
Information Security

EXP understands that the confidentiality, integrity, and availability of our customers’ information are vital to their business operations and our own success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our application, systems, and processes to meet the growing demands and challenges of security.

Data Centers

Our service is colocated in top-tier data centers. These facilities provide carrier-grade support, including:

Access Control and Physical Security

  • Our data center facilities throughout North America and Europe have been certified according to SSAE 16, ISO 27001:2005, ISO 14001:2004 and OHSAS 18001:2007 requirements.
  • These facilities are designed to meet the stringent standards for security processes and operational controls that Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley and other regulations require.
  • These facilities are designed to maintain the processes and controls for security, network, power, redundancy, cooling and fire suppression.
  • 24×7 onsite security staffing and site access control.
  • CCTV surveillance.
  • Two-factor access control (biometric plus badge) and mantraps.

Network Security

  • IPsec VPN via vShield Edge.
  • Cloud Connect for direct MPLS/P2P connectivity.
  • Fully managed Intrusion Detection Systems/Intrusion Prevention Systems.
  • Firewall services.
  • Dedicated SonicWall NSA-series firewalls are deployed in an active-failover, high-availability configuration with load balancing. Stateful packet inspection and intrusion prevention protect the infrastructure and applications, and a VPN layer provides secure access to servers, applications and databases.
  • Cloud security:
      • Role-based access controls.
      • VM compliance, log monitoring and reporting.
      • Data encryption.

Network Protection

  • Stateful deep packet inspection and intrusion prevention are configured on our hardware firewall.
  • The VPN layer allows only authorized personnel to reach the server network.

Power

  • N+1 or greater redundancy on power and cooling.

Applications & Data Security

EXP security teams are dedicated to ensuring your applications and data stay secure and available.

Application Environments

  • Three-tier application environment.
  • Environments are reachable only through the VPN firewall.
  • Strong internal controls and policies dictate access to environments.
  • Customers have the option of shared or dedicated environments.
  • Security patches are regularly applied to operating systems, databases and other server software.

Authentication Security

  • EXP direct authentication:
      • Direct authentication to EXP applications uses ASP.NET forms authentication backed by SQL Server through the ASP.NET SqlMembershipProvider.
  • Customer-provided authentication:
      • AD, LDAP and ADFS options are available.
      • Windows Authentication options are available.
  • HTTPS with TLS configured to industry-standard policies.

Application Connectivity

  • Connections to EXP applications are secured using HTTPS with current industry-standard TLS encryption. Deprecated SSL protocols, including SSL 3.0, are not supported for application connectivity. TLS certificates are currently issued through Let’s Encrypt, a widely trusted public Certificate Authority supported by major technology platforms and root programs, including Microsoft, Google, Apple, and Mozilla.
  • Each user session is identified and re-verified on every transaction, using a CSRF token generated for each form.
  • IP filtering can be enabled to deny access from addresses outside an approved list.
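The per-form CSRF token described above, as an added illustration that is not EXP's code (EXP's applications are ASP.NET; this is a language-neutral Python sketch of the same synchronizer-token pattern). The token is bound to the session ID and the form name with an HMAC under a server-side key and carries its issue time, so a token leaked from another session, replayed on a different form, tampered with, malformed, or older than `max_age` is rejected on submission. `SERVER_SECRET`, `TOKEN_MAX_AGE`, and the session and form names used in the demonstration are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: in a real deployment the key comes from a key store, not from
# process start-up; regenerating it invalidates every outstanding token.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds; assumed token lifetime for the example


def _canonical(*parts: str) -> bytes:
    # Length-prefix each field so "a|bc" and "ab|c" cannot collide.
    return "".join(f"{len(p)}:{p}" for p in parts).encode()


def _mac(session_id: str, form_id: str, nonce: str, issued: int) -> str:
    # The MAC binds the random nonce to this session, this form and this time.
    msg = _canonical(session_id, form_id, nonce, str(issued))
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_id: str, now: Optional[float] = None) -> str:
    """Create a fresh token for one rendering of one form in one session."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # new value on every form render
    return f"{nonce}.{issued}.{_mac(session_id, form_id, nonce, issued)}"


def verify_token(token: str, session_id: str, form_id: str,
                 max_age: int = TOKEN_MAX_AGE, now: Optional[float] = None) -> bool:
    """Re-verify the token on submission; any defect rejects the request."""
    try:
        nonce, issued_s, mac = token.split(".")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False  # missing, malformed, or non-numeric issue time
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= max_age:
        return False  # expired, or an issue time in the future
    expected = _mac(session_id, form_id, nonce, issued)
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(expected, mac)


if __name__ == "__main__":
    # Constructed session and form names for a quick demonstration.
    t = issue_token("sess-7f3a", "transfer-funds", now=1_700_000_000)
    print(verify_token(t, "sess-7f3a", "transfer-funds", now=1_700_000_100))  # True
    print(verify_token(t, "sess-9c21", "transfer-funds", now=1_700_000_100))  # False
```

Because the token is self-authenticating, the server keeps no per-form state; it only needs the key, the caller's session ID and the form name to re-verify. The session ID in the MAC input is the server-side session identifier, never a value the client can choose.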

Backups

  • Backups are encrypted.
  • Frequency – Daily / every 24 hours.
  • Retention – Daily backup for 7 days, Weekly backup for 4 weeks and Monthly backup for 6 months.

Disaster Recovery

  • 48-hour recovery after complete failure (maximum allowable downtime).
  • Disaster recovery tests verify our projected recovery times and the integrity of the customer data.

Governance and Security Management

Security Management

  • EXP keeps an extensive set of internal controls and procedures to ensure compliance and to operate proactively.

Application Vulnerability Threat Assessments

  • Network vulnerability threat assessments.
  • Penetration testing and code review.
  • Security control framework review and testing.

Security Monitoring

  • EXP monitors notifications from various sources and alerts from internal systems to identify and manage threats.

Testing and Control

  • EXP conducts regular code reviews to ensure secure coding standards are followed and to help prevent vulnerabilities such as XSS, CSRF and SQL injection. Exception management in production environments is handled securely: sensitive technical details such as stack traces, SQL statement fragments, table names and database names are not exposed to users.
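The production exception handling described above, as an added example that is not EXP's code (a language-neutral Python sketch; EXP's applications are ASP.NET, where the equivalent is a custom error page with the raw exception logged server-side). The leaky handler is shown beside the shielded one: the shielded handler logs the full exception and stack trace under a random reference ID and returns only a generic message plus that ID, so a support request can be matched to the log entry without the client ever seeing SQL text or object names. The `DatabaseError` class, the query, the table name `dbo.Customers` and the `_SENSITIVE` pattern are constructed for the example.

```python
import logging
import re
import traceback
import uuid
from typing import Dict

log = logging.getLogger("exception-shielding-example")

# Assumption: fragments that must never appear in a client-facing message
# (SQL keywords, schema-qualified object names, stack-trace markers).
_SENSITIVE = re.compile(
    r"\b(select|insert|update|delete|from|where|join)\b|\bdbo\.|traceback|\.py\b",
    re.IGNORECASE,
)


class DatabaseError(Exception):
    """Constructed stand-in for a driver exception that echoes the SQL."""


def run_query(sql: str) -> None:
    # Constructed failure: real drivers put object names and the statement
    # text in their messages, which is exactly what must stay server-side.
    raise DatabaseError(f"Invalid object name 'dbo.Customers' while executing: {sql}")


def _format_trace(exc: BaseException) -> str:
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def leaky_response(exc: BaseException) -> Dict[str, object]:
    """The pattern to avoid: raw exception text and trace reach the client."""
    return {"status": 500, "error": str(exc), "detail": _format_trace(exc)}


def shielded_response(exc: BaseException) -> Dict[str, object]:
    """Log full detail under a reference ID; return only a generic message."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s\n%s", ref, type(exc).__name__, exc, _format_trace(exc))
    return {"status": 500, "error": "An internal error occurred.", "reference": ref}


def response_is_clean(body: Dict[str, object]) -> bool:
    """True if no SQL fragment, object name or stack-trace text is present."""
    text = " ".join(str(v) for v in body.values())
    return _SENSITIVE.search(text) is None


def handle_request(shielded: bool = True) -> Dict[str, object]:
    """Simulated request handler; the query below always fails."""
    try:
        run_query("SELECT Email FROM dbo.Customers WHERE Id = 7")
    except Exception as exc:  # catch-all so nothing unhandled leaks a trace
        return shielded_response(exc) if shielded else leaky_response(exc)
    return {"status": 200}


if __name__ == "__main__":
    print(handle_request(shielded=False))  # leaks the SQL and the trace
    print(handle_request(shielded=True))   # generic message plus reference ID
```

`response_is_clean` is a review-time check, not a substitute for the shielded handler: it is useful in tests that assert no error path returns driver text, but the control that actually protects users is never building a response from `str(exc)` in the first place.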

Data Protection and Privacy

  • Where applicable, EXP supports customer data protection requirements through a Data Processing Agreement (DPA). The DPA documents EXP’s commitments regarding the processing, safeguarding, retention, return, and deletion of Customer Data, as well as applicable sub-processor and privacy obligations.