TRUST CENTER

OutThink Security and Compliance

OutThink takes security extremely seriously. Our security and governance program is focused on the security and privacy of your data. We are continuously assessing and improving our controls and associated processes by driving priorities through our Information Security Management framework.
OutThink has implemented a continuously advancing and improving security practice.
OutThink’s policies, processes, and procedures align with those identified in ISO/IEC 27001 and SOC2. Our existing customers include international banks, large-scale international enterprise organizations, as well as various financial organizations with equally strict security policies and standards.

OutThink takes reasonable and prudent measures to safeguard the security of the customer data in its possession. Our security personnel operate OutThink’s Information Security Management System (ISMS), which encompasses high-quality network security, endpoint security, application security, identity and access control, change management, vulnerability management, supply chain management, disaster recovery, governance & compliance, physical security and people/HR security.

OutThink is listed on the Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) registry, which encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices. You can view OutThink’s listing here.

To validate OutThink’s operational processes and security stance, we are currently undergoing an ISO/IEC 27001:2022 audit, with certification expected by end November 2024.


Software Security

Our software development lifecycle incorporates OWASP’s industry-recommended practices for producing secure code and extended testing to ensure a safe product. Software changes at OutThink are delivered through a rigorous Continuous Integration/Continuous Deployment pipeline with mandatory gates at each stage, segregated code peer reviews and high visibility of the changes being delivered.
The OutThink platform undergoes software composition analysis and vulnerability scanning as part of the build process. All source code is developed in Git branches, which are subjected to both static and dynamic application security testing triggered on every pull request. Corrective actions are enforced before code is allowed to be merged to master branches.

Penetration Testing

As part of our security efforts, our platform undergoes frequent and rigorous penetration tests conducted by recognized external companies. All findings are ticketed and managed in OutThink’s internal issue tracking platform, with resolution or mitigation expedited by the Information Security and Engineering Teams. We do not tolerate outstanding critical, high, medium or low severity items.

Customers on our Enterprise plan are permitted to undertake their own security assessments of the OutThink Platform, subject to strict adherence to our Security Assessment Agreement. Contact your Customer Success Representative for more information.

Whether or not you are an Enterprise customer, if you find a vulnerability, please follow our Responsible Vulnerability Disclosure process to report it to our security team.

Human Risk Management

All OutThink employees undergo regular security awareness training and assessments, delivered via the OutThink platform. New joiners are automatically assigned mandatory comprehensive security training. As an organization, we continuously test our employees’ awareness through various types of phishing simulation campaigns, including ground-breaking Microsoft Teams based exercises and individually tailored learning experiences. We also ensure regular scheduled affirmations of policy awareness, for example, our internal Acceptable Use Policy and Information Security Policy.

OutThink is a pioneer in Human Risk Management, and we “eat our own dog food”. We leverage the OutThink platform to comprehend our employee behaviors, attitudes, and intentions during our cybersecurity awareness training and simulations. We integrate with our existing security systems, in particular Microsoft Graph API, Defender and our SIEM, to enable us to pinpoint any high-risk groups, dissect the root causes of risk, and address critical questions.

OutThink Sub-Processors

OutThink uses sub-processors to assist in securely providing OutThink’s services. A sub-processor is a third-party data processor engaged by OutThink who agrees to receive personal data from OutThink intended for processing activities to be carried out (i) on behalf of OutThink customers; (ii) in accordance with customer instructions as communicated by OutThink; and (iii) in accordance with the terms of a written contract between OutThink and the sub-processor.

Prior to onboarding sub-processors, OutThink conducts an audit of the security and privacy practices of such sub-processors to ensure the sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Sub-processors are re-authorized upon contract renewal or on an annual basis.

You can view our approved and validated sub-processors here.

OutThink Hosting & Resilience

OutThink is a SaaS solution deployed as a multi-tenant, shared-resource architecture that is hosted in Microsoft Azure’s world-class data centers. Microsoft has numerous certifications, including ISO/IEC 27001 and SOC2. For additional clarification, visit the Microsoft Service Trust Portal here.

OutThink is hosted primarily in the Netherlands (EU); occasionally, we use services located in the Republic of Ireland (EU) when they are not available in the Netherlands.
All data storage is subject to our High Availability & Disaster Recovery (HADR) policies. This includes secure data storage in the secondary location for all data, with automated failover or distributed traffic management in place, as necessary. Storage assets and infrastructure in the backup data center are managed as part of the production environment, with all production controls applying, including data encryption. Our services typically support continual, automated, hands-off failover.

We closely monitor and publish our uptime statistics, and our service is subject to strict Service Level Agreements with our customers. You can view our current and historical service levels here.

Authentication and SSO

The OutThink Command Center allows customer administrators to securely sign in using Single Sign On with either their Microsoft account, or by integrating their corporate Identity Providers via either SAML 2.0 or OpenID Connect.
For calls to the OutThink API, only revocable tokens are accepted.

Business Continuity

In addition to our infrastructure resilience, we are also organized by design to ensure our business continues to operate well in the event of a major disruption. Our teams are located across Europe and the USA, and our technology infrastructure allows for flexible remote working. We perform regular Business Continuity exercises for a variety of scenarios.

Application and database upgrades are performed using the blue/green deployment method, making the OutThink Change Management Process transparent to our customers. If a deployment requires a planned outage, we notify our customers via our Customer Success Team and the OutThink platform status page.

Data Security

A defense-in-depth strategy is implemented at OutThink, with security and operations fully specified at the design stage and built in from the ground up, never retrofitted to an existing solution. A fundamental principle applied throughout the platform is the use of encryption for data both at rest and in transit.
In addition to encryption, other techniques are employed to ensure adherence to various regulations (such as GDPR) and industry best practices. These include the use of automatic provisioning of infrastructure (a fully hands-off approach) and pseudonymization of personal data.

System Security

OutThink runs its workloads inside private networks behind firewalls, on first-class Microsoft Azure infrastructure.
Permissions to access infrastructure resources are modeled through IAM policies, with multi-factor authentication always required for access and secure transport protocols enforced. Access to the infrastructure, including storage and databases, is restricted to our OutThink Application Support & Infrastructure teams.
The OutThink system is subject to continuous logging, monitoring, and alerting through our SIEM to keep the support teams informed of operational, capacity, performance, and security issues.

© 2023 OutThink Ltd. Company no. 096433149.
