SaaS Vendor Qualification

Transcription

1 SaaS Vendor Qualification

2 Samanage recognizes our customer s due diligence responsibility, in the selection of any cloud service, to protect the interests of their customers, shareholders and employees. This document is designed to answer the typical questions we receive from information security professionals concerning our information security processes and practices. Company Name: Services Offered: Service Classification: Samanage USA Inc IT Asset Management and integrated Service Desk SaaS/Cloud GENERAL 1. How long has Samanage been in business? Answer: Since In what jurisdiction / region is your company incorporated? Answer: Samanage USA Inc. is a Delaware corporation with its headquarters in Cary, NC. 3. What is the annual revenue of your company (USD)? Answer: Samanage is a private company and does not disclose its revenues. 4. Please describe, in general terms, the viability of your company and the Service over the next two years (i.e. growth, venture capital, innovation, etc.). Answer: Samanage has tripled annual growth by over three consecutive years. In 2014, Samanage increased its customer base by 90 percent, with customers now in 51 countries. Read more on Samanage growth and momentum. Samanage is financed by leading Venture Capital firms: Carmel Ventures: Gemini: Marker LLC: Vintage Investment Partners: Page 2

3 5. How long has your company been providing the Service? Answer: The Samanage IT Asset Management solution was introduced in The Service Desk was introduced in What percentage of your company s annual revenue is generated from the Service? Answer: 100% of the company s revenue comes from its SaaS offering. 7. Approximately how many customers utilize the Service? Answer: More than Are any customers available for discussing Service satisfaction with potential customer? Answer: Yes. Introductions will be provided on request. 9. Are any Service customers in the healthcare, financial, or government industries? Health Care industry customers include: Advanced BioScience Laboratories,Inc Lagniappe Health Companies xg Health Solutions CGNet - Sonitus Medical The Center for Wound Healing Restorix Health FirstCare Health Plans Virgin Care NextMed, Inc. Medidata Solutions N - Pharma, Ltd. Alaris Health Victor Chang Cardiac Research Institute Augusta Health Financial industry customers include: Dun & Bradstreet Bluegarden A/S The Riverside Company PRA Group OSTC Limited KeyPoint Credit Union Yapstone Sberbank AG Lucania Gestion Keesler Federal Credit Union Page 3

4 Government customers include: WA Health Benefit Exchange VA Office of the Attorney General WI Economic & Development Commission Cochise County City of Raleigh DC Government Town of Cary Parsons - Dept of Labor 10. Are any Service customers in the US publicly traded? Publicly traded companies that are customers of Samanage include: Vocus Dun and Bradstreet Fugro Oxford Immunotec Ticketmaster Punch Taverns Marin Software Fraser and Neave Medidata Rocket Fuel Select Comfort Envestnet 11. Does the Service provide support for SOX, HIPAA, and/or PCI compliant processes? Please provide supporting information. Answer: Yes. Samanage takes compliance seriously. For more information on our processes and policies not contained in this document, please see Trust & Transparency ( samanage.com/trust) and additional FAQs ( 12. Are there customers who are required to comply with HIPAA? Answer: Health care providers, health plans, and health care clearing houses are required to comply with HIPAA requirements to protect the privacy and security of health information. In 2009, HIPAA rules extended to business associates of covered entities, including entities or persons that provide data transmission services to a covered entity and require routine access to protected health information (PHI); subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate; and vendors that offer personal health records to one or more individuals on behalf of a covered entity. Read the Samanage HIPAA policy ( 13. Is Samanage willing to execute a NDA/confidentiality agreement with customer? Answer: Yes. Please contact Samanage for more information. Page 4

5 14. Are any 3rd party services utilized by Samanage to provide the Service? If so, please describe. Answer: Samanage servers are hosted with Amazon Web Services. For complete details on our data centers, please see Trust & Transparency ( on the Samanage website. 15. How many developers are allocated to the Service full time? Answer: Twenty 16. How many support staff are allocated to the Service full time? Answer: Nine DATA CENTERS 1. Please provide the names and locations of all data centers used to provide the Service: Answer: Samanage is hosted with Amazon Web Services on the east coast of the United States (Northern Virginia region). 2. Please indicate data center tier(s), and how frequently data centers are tested for compliance: Answer: Please see 3. Do you measure the performance and effectiveness of your contracted data centers? Answer: Yes. Samanage monitors the performance and effectiveness of data centers on a regular basis. Please see the Samanage system status page ( Page 5

