect uses Auth0 to allow sign in with trusted authentication providers, such as Google and Microsoft AD. Additional security layers such as MFA are handled by these authentication providers.

To communicate with connected applications, Ferrio Connect must store credentials. These are typically OAuth tokens generated when you sign in to an application, but this ultimately depends on the protocols used by the applications we are connecting to. In some cases, particularly when communicating with older applications, we may need to store a username and password. In all cases, credentials are encrypted at rest.

Change & Vulnerability Management

Security is at the core of our development process and our culture encourages security as the first consideration before adding any new feature or connection to the product. OWASP Top Ten principles (https://owasp.org/www-project-top-ten/) are followed throughout the product design process. We conduct peer review of all new code with security as a primary consideration, from new platform-level features to bug fixes, as per industry-standard approaches.

We carry out automated security scanning of software before release to production to mitigate supply chain attacks.