Working Practices
Breato's comprehensive privacy and security program includes communicating
with personnel and customers about current issues and best practices.
Internal training and communications for Breato personnel
Breato regularly communicates with our personnel about our obligation to
safeguard confidential information, including customer data and personal
information.
- Breato provides classroom training around confidentiality, privacy, and
information security for all new employees during its monthly new hire
orientation.
- All Breato personnel are required to complete an annual privacy and
security training and are tested on the materials presented.
- Breato communicates with all personnel about privacy and information
security awareness through monthly newsletters.
Customer end user awareness
Breato strongly encourages all of our customers and users to adopt
industry-standard solutions to secure and protect their authentication
credentials, networks, servers, and computers from security attacks.
- We communicate with our customers about current issues and trends through
our web site, http://www.breato.com.
- We email end users about specific security issues when warranted.
- We publish a Security Implementation Guide for customers to learn more
about how to implement customer-controlled security settings. The Security
Implementation Guide is available in the Security section of the Breato web
site, http://www.breato.com.
People
Breato has multiple organizations, teams, and individuals responsible for
security and security-related matters, including a Chief Technology Officer,
responsible for information security, product security, corporate security,
enterprise risk management and technology audit and compliance, and a Privacy
Counsel, responsible for Breato's privacy program, including compliance with
applicable privacy and data-protection laws. Additionally, all Breato personnel
follow Breato's confidentiality, privacy, and information security
policies.
Technology
Breato maintains a comprehensive array of technical measures to protect the
Breato service and offers a robust set of customer-controlled settings to
further heighten privacy and security protection.
Default privacy and security features
Application features that protect customer data
- Connection to the Breato service is via Secure Sockets Layer/Transport
Layer Security (SSL/TLS), ensuring that our customers have a secure
connection to their data. Individual user sessions are uniquely identified
and re-verified with each transaction.
- Customers' passwords are not accessible to Breato personnel.
- Application logs record the creator, last updater, timestamps, and
originating IP address for every record and transaction completed.
Logical separation of customer data
- Hardware and software configurations are designed to provide secure
logical separations of customer data that permit each customer to view only
its related information.
- Multi-tenant security controls include unique, non-predictable session
tokens, configurable session timeout values, password policies, sharing
rules, and user profiles.
- The Breato service supports delegated authentication.
Network security measures
- Multiple layers of external firewalls
- Intrusion-detection sensors
- Security event management system
- Continuous external vulnerability scanning
Redundancy and scalability
The Breato service is highly scalable and redundant, allowing for
fluctuation in demand and expansion of users while greatly reducing the threat
of long-term outages. Load-balanced networks, pools of application servers, and
clustered databases are features of our design.
Disaster recovery
All customer data is stored in secure data centres and is replicated over
secure links to a disaster recovery data centre. This design provides the
ability to rapidly restore the Breato service in the case of a catastrophic
loss.
Backups
In addition to our disaster-recovery capabilities, customer data is also
backed up to disk in a separate data centre.
Customer-Controlled Privacy and Security Settings
- Customers may determine which of their respective designees can access
different categories of data.
- Customers may set customizable password rules.
- Customers may define log-off times for inactivity.
- By default, Breato's Identity Confirmation feature automatically
recognizes whether a user is logging in from an IP address or device that
has been previously used. Unrecognized IP addresses or devices prompt
identity re-verification.
- Customers may enable Breato's IP Range Restrictions feature, which lets
them restrict the range of IP addresses from which their designees may log
in. The 'Restricting Login Ranges for Your Organization' section of the
Breato User Guide is available to customers in the Help and Training
section of the Breato service.
- Customers may create custom fields that are encrypted in storage for
sensitive information types. The 'About Encrypted Custom Fields' section of
the Breato User Guide is available to customers in the Help and Training
section of the Breato service.
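As an added illustration, not Breato's own code: a login policy check that models the two settings described above, IP Range Restrictions (a per-customer allowlist of CIDR ranges) and Identity Confirmation (re-verification when a login comes from an IP address and device the user has not used before). The ranges, usernames and device identifiers are constructed values, and treating either a known IP or a known device as "recognized" is an assumption about how the feature behaves.

```python
import ipaddress

# Constructed example: a customer's configured login IP ranges (hypothetical values).
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


class LoginPolicy:
    """Evaluates a login attempt against an IP allowlist and a per-user history
    of previously confirmed IP addresses and devices."""

    def __init__(self, allowed_ranges=()):
        # An empty allowlist means IP Range Restrictions are not enabled.
        self.allowed = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
        self.known_ips = set()      # (username, ip) pairs that passed re-verification
        self.known_devices = set()  # (username, device_id) pairs that passed re-verification

    def evaluate(self, username, ip_str, device_id):
        """Return 'deny', 'reverify' or 'allow' for one login attempt."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return "deny"  # a malformed address can never satisfy the allowlist
        if self.allowed and not any(ip in net for net in self.allowed):
            return "deny"  # IP Range Restrictions: source is outside every permitted range
        # Identity Confirmation (assumed semantics): a previously used IP or device is
        # recognized; anything else requires re-verification before a session is issued.
        if (username, str(ip)) in self.known_ips or (username, device_id) in self.known_devices:
            return "allow"
        return "reverify"

    def confirm(self, username, ip_str, device_id):
        """Record the IP and device once the user has passed re-verification."""
        self.known_ips.add((username, str(ipaddress.ip_address(ip_str))))
        self.known_devices.add((username, device_id))


def demo():
    """Walk through a sequence of constructed login attempts for two users."""
    policy = LoginPolicy(ALLOWED_RANGES)
    results = [policy.evaluate("alice", "203.0.113.17", "laptop-1")]  # first login: reverify
    policy.confirm("alice", "203.0.113.17", "laptop-1")
    results.append(policy.evaluate("alice", "203.0.113.17", "phone-9"))     # known IP: allow
    results.append(policy.evaluate("alice", "198.51.100.40", "laptop-1"))   # known device: allow
    results.append(policy.evaluate("alice", "198.51.100.200", "laptop-1"))  # outside the /25: deny
    results.append(policy.evaluate("bob", "203.0.113.17", "laptop-1"))      # no history for bob: reverify
    return results
```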