6 4. Please provide a brief description of a data center catastrophic failure scenario (i.e. what can be expected in regards to the Service and Customers data in the event of a failure). Answer: Samanage has implemented a Disaster Recovery program designed to allow us to operate the Samanage service without losing any customer data. Built using Amazon EC2 and S3 infrastructure services, our system and backups will reside in 4 separate availability zones in the Amazon East Coast (Virginia) data center - separate availability zones means that each has its own power/security etc. An additional database replication which will be located in a totally separate Amazon geographical region. 5. Are data center controls audited by an accredited 3rd party? If yes, please provide copies of SAS 70, SSAE 16, or other applicable reports. Answer: Yes. For additional information please see 6. Provide a description of the access and physical security controls utilized at the data center(s). Answer: The data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. 7. Provide a description of environment controls utilized at the data center(s). Answer: AWS provides fault tolerant web architectures and a world class network infrastructure that is carefully monitored and managed. For more information, please see Amazon Web Services: Overview of Security Processes ( whitepapers/security/aws%20security%20whitepaper.pdf). 8. Provide a description of the power architecture at the data centers(s). Answer: AWS provides fault tolerant web architectures and a world class network infrastructure that is carefully monitored and managed. For more information, please see Amazon Web Services: Overview of Security Processes ( whitepapers/security/aws%20security%20whitepaper.pdf). Page 6

7 9. Provide a description of the network architecture at the data center(s). Answer: AWS provides fault tolerant web architectures and a world class network infrastructure that is carefully monitored and managed. For more information, please see Provide a description of the fire detection and suppression systems employed by the data center(s). Answer: Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet pipe, double interlocked pre action, or gaseous sprinkler systems. 11. What protection mechanisms and techniques are utilized in the data centers providing the Service (firewalls, intrusion detection, monitoring, etc)? If multiple data centers (production and/or backup) exist, also include a description of data protection between centers. Answer: AWS provides fault tolerant web architectures and a world-class network infrastructure that is carefully monitored and managed. For more information, please see Amazon Web Services: Overview of Security Processes ( Security/AWS%20Security%20Whitepaper.pdf). 12. Do data center staff undergo background checks? Answer: Yes. Samanage and AWS have established formal policies and procedures to delineate the minimum standards for logical access to the Samanage and AWS platform and infrastructure hosts. Samanage and AWS conduct criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee s position and level of access. These policies also identify functional responsibilities for the administration of logical access and security. Page 7

8 DATA SECURITY 1. Do you have a disaster and recovery plan that fully includes all aspects of the Service? Answer: Yes, we have implemented a Disaster Recovery program designed to allow us to operate the Samanage service without losing any customer data. Built using Amazon EC2 and S3 infrastructure services, our system and backups will reside in 4 separate availability zones in the Amazon East Coast (Virginia) data center - separate availability zones means that each has its own power/security etc. An additional database replication which will be located in a totally separate Amazon geographical region. 2. Describe the Service tenancy model (hosted, single, multi, etc). Answer: Multi-Tenant 3. Describe how Customers data is isolated from the data of other customers. Answer: The multi-tenant database is separated by unique keys. All customer data in our database is also scoped with an additional column in the database which contains a customer ID which is unique. This means that each data item in the database (e.g. incident, computer, mobile, change, etc.) is always scoped uniquely to a singular account. Each and every access to the application database must contain within it also this unique identifier. 4. Please provide a description of the data backup mechanisms used to backup and restore the Service and data, including frequency and retention periods. Answer: As the first level of data protection, all customer data is continually backed-up to local disk and every night to an offsite location. Your data is safe and your information can be quickly restored if needed. All necessary precautions are taken to ensure privacy, security and retrievability of your account information. 5. Describe restoration testing procedures and frequency. Answer: Constant redundancy with daily offsite backups. Page 8

9 6. Please provide copies of all policies regarding customer data. Answer: Please see the Samanage Privacy Policy ( and the Samanage Master Service Agreement ( More information can be found on the Trust & Transparency ( page of the Samanage website. 7. Describe who has access to customer production and backed-up data, and the automatic and procedural controls in place to prevent unauthorized internal access (by staff, contractors, or other). Answer: Individuals with customer facing positions and those who have access to customer data have received training on our Privacy Policy. This includes employees from Sales, Engineering, Customer Support and Finance. All new employees who fit into this category will receive the same training. Privacy Policy training is incorporated into Samanage new hire training and HR policies as well as the Samanage Employee Handbook. Awareness of and adherence to the Privacy Policy is also included in the employment contracts for all employees. Selected team members who have access to customer data in order to provide the services that customer s have contracted for receive additional training. 8. Please describe how passwords are stored in the Service. Answer: See Customer Data section of our Privacy Policy ( privacy.html) In transit we use an SSL certificate with key length of 2048 bits to encrypt the passwords. Passwords in the database are hashed with MD5 (128 bits) and we use a random Salt encrypted with SHA1 (160 bits) to create a hashed password. 9. Is customer data encrypted in production? In backup? If yes, who has access to the keys? Answer: All data is encrypted in transfer and at rest and all access to the service is governed by strict password security policies. Only selected employees have access to the keys. These employees receive special training and are selected based on the roles required for Samanage to provide the service that our Customers have contracted for. Page 9

