Fairmarkit Security Overview

Security policies

In order to comply with its contractual, legal and security requirements, Fairmarkit is enforcing a comprehensive set of security policies, standards and guidelines. Here some examples:

• Governance / Security Management Policy
• Data Classification Policy
• Risk Management Policy
• Acceptable Use and Asset Management Policy
• Data Retention and Destruction Policy
• Privacy Policy
• Vendor Management Policy
• Business Continuity and Disaster Recovery Policy
• Software Development Lifecycle Policy
• Network and System Configuration Policy
• Encryption Management Policy
• Access Management Policy
• Change Management Policy
• Incident Management Policy

‍

Risk management

Risk management process is at the foundation of all Fairmarkit’s security, privacy and compliance activities. Fairmarkit culture is not just about the compliance checklists, but also about taking the right decisions within all layers of its security management activities. Risk assessment and audit exercises are embraced as opportunities for continuous improvement. Management accessibility makes it easy to rapidly raise issues and respond to various threats that the company may face during its day-to-day activities.

‍

Personnel management

Information security is at the foundation of Fairmarkit’s culture. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness. Fairmarkit performs employee background checks during the hiring process, and these new employees undergo security training as part of the orientation process. Depending on the job role, additional training on specific aspects of security may be required, including a confidentiality agreement being signed by employees, contractors, or other third parties who may gain access to confidential information. In the event that an employee, consultant, or contractor’s relationship with the company is terminated, all Fairmarkit property in the custody of that resource shall be returned and all computer and work-related privileges of the individual shall be revoked upon notification.

‍

Business Continuity and Disaster Recovery

Being a pioneer in Procurement means trust and reliability. Incidents may happen at any business. That’s why we take preparedness seriously.  Fairmarkit’s team continuously tests and improves the infrastructure, operation and planning activities to prepare for such events. Regular exercises and training help us stay on top of various threats, security trends and incidents.

‍

Security Team

Fairmarkit employs security and privacy professionals, who are part of our business and technological operations.. The team is tasked with maintaining the company's defense systems, developing security review processes, building security infrastructure and implementing Fairmarkit's security policies. Fairmarkit's dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.

Within Fairmarkit, members of the information security team review security plans for all networks, systems and services. They provide project-specific consulting services to Fairmarkit's product and engineering teams. They monitor for suspicious activity on Fairmarkit's networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.

‍

Third party vendor management

Fairmarkit’s Security and IT teams are involved with evaluations and reviews of vendors. Prior to outsourcing any IT or information management services, Fairmarkit performs a vendor assessment exercise to confirm the conformity of the service provider security practices to the company's Information Security Policy and legal requirements.

Many of our clients maintain various compliance requirements and operate across regulated industries, including finance, pharmaceutical and manufacturing. For these reasons, Fairmarkit has adopted a comprehensive compliance program based on industry cybersecurity practice, standards and privacy regulations:

SOC 2:

Fairmarkit has undergone a third-party audit to achieve certified Type 2 SOC 2 compliance. The report is available under NDA for customers or prospective customers to review.

ISO 27001:

Fairmarkit has undergone a third-party audit to achieve certified ISO 27001 compliance. The certificate is available for customers or prospective customers to review.

‍

Privacy

Fairmarkit follows the rules and guidelines of various privacy regulations such as GDPR and CCPA. Please refer to our privacy policy for more information.

Data Ownership

Fairmarkit customers own their data, not Fairmarkit. The data that customers put into our systems is theirs, and we do not scan it for advertisements nor sell it to third parties. We offer our customers a detailed data processing amendment, which describes our commitment to protecting customer data. It states that Fairmarkit will not process data for any purpose other than to fulfill our contractual obligations. Furthermore, if customers delete their data, we commit to deleting it from our systems within 90 days. Finally, we make it easy for customers to take their data with them if they choose to stop using our services, without penalty or additional cost imposed by Fairmarkit. 

