Security overview

Questions are regularly asked about various aspects of information security. This topic provides an overview of generic security-related topics for Invantive technology.

Generic

Procedural

The following topics provide background on procedural issues:

Compliance

Invantive focuses on internal control using user controls, process controls and application controls.

Neither Invantive software products nor hosted products are tested or audited periodically by an external party. When required, Invantive can introduce an Invantive partner for such additional services.

Customers may request an Escrow Agreement in line with article 11 of the Invantive conditions:

11.5 Subscriber and Supplier agree that the Subscriber may request an Escrow Agreement with a third party approved by the Supplier and to be approved by Subscriber in the event a Subscription Agreement is currently in effect between the parties at the time the request is submitted. On this basis, the Supplier will file a copy of the source code for the Software with this third party. All of the costs associated with this Escrow Agreement are at the Subscriber's expense.
11.6 Any escrow agreement terminates automatically when the Subscription Agreement ends. After expiration of the Subscription Agreement, the Subscriber may no longer derive any rights from the escrow agreement.
11.7 The third party referred to in previous Article will make the source code available to Subscriber or its legal successors in the event Subscriber notifies the third party in a registered letter that the following cumulative conditions have been satisfied, and that these cumulative conditions continued to be satisfied in the 30 days subsequent to that:

  • A petition is filed for the bankruptcy of the Supplier;
  • The Supplier is declared bankrupt;
  • A moratorium is granted to Supplier (temporary or otherwise);
  • After one of the aforementioned circumstances has arisen, Subscriber does not appear to have been notified, through the receipt of a registered letter from the Supplier, that a third party will be taking over the Supplier's maintenance obligations.

11.8 The Subscriber will send a copy of the letter it is to send by registered post as referred to in the previous Article, immediately and also by registered post to Supplier.
11.9 After the source code for the Software has been released as stipulated in this article, Subscriber is entitled to maintain the Software itself (or have this done), also including the translation of or otherwise making the Software suitable for use in combination with new versions or releases of the Equipment, the repair of any Errors and the application of improvements to the Software.
11.10 From the time the source code for the Software is released as stipulated in this article, Subscriber is also entitled to make the Software interoperable with other computer software belonging to it or third parties, and for that purpose, to transpose the Software to other copies or versions of the Equipment and to remove any protection (or in fact apply it) present in the Software.

Confidentiality is governed by article 14 of the Invantive conditions:

Article 14. Confidentiality
14.1 Parties will make every effort to prevent confidential information belonging to the other party from being disclosed or made available to third parties. None of this applies in the event the party disclosing the information demonstrates that certain details have already become public knowledge, as a result of actions other than a violation of this confidentiality requirement.
14.2 Supplier is not permitted to announce in advertisements, promotional messages or other activities within the scope of its marketing efforts the fact that Subscriber is one of its clients, with the exception of prior written permission from Subscriber.
14.3 The Supplier is responsible for an appropriate level of security on the server at the system level.
14.4 The security measures shall be at an appropriate level, given the current state of technology, the sensitive nature of the data and the costs associated with taking security measures.
14.5 The Subscriber is responsible for a sufficient degree of security at the Software level (including but not restricted to user codes, passwords, functional separation within the application, etc.). The Subscriber is also responsible for a sufficient degree of physical security, as well as the security of the Subscriber’s own network.

Data

Cloud-based Products

With cloud-based products, your data flows through an Invantive server and local caches can be maintained. These products include:

  • Invantive Cloud
  • Invantive Bridge Online
  • Invantive App Online
  • Get My Report
  • Valuta Tools

When stored on disk, the caches are stored in an encrypted format. Log files are stored without encryption and can include some business data, for example as part of an error message, but security-sensitive data is excluded from logging and typically replaced by ‘***’.

Cloud-based products also log to Invantive servers as described in the next section.

On-premise Products

With on-premise products, only a limited part of your data is sent to Invantive servers. The communication is directly between the on-premise product and the cloud platforms. The following data is collected and sent to Invantive servers:

  • partition use and statistics
  • table use and statistics
  • user identifications
  • errors

This data is used for billing, audit and optimization. Most errors, partition use and user identifications are visible in System Messages on Invantive Cloud. Most table use and statistics are visible through Session I/Os. Invantive Cloud shows the most recent data; this data, plus more detail, is logged for an extended period of at least three months.

Invantive SQL Data

Product-specific

Invantive Cloud

Platform-specific

Exact Online

ANSI SQL