10 10. How are security breaches communicated to customers (method and timeliness)? Are all breaches, including internal breaches shared? Answer: Yes, breaches are communicated in multiple ways. All breaches will immediately be assigned the highest severity and will be escalated to all levels of management. Customers will be notified immediately and the Samanage Status page will be periodically updated to provide close to real-time information. 11. How many security breaches have been reported in the past 3 years? Answer: None 12. How quickly are Service security flaws patched? Answer: Immediately. We are working everyday to make our service more secure and up to date with the latest security technology. Penetration testing is run as an integral part of our Engineering process and any flaws that might be detected will immediately be treated as high priority and resolved according to internal SLAs. 13. Is access to the Service provided via secure means (encryption, etc)? Please describe. Answer: Samanage protects customer data by ensuring that only authorized users can access it using their username and password. Account Administrators can assign security rules that define which users in their company or partners have access to the data based on user s roles. All communication between the user s browser and Samanage is encrypted via SSL. 14. In what instances/scenarios would Service data travel unencrypted/unprotected over the public Internet or any network? Answer: Samanage application data will never travel unencrypted/unprotected over the public Internet or any other network. All data is encrypted in transfer. Page 10

11 DATA OWNERSHIP AND AVAILABILITY 1. Please describe the mechanisms through which Customers can request and receive full copies of its data (including audit trails) in a standard, human readable electronic format (i.e. CSV). Also include allowed request frequency. Answer: Customers can receive a weekly scheduled backup of all their data in CSV format. Customer data can also be manually exported to CSV at any time. For more information see our Master Service Agreement ( 2. How long are (undeleted) customer records stored in the service retained and accessible? Answer: Please see our Master Service Agreement ( for more information. 3. Are records deleted by the customer available for retrieval? Describe the process and retention period. Answer: No. Customer records that are deleted cannot be retrieved, except for extenuating circumstances under which a request can be made by the Customer and Samanage will research the possibility of retrieving individual records. 4. Please provide a description of your policy regarding data ownership and availability should the Service be discontinued or sold. Answer: Please see our Master Service Agreement ( for more information. 5. Please provide a description of your policy regarding data ownership and availability should Customer fail to meet its payment obligations. Answer: Please see our Master Service Agreement ( for more information. Page 11

12 6. Will any Customers data/information be shared with any 3rd party for any reason? If yes, please describe. Answer: No. This is addressed under the Customer Data section of the of the Samanage Privacy Policy ( SERVICE LEVEL 1. Please provide Service availability statistics for the past 12 months. Answer: Please see the Samanage system status ( page. SUPPORT 1. Please describe the level of technical support included with the service, including business hours and expected response & resolution times. Answer: Please see the Customer Support Policy ( 2. Describe any additional support levels available for subscription. Answer: Yes. Please contact your Account Manager for further details. Customer support satisfaction is published on the Samanage Customer Support page ( com/home) 3. Please describe, in general, the qualifications of your support staff at all tiers. Answer: All support staff are qualified according to the standards set by the management team to ensure that Samanage maintains it excellence as a SaaS vendor. 4. Will an account representative be dedicated to my account? Answer: Depending on the level of service subscribed to, a Customer Success Representative may be assigned. However, all customers have free and unlimited access to Onboarding/Activation Webinars that are conducted at least twice every week. Page 12

13 SERVICE CHANGES 1. Please describe the mechanism(s) through which service enhancements or bug fixes are introduced into production. Answer: We publish all new features and service enhancement in our customer community: 2. How will customers be notified about changes to the production Service? Answer: Customers can subscribe to the Samanage system status page ( samanage.com) to get notified of known issues, and participate in the customer community ( for notifications on new service capabilities. 3. Describe the process should a production modification have a negative impact on customers data or configuration. Answer: Please contact Samanage support ASAP and the issue will be escalated. support@samanage.com or call INTEGRATION 1. Does your service provide an API accessible by customers? If yes, please provide a description of the API architecture (SOAP, REST, etc). Answer: Yes, We support RESTful access to the entire service. The API is documented at Examples and use cases for using the API can be found at the customer community ( We recommend using curl for developing and testing out the various features that the API offers. Another online option to curl is hurl. 2. Please provide a description of the API security model if it differs from the standard interface. Answer: The API supports user/password as well as HTTP digest authentication. Please see above for API documentation. Page 13

14 3. Please provide any limitations imposed on the API (number of transactions, CRUD restrictions, inaccessible objects, etc). Answer: Customer may not use the API in a manner, as reasonably determined by Samanage, that exceeds reasonable request volume or constitutes excessive or abusive usage. If any of these occur, Samanage can suspend or terminate the Customer s access to the API on a temporary or permanent basis. See the Master Service Agreement for more information ( CUSTOMER RESPONSIBILITIES 1. If applicable, please provide configuration or usage instructions that the customer must follow to ensure data security and Service performance. Answer: Please see our Master Service Agreement ( for complete information on customer responsibilities. Page 14