‍

Data Classification

Data classification is an important part of Fairmarkit’s information security management program. We recognize that not all information requires equivalent security, so we have  differentiated three classifications levels to identify security requirements: Confidential, Internal, and Public. Distinct handling, labeling, and review procedures are also enforced for specific categories, like personal information established for each classification.

‍

Data Retention and Destruction

Since customer data is owned by the customers, active Fairmarkit customers can access, extract, or delete data stored in Fairmarkit. If the subscription is terminated, data is destroyed after the 90 day period upon the contract termination at a level deemed appropriate for the information classification level and context. Furthermore, Fairmarkit is maintaining stringent security practices for data and asset management to avoid unnecessary exposure to cyberthreats and other information security related risks.

‍

Platform architecture

Fairmarkit operates a multi-tenant SaaS platform that uses database level isolation to keep data segregated from multiple customers. This strategy ensures the integrity and security of customer data while maximizing the efficiency and reliability of our systems and the velocity of our engineering teams.

Main platform components include:

• CORE - The primary front-end experience for Fairmarkit users. This is where both buyers and suppliers manage their RFQs, access the marketplace, and see reporting related to their activity.
• Fairmarkit Universal Services Engine (FUSE) - The integration engine of Fairmarkit. FUSE allows recurring syncs to occur between a customer’s ERPs via flat files and/or APIs.
• Andromeda - Fairmarkit’s Recommendation services and machine learning engine. This powers supplier recommendations, controls ranking, and improves with data over time based on user activity.

‍

Access Control

Fairmarkit maintains strong access control policies that apply to employee access to all company’s assets and physical environments. The control processes include, but are not limited to:

• Use of the Principle of Least Privilege
• Unique user identification and authentication
• Multi-factor authentication
• Account provisioning and deprovisioning processes
• Management authorization for access to confidential information
• Secure, encrypted remote access

Furthermore, we regularly review access and roles to ensure only needed and adequate access rights for all.

‍

Configurations

Fairmarkit leverages public cloud services as the foundation for its infrastructure. On top of the best in class IaaS services, all configuration, monitoring and other management activities are aligned with best security practices on the market. Configuration documentation, benchmarking, and testing exercises continuously performed by the team. Fairmarkit maintains staging and testing IT environments to ensure that all systems and changes undergo through a complete lifecycle process, including provisioning, patching, scaling and other changes. Integrity services continuously monitor our infrastructure for misconconfigurations, unauthorized changes, or other technical issues that may impact service security or performance. 

‍

Networking

Fairmarkit SaaS application leverages layered, three-tier architecture and incorporates defense in depth and Zero Trust principles at its foundation. All our production networks are continuously tested and monitored for any potentially unsafe network configurations or activities. All access to our networks is controlled and requires explicit authorization and multi-factor authentication (MFA).

‍

Encryption & Key Management

Data security is a high priority for Fairmarkit. For this reason all confidential data is encrypted at all times. Additionally, we never store passwords or other authentication information in clear text–it is always hashed and encrypted. Our servers support strong encryption protocols  to secure the connections between customers  and Fairmarkit services and APIs. 

‍

Device Management

Fairmarkit leverages an endpoint management solution to make sure that all company devices used for business activities are secured. This solution enforces security configurations such as screen lock, disk encryption, strong password policy, updates, as well as compliance to Acceptable Use Policy. If necessary, endpoints can be locked or wiped remotely.

‍

Software Development Lifecycle (SDLC)

In order to provide a best-in-class platform, Fairmarkit has adopted a flexible development methodology that takes into account various objectives, including those that are critical for business activities, such as privacy and data security. Our SDLC process is constantly monitored for improvement to ensure product quality and compliance with various business objectives. The deployment of our product is done with common industry standard tools and follows best practices. All of our product changes and releases are tested for common security vulnerabilities and code dependencies to ensure compliance to best security practices, such as OWASP TOP 10 and CIS benchmarking.

