In order to comply with its contractual, legal and security requirements, Fairmarkit enforces a comprehensive set of security policies, standards and guidelines. Here are some examples:
- Governance / Security Management Policy
- Data Classification Policy
- Risk Management Policy
- Acceptable Use and Asset Management Policy
- Data Retention and Destruction Policy
- Vendor Management Policy
- Business Continuity and Disaster Recovery Policy
- Software Development Lifecycle Policy
- Network and System Configuration Policy
- Encryption Management Policy
- Access Management Policy
- Change Management Policy
- Incident Management Policy
The risk management process is the foundation of all of Fairmarkit's security, privacy and compliance activities. Fairmarkit's culture is not just about compliance checklists, but about making the right decisions at every layer of its security management activities. Risk assessments and audits are embraced as opportunities for continuous improvement. Accessible management makes it easy to raise issues rapidly and to respond to the various threats the company may face during its day-to-day activities.
Information security is at the foundation of Fairmarkit's culture. The influence of this culture is apparent in the hiring process, in employee onboarding, in ongoing training and in company-wide awareness events. Fairmarkit performs employee background checks during the hiring process, and new employees undergo security training as part of orientation. Depending on the job role, additional training on specific aspects of security may be required. Employees, contractors and other third parties who may gain access to confidential information must sign a confidentiality agreement. When an employee's, consultant's or contractor's relationship with the company ends, all Fairmarkit property in that individual's custody must be returned, and all computer and work-related privileges are revoked upon notification.
Business Continuity and Disaster Recovery
Being a pioneer in procurement requires trust and reliability. Incidents can happen at any business, which is why we take preparedness seriously. Fairmarkit's team continuously tests and improves its infrastructure, operations and planning activities to prepare for such events. Regular exercises and training help us stay on top of evolving threats, security trends and incidents.
Fairmarkit employs security and privacy professionals who are part of our business and technology operations. The team is tasked with maintaining the company's defenses, developing security review processes, building security infrastructure and implementing Fairmarkit's security policies. Fairmarkit's dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.
Within Fairmarkit, members of the information security team review the security plans for all networks, systems and services. They provide project-specific consulting to Fairmarkit's product and engineering teams, monitor Fairmarkit's networks for suspicious activity, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.
Third party vendor management
Fairmarkit's Security and IT teams are involved in the evaluation and review of vendors. Before outsourcing any IT or information management service, Fairmarkit performs a vendor assessment to confirm that the service provider's security practices conform to the company's Information Security Policy and to legal requirements.
Many of our clients maintain their own compliance requirements and operate in regulated industries, including finance, pharmaceuticals and manufacturing. For these reasons, Fairmarkit has adopted a comprehensive compliance program based on industry cybersecurity practices, standards and privacy regulations:
Fairmarkit has completed a third-party SOC 2 Type 2 audit. The report is available under NDA for customers and prospective customers to review.
Fairmarkit has completed a third-party audit and is certified against ISO 27001. The certificate is available for customers and prospective customers to review.
Data and Product Security
Fairmarkit customers own their data, not Fairmarkit. The data that customers put into our systems is theirs; we do not scan it for advertising purposes and we do not sell it to third parties. We offer our customers a detailed data processing amendment that describes our commitment to protecting customer data. It states that Fairmarkit will not process data for any purpose other than fulfilling our contractual obligations. Furthermore, if customers delete their data, we commit to deleting it from our systems within 90 days. Finally, we make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost imposed by Fairmarkit.
Data classification is an important part of Fairmarkit's information security management program. We recognize that not all information requires the same level of protection, so we use three classification levels to define security requirements: Confidential, Internal, and Public. Handling, labeling and review procedures are established for each classification, and additional procedures are enforced for specific categories of data, such as personal information.
Data Retention and Destruction
Since customer data is owned by the customer, active Fairmarkit customers can access, extract or delete the data stored in Fairmarkit. If a subscription is terminated, the data is destroyed 90 days after contract termination, using a method appropriate to the information's classification level and context. Fairmarkit also maintains stringent security practices for data and asset management to avoid unnecessary exposure to cyberthreats and other information security risks.
Fairmarkit operates a multi-tenant SaaS platform that uses database-level isolation to keep each customer's data segregated from that of other customers. This strategy protects the integrity and security of customer data while maximizing the efficiency and reliability of our systems and the velocity of our engineering teams.
Main platform components include:
- CORE - The primary front-end experience for Fairmarkit users. This is where both buyers and suppliers manage their RFQs, access the marketplace, and see reporting related to their activity.
- Fairmarkit Universal Services Engine (FUSE) - The integration engine of Fairmarkit. FUSE runs recurring syncs between Fairmarkit and a customer's ERP systems via flat files and/or APIs.
- Andromeda - Fairmarkit’s Recommendation services and machine learning engine. This powers supplier recommendations, controls ranking, and improves with data over time based on user activity.
Fairmarkit maintains strong access control policies that govern employee access to all company assets and physical environments. The control processes include, but are not limited to:
- Use of the Principle of Least Privilege
- Unique user identification and authentication
- Multi-factor authentication
- Account provisioning and deprovisioning processes
- Management authorization for access to confidential information
- Secure, encrypted remote access
Furthermore, we regularly review access and roles to ensure that everyone holds only the access rights they need.
Fairmarkit leverages public cloud services as the foundation for its infrastructure. On top of best-in-class IaaS services, all configuration, monitoring and other management activities follow current security best practices. Configuration documentation, benchmarking and testing exercises are performed continuously by the team. Fairmarkit maintains staging and testing environments to ensure that all systems and changes go through a complete lifecycle, including provisioning, patching, scaling and other changes. Integrity services continuously monitor our infrastructure for misconfigurations, unauthorized changes and other technical issues that may impact service security or performance.
The Fairmarkit SaaS application uses a layered, three-tier architecture and incorporates defense-in-depth and Zero Trust principles at its foundation. All of our production networks are continuously tested and monitored for potentially unsafe network configurations or activity. All access to our networks is controlled and requires explicit authorization and multi-factor authentication (MFA).
Encryption & Key Management
Data security is a high priority for Fairmarkit. For this reason, all confidential data is encrypted at all times. Additionally, we never store passwords or other authentication secrets in clear text; passwords are stored only in hashed form. Our servers support strong encryption protocols to secure the connections between customers and Fairmarkit services and APIs.
Fairmarkit uses an endpoint management solution to make sure that all company devices used for business activities are secured. This solution enforces security configurations such as screen lock, disk encryption, a strong password policy and updates, as well as compliance with the Acceptable Use Policy. If necessary, endpoints can be locked or wiped remotely.
Software Development Lifecycle (SDLC)
In order to provide a best-in-class platform, Fairmarkit has adopted a flexible development methodology that takes into account various objectives, including those critical to the business such as privacy and data security. Our SDLC process is continuously reviewed for improvement to ensure product quality and compliance with business objectives. Our product is deployed with common industry-standard tools and follows best practices. All product changes and releases are tested for common security vulnerabilities and for vulnerable code dependencies, to ensure compliance with best security practices such as the OWASP Top 10 and the CIS Benchmarks.
Independent pen testing exercises
To reinforce our commitment to compliance and product quality, Fairmarkit engages various third-party, independent auditing organizations to review our infrastructure, processes and product. This helps us stay on top of current risks, vulnerabilities and trends, and to improve our practices based on the expertise of external experts.
Fairmarkit enforces a stringent Access Control Policy for all access. Multi-factor authentication is mandatory for all employees. We also recommend federated authentication (SSO) to all of our clients. This configuration allows clients to enforce consistent provisioning, operation, monitoring and strong authentication for Fairmarkit alongside their other corporate applications.
When SSO is not configured, Fairmarkit enforces a complex password policy and protects passwords in transit and at rest.
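The two statements above, that passwords are never stored in clear text but only in hashed form (Encryption & Key Management) and that a password policy applies when SSO is not in use, are easy to state and easy to get wrong in code. The following is an added illustration written for this page, not Fairmarkit's own code, of how a service can enforce a minimum-length policy, store a salted slow hash of the password instead of the password itself, and verify a login attempt without leaking timing information. The scrypt parameters, the record format and the 12-character minimum are assumptions chosen for the example.

```python
"""Illustrative password storage: policy check, salted scrypt hash, constant-time verify.
Added example for this page; not Fairmarkit code. Parameters are assumptions."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed, illustrative scrypt work factors (not Fairmarkit's settings).
SCRYPT_N = 2 ** 14      # CPU/memory cost; 128 * N * r bytes of memory (16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32
MIN_LENGTH = 12         # assumed policy minimum for the example


def check_policy(password: str) -> bool:
    """Minimal policy: at least MIN_LENGTH characters and not just whitespace."""
    return len(password) >= MIN_LENGTH and not password.isspace()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh random salt is generated per password, so two users with the same
    password get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def enroll(password: str) -> str:
    """Apply the policy, then return the record to persist. Never store the password."""
    if not check_policy(password):
        raise ValueError("password does not meet policy")
    return hash_password(password)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt" or not salt or not expected:
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    # hmac.compare_digest avoids early-exit timing differences on mismatch.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample input for the example.
    record = enroll("correct horse battery staple")
    print(record)                                     # what would go in the database
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password here", record))            # False
```

Two points worth noting: the stored record carries its own parameters, so the work factors can be raised later and old records re-hashed on next successful login without a flag day, and `verify_password` returns `False` on any malformed record instead of raising, so a corrupted or legacy row cannot turn into an unhandled exception on the login path.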
Availability and Reliability
The Fairmarkit platform is highly redundant. In the event of a datacenter, hardware, software or network failure, platform services and control planes are shifted automatically so that the platform continues operating without interruption. Fairmarkit's highly redundant infrastructure also helps protect customers from data loss. This design has allowed Fairmarkit to achieve uptime of over 99.9% for the last two years with no business-hour downtime. Simply put, when Fairmarkit needs to service or upgrade the platform, users do not experience downtime or maintenance windows.
Fairmarkit maintains separate staging and testing environments for software development to reduce operational risk and ensure platform continuity. These segregated environments are securely managed. A formal change management process is in place to ensure that only authorized changes are made.
Fairmarkit uses logging to record an audit trail of activity within its environment. All logs are centralized to provide a secure and consistent interface for querying and reporting, as well as tamper-resistant log storage.
All logs are periodically reviewed by designated staff for malicious activity, malfunctions and performance issues. Depending on their utility and the retention calendar, logs are kept for a defined period and then securely disposed of.
Fairmarkit performs regular access reviews for all assets. Role descriptions and privileges are updated regularly to avoid excessive rights or conflicts of interest. Rotation of responsibilities and random review exercises reduce the risk of abuse or fraudulent activity.
Fairmarkit performs regular vulnerability scans on all critical business applications and systems. Members of the Fairmarkit Information Security Team regularly monitor threat notification feeds, vulnerability platforms and databases, and other security information sources for up-to-date information on emerging threats, vulnerabilities and exploits.
Additionally, regular security audit exercises are performed to identify new risks, weak security controls and processes. Risk-based remediation activities are documented, approved and applied.
We have a rigorous incident management process for security events that may affect the confidentiality, integrity or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity; events that directly impact customers receive the highest priority. The process specifies courses of action and procedures for notification, escalation, mitigation and documentation. Fairmarkit's security incident management program is structured around the NIST guidance on incident handling (NIST SP 800-61). If an incident involves customer data, Fairmarkit will inform the affected customer and support investigative efforts via our support team.
As a SaaS platform, Fairmarkit operates entirely in a distributed cloud environment. Datacenter physical security is fully outsourced to the service provider, Amazon Web Services (AWS), which complies with the highest physical security standards and practices.
Access to every office space and work area containing confidential information is restricted to those with a need to know, and controls are in place to protect business IT equipment from theft.