CoreView security overview

Our application adheres to the following certifications:

• ISO 9001: Quality Management System
   
• ISO 27001: Information Security Management
   
• ISO 27018: Protection of Personal Data in the Cloud
   
• SOC 2 Type 2 and Type 3: Service Organization Control for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Additionally, we have plans to achieve IRAP certification in 2025.

• Our application is hosted on Microsoft's Azure cloud platform, with data centers located in:
  • Europe
  • United States, US (GCC)
  • Canada
  • Australia
  • United Kingdom.
     
• We ensure logical partitioning of customer tenants to maintain data separation and security.
   
• To guarantee continuous monitoring and security, our platform is observed around the clock using a combination of:
  • Microsoft Sentinel
  • Azure Monitoring
  • Azure Application Insights
  • Zabbix
  • Graphana
  • and Sysdig.
     
• For real-time updates on our system's status, please visit our public status dashboard at https://status.coreview.com

• We ensure that all data is encrypted both in transit and at rest using 256-bit AES encryption.
   
• Only metadata is collected, using Graph API and service accounts with the Global Reader role. These accounts are secured through Conditional Access policies, restricting access to specific IP addresses.
   
• For US Government customers, data is hosted in the Microsoft Azure Government Computing Cloud (GCC).

• Our application is hosted in Azure, leveraging Microsoft's physical data center controls.
   
• Privileged access by CoreView personnel is strictly based on job necessity, facilitated through a set of security facilities combined with jumpboxes with exclusive access to specific IP addresses.
   
• All activities are logged in a SIEM platform, with video recordings of sessions retained for 10 years.

• Operators use Single Sign-On (SSO) with Microsoft accounts, ensuring no credentials are stored in CoreView.
   
• Multifactor authentication is enforced for added security.
   
• For advanced management mode, service account details are securely stored in Azure Key Vault.

• We conduct ongoing and continuous monitoring of virtual machines, networks, and services using Microsoft Defender for Cloud.
   
• Static code analysis is integrated into our Continuous Integration process.
   
• Code quality is maintained through a rigorous Pull Request process, reviewed by a dedicated team of Senior Software Engineers.
   
• We check software package vulnerabilities using Trivy.

• All staff are required to complete annual security and compliance training.
   
• Background checks are conducted during the hiring process.
   
• End-user computers are protected with various tools like Microsoft Intune, DLP, Microsoft Defender, and firewalls.
   
• We conduct constant simulations of phishing, social engineering, and other cybersecurity threats to maintain a high level of security awareness.
   
• Only a set of specific employees, that have signed a specific agreement with CoreView, are authorised to access data-centers directly in case of Incidents. 

• We have a documented Business Continuity Plan that is tested every 12 months.
   
• Disaster Recovery and Backup/Restore procedures are regularly updated and tested as part of our Industry Standards Certification process.
   
• Automated patching is managed through Azure Update Manager, ensuring no impact on live services.
   
• We maintain a Service Level Agreement (SLA) of 99.9%.

• We use Microsoft Web Application Firewall for continuous attack protection.
   
• Regular penetration testing is conducted by a third-party security company at least once a year.
   
• Keys and passwords are rotated constantly to enhance security.