‍

Independent pen testing exercises

To enforce our engagement efforts toward compliance and product quality, Fairmarkit engages various third party / independent auditing organizations to review our infrastructure, processes and the product. This helps us to stay on top of current risks, vulnerabilities, and trends as well as to improve our practices based on the expertise of external experts.

‍

Authentication

Fairmarkit enforces stringent Access Control Policy for all access. Multi Factor Authentication is mandatory for all employees. We also recommend the use of Federated Authentication for all of our clients.. This configuration allows our clients to enforce   consistent provisioning, operating and monitoring and strong authentication to Fairmarkit and along with other corporate applications.

When not configured with SSO, Fairmarkit offers a complex password policy, as well password  encryption in transit and at rest.

‍

Availability and Reliability

Fairmarkit platform is highly redundant. In the event of datacenter, hardware, software, or network failure, platform services and control planes are automatically and instantly shifted so that platform services can continue operating without interruption. Fairmarkit's highly redundant infrastructure also helps customers protect themselves from data loss. Our highly redundant design has allowed Fairmarkit to achieve an uptime of over 99.9% for the last 2 years with no business-hour downtime. Simply put, when Fairmarkit needs to service or upgrade our platform, users do not experience downtime or maintenance windows.

Change Management

Fairmarkit maintains various staging and testing environments for software development to reduce operational risks and ensure platform continuity. These segregated environments are securely managed. A formal change management process is in place to ensure only authorized changes are taking place. 

‍

Log Reviews

Fairmarkit leverages logging to record all trail activities within its environment.. All logs are centralized in order to  provide a secure and consistent interface for querying and reporting as well as tamper resistant log storage mechanism.

All logs are periodically reviewed by designated staff for malicious activities, malfunctions and performance issues. Based on their utility and retention calendar, logs are securely disposed of or kept for a defined period.

‍

Access Reviews

Fairmarkit performs regular access review exercises for all assets. Role descriptions and privileges updated regularly to avoid any excessive rights or conflict of interests. Responsibility rotations and random review exercises reduce the risks of abuse or possible fraudulent activities. 

‍

Vulnerability management

Fairmarkit performs regular vulnerability scans on all critical business applications and systems. Fairmarkit Information Security Team members regularly monitor threat notification feeds, vulnerability platforms or databases, and other security information sources for up- to-date information on emerging threats, vulnerabilities and exploits.

Additionally, regular security audit exercises are performed to identify new risks, weak security controls and processes. Risk-based remediation activities are documented, approved and applied.

‍

Incident management

We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Fairmarkit's security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800–61). If an incident involves customer data, Fairmarkit will inform the customer and support investigative efforts via our support team. 

‍

Physical security

As a SaaS platform, Fairmarkit operates completely in the Cloud and distributed environment. Data center physical security is completely outsourced to the service provider, Amazon Web Services (AWS). AWS complies with the highest physical security standards and practices.

Access to every office space and work area containing confidential information is restricted to limit access to those with a need-to-know and controls are in place to protect business IT equipment from theft.

What type of AI does Fairmarkit use?

Fairmarkit leverages advanced AI technologies, including Machine Learning and Generative AI (GenAI), to optimize its platform.

Machine Learning powers the matching engine at the core of the Sourcing module, analyzing event data and past performance to recommend suitable suppliers for RFx and predict relevant categories of goods or services. Meanwhile, GenAI enhances the intake process orchestration and provides strategic and tactical sourcing content suggestions, improving efficiency and decision-making across the application.

‍

If I opt-in to share my data with Fairmarkit, what data is shared and how is it used?

During customer onboarding, Fairmarkit ingests data from historical purchase orders (POs) and transactions, along with taxonomy, to identify buying behavior, desired outcomes, and supplier interactions. We also incorporate data from the customer's supplier database to enhance our supplier recommendations. Once a customer is live, ongoing data sharing focuses on requisitions and POs, allowing customers to use Fairmarkit to capture spend early and drive desired outcomes through the sourcing process.

Customer data related to requisitions, POs, transaction history, locations, quantities, categories, and similar information is never shared externally. In certain cases, supplier contacts may be shared in isolation and without transaction details to improve supplier recommendations, but customers can opt out of this if they prefer.

‍

How does opting out of data sharing affect my organization?

Opting out of sharing supplier contacts can directly impact supplier recommendations and, consequently, the savings realized or the achievement of ESG and diversity targets. To maintain reciprocity and maximize value for all customers, we recommend opting in for supplier contact sharing. This will allow you to benefit from personalized supplier recommendations, enhancing your overall procurement strategy. 

‍

How is Fairmarkit’s machine learning model customized on my data?

Fairmarkit customizes its machine learning capabilities to suit the specific needs of each customer. For supplier recommendations, we use a customer’s data exclusively to define benchmark prices, preferred suppliers, and geo-fence supplier recommendations to relevant plants and business units.

Regarding our generative AI (GenAI) capabilities that rely on large language models (LLMs), we offer customers flexibility and privacy. Customers can opt-out, use open-source LLMs, or utilize our enterprise third-party LLMs, which have zero data retention and privacy agreements to ensure data security.

‍

How do you handle data when it is used to train the machine learning model?

Our models do not use any explicit attribution or identifying information in the learning process. Instead, we use unique identifiers in our system to obscure easy attribution of data to a specific customer, buyer, or supplier, ensuring data privacy and security.

‍

How do you ensure the anonymization of data before it is used to train your model?

Data anonymization can encompass various methods. At Fairmarkit, we use unique identifiers in our system to obscure easy attribution of data to a specific customer, buyer, or supplier. Our models do not use explicit attribution or identifying information in the learning process, ensuring data privacy and security.

‍

Can I opt out of using Large Language Models through Fairmarkit?

Yes, we offer customers the ability to opt out of using our LLM-enabled features. However, please note that this may affect the availability of certain features related to strategic sourcing and intake processes.

‍

At contract termination, what happens to my data?

Since we continuously retrain our machine learning models with the latest data, data from terminated customers is not used in subsequent model training. Specifically, a terminated customer’s data is retained only for a period of up to 90 days after contract termination. Any contributions to the learned model parameters from that customer’s data will decay over time, ensuring ongoing model accuracy and data privacy.

‍

Do I need to clean / organize my data before sharing it with you?

Clean item and service descriptions, along with up-to-date supplier contacts, significantly enhance the effectiveness of our recommendations and automation capabilities. These elements play a vital role in ensuring the accuracy and relevance of our platform's operations, contributing to the overall success of our solutions for customers.

‍

Do you share data with 3rd party language learning models (LLMs)?

While not all AI capabilities in Fairmarkit rely on third-party large language models (LLMs), when we do utilize them, we exclusively use enterprise versions. These third-party LLMs are governed by agreements ensuring zero data retention, aligning with our policy of not using customer data to train data models. This approach ensures data security and confidentiality while leveraging advanced AI technologies to enhance our platform's capabilities.

‍

Does my company retain sole ownership of data assets generated by third party Large Language Models?

All data entered into the Large Language Models belongs to customers, with all output owned and utilized by Fairmarkit to enhance sourcing workflows. Derivative data derived from client data remains the property of the client, unless specified otherwise in contractual agreements.

‍

For how long and why does the 3rd party (LLM) retain my data?

Our enterprise agreement with OpenAI is zero-retention, meaning they do not retain any data we send them. Their enterprise security policy here.

‍

What level of risk is associated with Fairmarkit's AI use cases?

Fairmarkit is considered low risk for all of its current AI use cases. It's important to note that none of our current use cases involve free interaction between users and AI. Even within the context of Intake, the experience is guided and scoped, ensuring controlled interaction. At Fairmarkit, we prioritize client data security and have formally implemented and enforce an AI Security Policy to uphold these standards rigorously.